Date: 2022-11-05

In May 2008, Lehman Brothers was a pillar of American banking.

Outside Alaska, no one but political junkies had heard of Sarah Palin. And LabMD was a thriving medical laboratory company in Atlanta.

As part of its business, LabMD acquired sensitive information about the patients whose specimens it tested, including not just names and medical codes, but also addresses, dates of birth, Social Security numbers and insurance information.

LabMD’s billing manager downloaded LimeWire to her work computer so she could listen to music on the job. For those readers who weren’t young in the aughts, LimeWire was a peer-to-peer file-sharing program that linked computers in a network, allowing a person sitting at one computer to access designated files on somebody else’s computer miles away. It was used widely to share music.

The billing manager inadvertently linked her documents folder to the LimeWire network, exposing its contents to anyone who cared to take a look. There was more in that folder than music. It included a file containing the detailed personal information of 9,300 patients.

In May 2008, a Pittsburgh-based cybersecurity company called Tiversa contacted LabMD to announce it had found the contents of the file disseminated in cyberspace. Tiversa offered its remediation services. According to Bloomberg Businessweek, Tiversa proposed to charge $475 an hour for a two-week job, for a total of around $38,000. Tiversa also forwarded a news story detailing the bad publicity a similar leak had generated once the press was alerted.

LabMD instead hired a different cybersecurity company, which found no indication that the contents of the file had spread on the web. As far as it could discover, the only entity that had accessed the file through LimeWire was Tiversa itself.

LabMD’s CEO, Michael Daugherty, came to regard Tiversa’s solicitations “as polite extortion notes,” Bloomberg reported. As far as Daugherty was concerned, Tiversa had wrongfully hacked into his company’s computers and was now demanding payment to keep quiet about it. Resisting Tiversa became a matter of principle for him.

When LabMD refused to hire Tiversa, Tiversa responded — Daugherty probably would say “retaliated” — by informing the Federal Trade Commission that a medical lab in Atlanta had exposed the personal details of 9,300 patients on the web.

The FTC opened an investigation. Its enabling act empowers it to challenge “unfair or deceptive acts or practices” affecting interstate commerce. Congress has specified that an act or practice may be unfair if it “causes or is likely to cause substantial injury to consumers.” Identity theft qualifies as substantial injury, as anyone who has suffered it can attest.

But, from Daugherty’s point of view, his own government was siding with the extortionist against him. Fighting the FTC became another matter of principle. Bloomberg described his attitude as one of “mulish resistance.” He refused to settle with the FTC and became involved in “a head-spinning number of legal actions.” A congressional committee got involved.

The result, predictably, was the demise of LabMD. Publicity about its failure to safeguard patient information led to insurers cancelling policies and doctors opting not to use its services. Most of Daugherty’s many lawsuits went nowhere, but, this August, a claim that Tiversa and its owner defamed LabMD was revived by the federal Third Circuit Court of Appeals. Fourteen years on, the case returns to the district court for more, more, more.

This is just the briefest of summaries. For a fuller picture, check out the 2016 Bloomberg piece or Raffi Khatchadourian’s 2019 article in the New Yorker.

There are almost too many lessons to be learned from the saga. One is purely practical. LabMD didn’t file its suit for defamation and fraud until the damages had snowballed, with the result that most of its claims were barred by the statute of limitations. Generally speaking, the time to sue begins running as soon as an injured person learns of an injury and who caused it, even if its full extent remains to be determined. Don’t delay.

Second, LabMD’s attorney in the defamation case pursued scorched-earth tactics, which can be deeply satisfying to a client intent on revenge. But all the envelope-pushing caused the federal magistrate judge overseeing discovery to impose sanctions that crippled the company’s ability to prove its case. On appeal, the Third Circuit reversed some of the sanctions, but only after years had been wasted. In litigation, hyper-aggression often backfires.

Third, litigation is not an effective way to enforce ethical principles. That’s not because the law is unethical, but because it’s concerned with legal principles instead. Business practices that can be compared to extortion, but don’t meet the technical definition of extortion, do not violate the law against extortion. Daugherty went to court to vindicate a non-legal principle and it destroyed his company.

Also: lock down your sensitive data.

Joel Jacobsen is an author who retired from a legal career in 2015. If there are topics you would like to see covered in future columns, write him at legal.column.tips@gmail.com.