After seven contentious years, LabMD won a major victory in its legal battle with the Federal Trade Commission. But CEO Michael Daugherty says his recent triumph could be short-lived, and he's hoping - long term - that the case shines a new light on FTC's data security enforcement practices.
The FTC needs to "stop its mentality" that an alleged data security incident potentially posing harm to consumers, such as identity theft, is the same thing as the agency showing evidence that an actual breach occurred and caused real injury to individuals, he says in an interview with Information Security Media Group.
The FTC should "go after places where things actually did happen, and communicate more proactively with the community in the private sector about what the [FTC] expectations are" for the data security practices of companies, especially in the healthcare sector.
"I don't find the knowledge of investigators at FTC evident at all in technology; they're just lawyers out to enforce," he says. There's also a "very big cultural difference" between the FTC and the Department of Health and Human Services, which enforces the HIPAA security and privacy rules, especially when it comes to the willingness of HHS to collaborate with entities in the healthcare community about data security matters, he says.
"This [difference] has to change because it will not help medicine, it will not help improve cybersecurity," he says. "It actually hurts the [FTC] and its credibility."
And despite the Nov. 13 ruling by FTC chief administrative law judge Michael Chappell to dismiss FTC's data security enforcement case against LabMD, Daugherty doesn't think the matter is over. He expects the FTC consumer protection division to appeal the judge's ruling. And if the FTC's four commissioners subsequently vote against LabMD, Daugherty vows to continue to fight the case in federal court.
Lasting Legacy
In Chappell's ruling in the LabMD case, the judge said the FTC failed to prove its case that two data security-related incidents at LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
But any further legal successes for LabMD in this dispute are bittersweet, because the cancer detection test lab is out of business for good, owing to the resources the company has poured into the FTC battle. "What did we win - because the company's dead," Daugherty says.
In the interview, Daugherty also discusses:
Why he doesn't regret fighting FTC;
LabMD's beef with Tiversa, the peer-to-peer security firm at the center of the FTC dispute with LabMD;
His advice to other companies when it comes to data security and the FTC.

Atlanta-based LabMD was a clinical and anatomic medical laboratory that specialized in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers. Daugherty founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation. He is author of a book about the FTC's investigation of his firm: "The Devil Inside the Beltway: The Shocking Exposé of the U.S. Government's Surveillance and Overreach into Cybersecurity, Medicine and Small Business."