Season 3 / Episode 192
One day in 2008, Michael Daugherty - CEO and owner of LabMD, a cancer detection lab - got a call from an executive of TiVera, a cybersecurity company. The caller said that a file containing private medical data of some 9000 of LabMD's patients has been discovered online. When Michael refused to pay for TiVersa's hefty "consultation fee", it reported the incident to the FTC. This was the beginning of a ten-year-long legal battle that ultimately destroyed LabMD - but cost the Federal Agency dearly.
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
- Episode 144
- Episode 145
- Episode 146
- Episode 147
- Episode 148
- Episode 149
- Episode 150
- Episode 151
- Episode 152
- Episode 153
- Episode 154
- Episode 155
- Episode 156
- Episode 157
- Episode 158
- Episode 159
- Episode 160
- Episode 161
- Episode 162
- Episode 163
- Episode 164
- Episode 165
- Episode 166
- Episode 167
- Episode 168
- Episode 169
- Episode 170
- Episode 171
- Episode 172
- Episode 173
- Episode 174
- Episode 175
- Episode 176
- Episode 177
- Episode 178
- Episode 179
- Episode 180
- Episode 181
- Episode 182
- Episode 183
- Episode 184
- Episode 185
- Episode 186
- Episode 187
- Episode 188
- Episode 189
- Episode 190
- Episode 191
- Episode 192
- Episode 193
- Episode 194
- Episode 195
- Episode 196
- Episode 197
- Episode 198
- Episode 199
- Episode 200
- Episode 201
- Episode 202
- Episode 203
- Episode 204
- Episode 205
- Episode 206
- Episode 207
- Episode 208
- Episode 209
- Episode 210
- Episode 211
- Episode 212
- Episode 213
- Episode 214
- Episode 215
- Episode 216
- Episode 217
- Episode 218
- Episode 219
- Episode 220
- Episode 221
- Episode 222
- Episode 223
- Episode 224
- Episode 225
- Episode 226
- Episode 227
- Episode 228
- Episode 229
- Episode 230
- Episode 231
- Episode 232
- Episode 233
- Episode 234
- Episode 235
- Episode 236
- Episode 237
- Episode 238
- Episode 239
- Episode 240
- Episode 241
- Episode 242
- Episode 243
- Episode 244
- Episode 245
- Episode 246
- Episode 247
- Episode 248
- Episode 249
- Episode 250
- Episode 251
Hosted By
Ran Levi
Exec. Editor @ PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Michael Daugherty
Founder at The Justice Society
Mike Daugherty is embroiled in the biggest regulatory cybersecurity legal battle in the country today. The CEO of LabMD, a cancer testing laboratory, author, speaker, consultant and policy advocate, he has spent most of the last decade defending his company against charges that it had deficient cybersecurity practices. The early years of his entering and fighting Washington, DC, are recorded in his book, “The Devil Inside the Beltway”.
LabMD Vs. The FTC
It was a fateful moment in the United States Court of Appeals for the Eleventh Circuit. Dozens of people gathered in the old courthouse, waiting for the arrival of the Circuit Judges – and their impending decision on a certain case on a sunny summer day in 2018. On one side of the courthouse stood the officials and lawyers of the Federal Trade Commission, the FTC – a powerful United States government agency – with more than 1,000 employees and an annual budget of 300 million dollars. On the other side stood one man, the owner of a failed business, with few resources left.
An entire agency against one Michael Daugherty. The issue at stake was momentous: could the FTC sue a company – just because it was hacked? In other words, is a cyber security failure a civil offense? As the Circuit Judges read their decision aloud, many people in the courthouse gasped. It was the eventful culmination of a long legal fight, made of many twists and turns, that began a decade earlier.
[Michael] “My name is Michael Daugherty. I am the CEO of LabMD, a now shell of a formerly fully functioning cancer detection laboratory that was based in Atlanta, Georgia. And LabMD did prostate cancer analysis as well as any other type of blood or urine type of analysis that would come into a urologist office. So PSAs, bladder cancer, blood levels, kidney, all that. I’m from Detroit. I have a degree in economics from the University of Michigan in Ann Arbor. And I got into medicine pretty quickly out of the University of Michigan by working as a medical device salesman in surgery. And then LabMD started around 1996”.
Michael started his company with a simple plan in mind: utilizing then-new technologies in order to streamline medical tests and provide better and more accurate results.
[Michael] “We were really humming along and it was private and no debt and about 26,000 sqft in Atlanta and about 40 employees at its peak with salespeople around the country”.
But just at the height of Michael’s success, in 2008, something strange happened.
[Michael] “I remembered pretty darn well, because it was the morning I came in the office. I got there by 09:00, 09:30, and my vice president of operations came in and said a guy called, and he said he had 9000 of our patients. He had one file with 9000 patients”.
That guy was Robert Boback, CEO of a cybersecurity company called TiVersa which specialized in scanning file-sharing networks and alerting companies whose private data it discovered there. Boback wanted to alert LabMD that it was hacked.
[Michael] “So he had one file with 9000 patients. He said he found it out in cyberspace. I’m from Detroit, and I was raised by…both my parents are police officers. I’m incredibly suspicious of criminal conduct, and I also know that’s not normal behavior in medicine. In medicine, you don’t call up a facility and say, hey, I got your stuff. I’m a total stranger. I’ll be happy to tell you about it if you pay me. It stunk immediately. So I made him prove it, and he sent the file over, and then it was immediate pandemonium. You have to understand, 2008 is very, very different than 2022. No one knew what a breach was. When you said “breach” in the lexicon, they thought it was a breach birth. You know, 9000 patients out in cyberspace was insanely huge and very alarming.”
After several moments of shock and disbelief, Michael and his team rushed into action. Their first missions were to locate the source of the information leak – and put an end to the vulnerability in their systems.
[Michael] “And we saw the file, and immediately we knew the file was an insurance aging file from the accounts receivable department. We just marched right up there because it’s only six employees, it’s a completely different database. We marched right up to the office, and the manager said she had LimeWire on her computer. And we never put LimeWire in computers. We didn’t allow anyone to use the internet. Truly, 90% of our employees didn’t even have an email address, let alone have access to the web. There was no reason for them to have it either. And so we honed in very quickly because it could only be in a couple of places, and we found the software and the folder, and we deleted it”.
But Michael knew that blocking the vulnerability wasn’t enough. As a medical company, LabMD had to protect its patients’ data:
[Michael] “So we blew away the vulnerability, and then we started looking for potential victims. Where was it possible? we ended up getting rid of that employee. We scoured every laptop, every workstation, every server, there was no peer to peer file sharing software anywhere else. That file was nowhere else. So we were confident we removed whatever was considered vulnerable, but we never saw a victim, and we never saw any evidence that it was out there”.
Extorsion?
Even after taking care of these immediate, pressing issues – Michael still had another thing to tend to: TiVersa’s executive, who offered to help LabMD gain control of the situation – for a hefty fee of some 475$ an hour . This made Michal suspicious of Boback’s motives.
[Michael] “This guy’s a crook. But knowing someone’s a crook and believing someone’s a crook is one thing, but proving someone is a crook is another. So especially when you’re playing the infinite world of cyberspace, you know – prove it’s not out in cyberspace somewhere means you have to scour all of cyberspace, which is scouring all of the universe. That is daunting and impossible. So it’s the perfect situation for criminals to exploit the ignorant and vulnerable and create fear.”
“And they wouldn’t go away for a while. And they called us and threatened us and said they were going to send things over, the Federal Trade Commission, because they felt they had to. And their lawyer called and told us this, and we were like, Go ahead, you know, send it to the federal government. We’ve done nothing wrong”.
Michael didn’t think he had anything to worry about – since he didn’t know of any wrongdoing or malpractice done by his company:
[Michael] “So the next thing we looked at was, do we have to alarm our patients that were in there? The 9000 patients. And at the time, the law was that you did not have to. We weren’t even sure we had a breach. I spent the next three years looking. We never found anything. No phone call, no nothing”.
At first, Michael thought the government would assist him – or at least clear him of any lingering suspicions – but now his company found itself caught in the FTC’s crosshairs:
[Michael] “And just as things died down, the federal government, through the Federal Trade Commission, contacted us and said they’d received a file. We knew who it was from. They wouldn’t tell us who, they didn’t need to tell us, and that they would be starting a non-public investigation”.
The FTC & Cybersecurity
The FTC’s origins go back to the early 20th century, when the robber barons held massive power over the American economy – and positioned themselves in a prime position to influence America as a nation. These businessmen amassed wealth by utilizing new inventions like petroleum and train networks – but were widely accused of aggressive, immoral and sometimes even illegal business practices. Pretty soon, the United States government and its courts of law decided to limit the robber barons’ power with antitrust laws.
That’s how the FTC was born.
[Michael] “So the Federal Trade Commission. The Federal Trade Commission is an agency that was created in 1914 through President Woodrow Wilson. And they were tasked with ensuring that consumers were treated fairly and without deception. So those are two big words, fairly and without deception.”
The FTC’s mandate was to protect consumers and promote competition, and it draws its power from Section 5 of the Federal Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”
Over the years, the FTC changed – and began regulating new areas of business. One of them was cybersecurity: the FTC decided to take on companies whose cybersecurity practices were inadequate, and failed to protect their customer’s private information.
[Michael] “And so they were saying, if your data security practices aren’t up to snuff and you’re vulnerable to a breach, then you’re not being fair. Therefore, you’re violating Section Five of the FTC Act, and they have jurisdiction to investigate you. And it is actually a civil offense. It is not a crime. So no one can go to jail, but it is a civil offense, and they give you a cease and desist”.
Michael found himself facing a new dilemma: whether or not to give in to the FTC’s demands, and agree to an investigation.
[Michael] “And what they do is they come and investigate you. They want you to sign a consent decree that requires you to do all these tasks, and they require you to do it for two decades. And they chalk the agreement full of all sorts of severe punishments so that if you break something, you’ve signed a contract to say that they can punish you in a certain way, otherwise they couldn’t punish you. And a lot of big companies just play the game and sign and move on. There were 37 companies before me that had been challenged by the Federal Trade Commission for cybersecurity unfairness and deception, and they all signed 20 year consent decrees. I’m a medical facility. I’m an operating medical cancer detection facility with over 700,000 patients. That type of doubt over our integrity kills. And I would not sign anything”.
In hindsight, Michael’s decision to refuse the FTC’s request was almost a declaration of war. At this point, he was still convinced this was only a temporary crisis – but the FTC wasn’t going to fold:
[Michael] “I didn’t know it was going to destroy us then. I hadn’t met them yet. I thought it was going to be… I thought they’re going to be like Health and Human Services. So Health and Human Services comes and investigates us all the time, but we are investigated by people that are pathologists or medical technologists. They’re experts in laboratory medicine, and that’s who inspects us. So we have a very collegial professional relationship, and it’s based on scientific facts. So at first, I was like, this will be great, because they’ll see all this and we’ll be fine. Very quickly, when we submitted everything and they were mad, it was very weird. We gave them everything, and they were mad. We gave them thousands of documents. And, you know, they just wanted us to organize the entire investigation for them. And this is very hard for people to understand because it’s so foreign to what we’re taught, either through a civics book or a television show. In criminal law, there is the Constitution, and we have the Bill of Rights. This is not criminal law. This is not civil law. This is not the Constitution. This is a part of the US government that no one is taught about”.
Around this time, this legal odyssey was starting to take a toll on LabMD.
[Michael] “The FTC went through all their depositions. They deposed 40 people. The deposition process just utterly terrified my employees and destroyed the company. People started resigning, and the press had reported the investigation, and the company started to die from within and right”.
A Call From A Whistleblower
In 2013, the FTC filed a suit against LabMD – because of Michael’s refusal to comply with the agency’s request for cooperation. Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, explained the reasoning behind the decision. From The Atlantic:
“The unauthorized exposure of consumers’ personal data puts them at risk […] The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”
There’s little doubt that the FTC is justified in wanting to protect consumers by forcing companies to strengthen their cybersecurity posture. After all, many – if not most of the stories we told here in Malicious Life over the years, involved companies neglecting their duty to protect their customers’ private data. Yahoo, Linkedin, Equifax – the examples are way too numerous.
But LabMD argued that in order to enforce the appropriate standards of cybersecurity – the FTC first needs to define what these standards are.
[Michael] “Right after they sued us, the first conference with the judge in September of 2013, the judge said to them, where is it where a business can go to learn what they’re supposed to do? And the FTC said there is no place for a business to go to to know what to do. The FTC said that cybersecurity is changing so quickly that they need to be able to call a violation on a case-by-case basis as they go along”.
This wasn’t the only crazy thing that Michael found out at this time. Going back to the initial hack, when Michael was contacted by Robert Boback of TiVersa, he suspected that there was foul play involved by the company. It turns out that he wasn’t the only one who was troubled by the FTC’s collaboration with the private company. Even the FTC’s own commissioner, J. Tomas Rosch, warned against it. Rosch wrote in 2012, a few months before he left the organization:
“[TiVersa] is a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations. While there appears to be nothing per se unlawful about this evidence, the Commission should avoid even the appearance of bias […] by not relying on such evidence or information.”
TiVersa, for its part, strongly denied Michael’s allegations. Robert Boback published a public letter in the Wall Street Journal, claiming that TiVersa was being a good Samaritan by alerting LabMD about its leaked information, and that TiVersa was actually forced to report the case to the FTC in response to a government subpoena.
But even Michael couldn’t suspect the whole truth. When a whistleblower from TiVersa got in touch with him – Michael was shocked by what he had to say:
[Michael] “I got a call from a whistleblower in April of ‘14. And this is when the entire saga just explodes to a whole new level, where a gentleman named Rick Wallace calls and says, I worked at Tiversa. I left yesterday. I destroyed your company. I came in and stole it. It was never out in cyberspace. Everything you say in your book is true, but it’s way worse. We do this all the time. And I’m sorry, he was crying, and he had actually tried to commit suicide”.
According to a report by Reuters, Wallace said that he was instructed to falsify evidence that LabMD’s patient file fell into the hands of identity thieves. Wallace testified that Boback told him, “’We need this at four different IP addresses, and they need to be bad guys.’
If a cybersecurity firm engaging in extortion wasn’t enough – this revelation also shook the foundations of the case against LabMD: if the company’s information wasn’t ever illegally published online – then no patient data was ever in danger.
[Michael] “So I got the whistleblower with Darrel Issa, a Congressman in the House of Representatives, in Congress, and he ran the House Oversight Committee, and he started interviewing Rick, and he opened an investigation during the summer of 2014. While this was going on, I went on trial in the FTC court. And the FTC put up their entire case not knowing about this investigation and not knowing that I’ve been called by the whistleblower. And the discovery was over, and they rested their case. And then we brought out our witness, and the FTC literally freaked out”.
But Michael wasn’t out of the danger zone yet. Rick Wallace’s testimony was threatened by a new campaign of intimidation:
[Michael] “Once he became publicly known, he immediately started being witnessed tampered. He was chased down the highway. He had death threats. His children were surveilled, the bus stops surveilled. And the government did nothing. Nothing. And the witness tampering was very successful, and he withdrew. I say withdrew. He pulled in his communications, and he got very withdrawn”.
A battle ensues in Congress about Rick Wallace’s criminal immunity – and eventually, he was granted immunity. The House Oversight Committee published a report that provided new details about TiVersa’s shady practices. For example, the Committee found that TiVersa had faked documents relating to the President’s helicopter – and claimed that they were found at an Iranian IP address. In 2016, FBI agents raided the company’s Pittsburgh headquarters, and TiVersa decided to place its CEO on leave.
It seemed like the FTC’s crusade against LabMD would finally end. After all, how could a company be blamed for a leak that never happened?
[Michael] “The Justice Department did grant Rick criminal immunity, so he didn’t testify for a year. And finally, in May of ‘15, my case reopened, and he testified that he came in and took it, that it was not out in cyberspace. They did not drop the case. They said, change their argument midcase to say that you don’t have to have a breach, you don’t have to have a victim to be violating the FTC Act for bad cybersecurity practices. You just have to have bad cybersecurity practices, and they get to decide what those are on a case-by-case basis.”
The Battle Ends
Which brings us back to that decisive moment in the Eleventh Circuit court, in 2018.
[Michael] “We got to oral argument where the judge on the 11th Circuit Court of Appeals was berating the Federal Trade Commission and the Federal Trade Commission admitted that, yes, TiVersa did bad things. Yes, they don’t work with them now. But here is the big thing. The FTC tried to argue to the court that they could make rules after they charge someone. They could charge you first and then codify the rule as they went along. And truly, I think one of the justices laughed out loud and thanked them for their concession”.
The judges also had reservations about the FTC’s lack of specificity when it came to enforcing cybersecurity standards. From the court’s decision –
“In the case at hand, the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to and replace its data-security program to meet an indeterminable standard of reasonableness.”
The court ruled in Michael’s favor – but it was too little and too late. At this point, the company was already in ruins. He won the legal battle – but lost the war:
[Michael] “I couldn’t get to court for nine years. I couldn’t get to court until the case was over, until the company was dead. And then the FTC lost. But most legal reporters can’t be bothered to read the case, to get down to what’s really going on. And so then I filed for reimbursement under the Equal Access to Justice Act, and we spent about $15 million, and we got an $800,000 check for that. And that’s supposed to be Equal Access to justice. That’s supposed to be a reimbursement for all they put you through”.
Michael’s victory in 2018 wasn’t the end of it. Shortly afterwards, he got new information from the TiVersa whistleblower – revealing the shady ties between the company and the FBI:
[Michael] “And the whistleblower gave me another dump of information because he didn’t tell me the whole truth early on at all. And in early ‘19 we got through a part of it that showed… and this is really where the earth shook, by the way. And the courts still don’t know this, they’re going to know it soon. But it turns out that the FBI is who gave TiVersa the software to break into computers. So that until ten years later, I myself and the entire world was led to believe by the Federal Trade Commission and the Department of justice and the FBI that the software that was used to break into all these computers was TiVersa’s. Turned out it was the FBI’s. The FBI was doing child pornography investigations in the early two thousands and they hired TiVersa to help them in a small scale effort”.
After the 2018 court ruling and the uncovering of this potentially implicating information, Michael decided to take the fight to the government. He sued the FTC and TiVersa’s owner in different lawsuits – and some of these cases are still being litigated to this day.
His win against the FTC may not have saved his company from financial ruin, but he does not regret his decision to refuse that original FTC request – and go to war head-to-head with the agency.
[Michael] “Now, the day the Federal Trade Commission letter came, you asked me what I thought. You know, that was 2010. My attorney said to me, oh my God, those people have no idea who they’ve just started to fight with, because I do turn my cheek the other way. I don’t fight every single battle. And if I did run a store that was a dress shop or a hospital or a car dealership or a hard drive company, that’d be different. But this was like human lives. Diagnosing cancer at a highly specialized rate. And the destruction of it…Well, I had plenty of moments of despair, but never that I was going to give up, ever. And I mean ever. That’s just how I’m wired”.
Was it worth it? Michael Daugherty says that he believes that eventually, his actions will help protect the next guy approached by the FTC – and help save the next company targeted by the agency.
[Michael] “When you have an eleven Circuit Court of Appeals using language like that at a government agency, that gets people’s attention. Since that’s happened, many people that are under oppressive government investigations reach out to me, and they’re more sophisticated. Earlier in the process, more people now believe this is possible.”
Michael’s not the only one who thinks that the FTC’s decision to continue the legal fight even after TiVersa’s shady business practices were exposed, was a mistake. Craig Newman, chair of the privacy practice at the law firm Patterson Belknap Webb & Tyler, said to Bloomberg –
“Companies subject to an FTC enforcement action have generally made well-considered business judgments that settlement makes more sense than years of litigation and discovery—especially with an in-house administrative process where the playing field seems tilted in the government’s favor. Now companies may toughen their stance when the FTC pays a visit.”
Epilogue
This story doesn’t have a happy ending, a Hollywood-skyle third act where the good guy gets the money he deserves and the apology he earned. Life’s too complicated for these endings. A court ruling in your favor is not enough to clear ten years of financial disaster – and it does not make up for a reputation lost, and a career destroyed.
But the FTC’s case against Michael shows something important about the cyber world – and the various entities struggling to adapt to its new realities. In 2008 – and still today – government agencies often found it difficult to keep up with the pace of events online. When hackings are on the rise – it’s easy for governments to adopt a hardliner position and seek to forcibly root out all cybercrimes. The danger is that innocent people like Michael will get caught up in unjust lawsuits.
Holding companies to cybersecurity standards is important – but it must be done in transparent and productive ways. The internet may seem like a mysterious, ominous place for gigantic organizations like government agencies – but this fear cannot lead to draconic measures. Maybe the FTC should have adopted the ancient proverb guiding all doctors from the dawn of western civilization: “First, do no harm”