NFIB member Michael Daugherty was a small business owner based in Atlanta, when the Federal Trade Commission accused his company of inadequate data-security practices and eventually forced him out of business.
Michael Daugherty was the owner of a cancer-screening medical company called LabMD for many years. At the height of his business’ success, he got a call from the Federal Trade Commission, accusing him of leaving LabMD customers’ private information vulnerable and available to cyberhackers through inadequate data-security practices.
Before deciding on any action to defend his company or pay the penalties from the FTC, Daugherty says the writing was on the wall for his business.
“Our death was already given and we had to decide how to die—either by fighting back or rolling over,” Daugherty says.
Just a short time later, Daugherty was forced to shut down his business because of the legal battle with the FTC. The experience inspired Daugherty to pen a book, The Devil Inside the Beltway, as a warning to other small business owners.
Why Daugherty Fought Back
The FTC alleged that a third-party company turned over records to the federal agency, which revealed LabMD was guilty of poor cybersecurity practices. The third-party company allegedly downloaded personal and confidential information of thousands of LabMD patients from a peer-to-peer network, and maintained that other hackers were also able to download the same file.
However, Daugherty became suspicious of these allegations when an employee from the company offered him services to correct the problem.
Daugherty says he had two choices at that point: to roll over and come to terms with the FTC, or fight the accusations he knew were inaccurate. Most businesses simply settle with the FTC to avoid litigation costs, but Daugherty knew that option would damage his business’ reputation too much to continue in his industry.
“I was in a unique spot to fight back,” he says. “Most business owners can not do it.”
Daugherty chose to fight the accusations through the legal process.
The FTC’s Battle with Cybersecurity Jurisdiction
In 2013 the FTC brought forth an enforcement action against LabMD. Section 5 of the Federal Trace Commission Act authorizes the FTC to take action against “unfair or deceptive acts or practices in or affecting commerce.”
When it comes to cybersecurity, these responsibilities are vague at best, says Daugherty, and he wanted to get to the bottom of the allegations.
“They don’t tell you what data security practices are unfair and what is not,” says Daugherty. “We actually had excellent data security practices, especially at the time, in 2008.”
According to the FTC’s own statements, “The main legal authority that the FTC uses in the data security space is Section 5 of the FTC Act, which gives us the ability to stop unfair or deceptive acts or practices.”
Daugherty continued to fight the allegations through several legal motions, arguing against the FTC’s authority of enforcement actions in cybersecurity cases. He voiced his concerns about the FTC’s accusations to the House Committee on Oversight and Government Reform, but quickly found himself overrun by the process.
“When you challenge the FTC, especially when you’re small, they try to intimidate you with demanding tons of work and running up your bill,” he says. “It’s called persecution through process. It’s a bully tactic. You can sit there and challenge them through the process, but they’re just going to drive you onto the ground.”
Eventually, LabMD closed its doors amid the accusations.
New Revelations
In 2014, the case against LabMD took a turn. An employee from the company that found LabMD’s security vulnerability, Richard Wallace, testified that the company engaged in misconduct with the federal agency, provided false information and grossly exaggerated the allegations against LabMD, according to a public congressional report.
The House Oversight Committee said the third-party company criminally provided false or manipulated information to determine a need for their services, but the extent of the FTC’s involvement remained unknown. However, the committee found that the third-party company “had non-public knowledge of FTC enforcement actions and took steps to profit from that knowledge.”
When these revelations came out, it was too late for LabMD and Daugherty. Daugherty says that because the FTC never verified the evidence against his company, he lost his business that would have reached its 20th year in 2016.
Years after the ordeal and no longer a business owner, Daugherty has written a book about his experience, exposing systematic failures of a federal agency with too much power and too little accountability. The result is a “regulatory nightmare,” he says, that leaves small business owners at risk and in the dark. Daugherty, however, does not regret fighting back.
In his book, The Devil Inside the Beltway, Daugherty explains what happened to him as a warning to other small business owners. He hopes to inform the small business community about the regulatory environment where the cards are stacked against the small business owner.
“They do not understand because there is little to no education about how the regulators operate and the regulators want it that way,” he says. “An uneducated victim can’t fight nearly as well, and that’s why they go after small business.”
The book has had an impact. Those involved with the LabMD accusations have come under Congressional investigation, and the rules allowing the FTC to act independently without much oversight have been questioned.
