LabMD CEO Describes His Beefs With FTCHe Portrays Agency's Security Investigations as Overzealous
"We cannot have agencies that are looking in rear view mirrors, making up their minds as they go along on technological issues they don't understand," Daugherty says.
In an interview with Information Security Media Group, he explains his criticisms of the FTC investigations, which he says contributed to his decision last month to wind down operations of his company.
Last August, the FTC filed a complaint against LabMD, alleging the firm failed to protect consumer health data in two separate incidents - one in 2008 and another in 2012. "LabMD collectively exposed the personal information of approximately 10,000 consumers," according to an FTC statement (see: Lab Shutting Down In Wake of FTC Case).
In January, FTC commissioners rejected the lab's motion to dismiss the complaint. "The FTC is prosecuting us, and they're also acting as judge," Daugherty contends.
The CEO argues that the FTC has focused its attention on LabMD because the company rejected the agency's proposed corrective action plan, which called for the lab to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years.
The FTC's Allegations
The FTC complaint alleges that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, according to an FTC statement. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," the FTC says.
The FTC also alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says.
Daugherty says the LabMD paper documents found by Sacramento police were stolen from the company during a move. And he argues that neither security incident cited by the FTC should be considered a data breach.
The FTC's goal in this case has been to ensure that sensitive information is appropriately protected, says Robert Schoshinski, assistant director at the FTC's Division of Privacy and Identity Protection, in a statement provided to Information Security Media Group.
On Nov. 15, 2013, Cause of Action, a government accountability group, filed a lawsuit in a federal court against the FTC on behalf of LabMD "in an effort to put an end to the agency's arbitrary and egregious use of authority in the administrative suit," Daugherty said earlier.
In the interview, Daugherty also discusses:
- The Department of Health and Human Services' lack of involvement in the case;
- Details of how LabMD's troubles started when a third-party security firm discovered the lab's data file on a peer-to-peer network and approached the lab about the matter;
- The impact the FTC case has had on LabMD's business and where the company is headed.
Atlanta-based LabMD is a clinical and anatomic medical laboratory that specializes in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers. Daugherty founded LabMD in 1996 after 14 years in surgical device sales with U.S. Surgical Corp. and Mentor Corporation. He is author of a book about the FTC's four-year investigation of his firm: "The Devil Inside the Beltway: The Shocking ExposÃ© of the U.S. Government's Surveillance and Overreach into Cybersecurity, Medicine and Small Business."