FTC Commissioner Brill’s Laughable Cyber Security Suit Response
I hail from Atlanta, home to head quarters of a successful small business, LabMD. LabMD is a cancer detection laboratory owned by Michael J. Daugherty. In 2008, Mr. Daugherty and his senior leadership team were to begin the year discussing areas of business expansion when they received a call from Robert Boback, CEO of cyber security firm Tiversa that would change their plans drastically.
Mr. Boback proceeded to alert LabMD he was in possession of a file containing LabMD patient information and for the price of $475 per hour he would be happy to tell the firm how he came to possess said file. The back and forth with Boback went on for approximately a year and ended with LabMD declining Tiversa's 'services' and Tiversa turning over the LabMD file to the Federal Trade Commission.
Fast forward to 2010, the year the FTC contacted LabMD about the patient file in Tiversa's 'possession' and the beginning of it's investigation into the cyber security practices of LabMD.
I have read, written and reported about the LabMD story since 2012, so imagine my surprise when the first article link in the weekly ClaimJournal.com report was titled: 'FTC Member Says Lawsuits Focus on Cyber System Failures'.
The link was promptly clicked, and snorting commenced as I read FTC Commissioner Julie Brill's statement on how few suits the FTC brings compared to the hundreds of cyber security breaches investigated.
While speaking at a cyber security conference held at Norwich University, Commissioner Brill said, 'her organization has investigated hundreds of cyber security breaches at companies across the country, but has only brought suit 53 times...the organization tends to file lawsuits when it finds systematic failures in a company’s data security practices, not when there is an isolated vulnerability in a product or service'.
LabMD is one of the 53 companies the FTC filed suit against for according to what Commissioner Brill says would be 'systematic failures'. A suit coincidentally filed shortly after LabMD's CEO released his first book, The Devil Inside the Beltway: The Shocking Expose of the Government's Surveillane and Overreach into Cyber Security, Medicine and Small Business.
What Brill fails to mention is the FTC files these suits over 'systematic failures' for which there are no measurable standards, and in the case against LabMD, where a data breach had not occurred. In addition, the FTC acts as Judge, Jury and Executioner where they not only are the arresting officer and prosecutor, but also they decide whether the case will go through the FTC's Administrative court system or the Federal court system.
In LabMD's case, the FTC chose the Administrative court route where LabMD must go through a trial, and if they win, must have the decision reviewed by the five FTC Commissioners before being offered due process in Federal Court.
If my math is correct, out of the cases filed in the FTC's Administrative court system, the FTC has a 100% win rate.
LabMD's case began in May 2014, six years after the 2008 phone call from the CEO of Tiversa that turned Michael J. Daugherty from CEO to author and activist. The case was stayed in June when the House Oversight Committee began an investigation into 'the activities of Tiversa, Inc., a company upon which the Federal Trade Commission (“FTC’) relied as a source of information in its enforcement action against LabMD, Inc. Information the Committee recently obtained indicates that the testimony provided by company officials to federal government entities may not have been truthful'.
I suppose only time will tell if FTC Commissioner Brill's statement was true, or truly snort worthy.