District Court (Ga.) Finds that LabMD’s Case Against the FTC for Allegedly Manufacturing a Data Breach Enforcement Proceeding Is Barred by Statute of Limitations

The Court 0f Appeals for the 11th Circuit’s limited the FTC’s enforcement powers in LabMD, Inc. v. Federal Trade Commission, 894 F.3d 1221, 1237 (11th Cir. 2018).  In follow-on litigation by LabMD against the FTC, Judge Brown dismissed on statute of limitations grounds a case against the FTC arising out the FTC’s civil enforcement proceeding against LabMD. In Labmd, Inc. v. United States, No. 1:21-cv-3525-MLB, 2023 U.S. Dist. LEXIS 34553, at *1-7 (N.D. Ga. Mar. 2, 2023).  The factual allegations recited by the Court are rather remarkable.

Plaintiff LabMD, Inc. (“LabMD”) sued the United States of America claiming the Federal Trade Commission acted improperly in a civil enforcement action. (Dkt. 5.) Defendant moved to dismiss pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6). (Dkt. 22.) The Court GRANTS Defendant’s motion. I. Background Plaintiff LabMD previously operated a cancer detection laboratory. (Dkt. 5 ¶ 4.) It claims that, sometime before 2007, the U.S. Attorney for the Western District of Pennsylvania (Mary Buchanan) retained Tiversa Holding Corporation (a company that provides cyber and data security services) to assist the Federal Bureau of Investigation in locating digital evidence of child pornography. (Dkt. 5 ¶¶ 41, 45.) As part of this, the FBI gave Tiversa access to a programed called the “enhanced peer-to-peer sharing program” (“eP2P”). (Dkt. 5 ¶ 42.) That program allows a user to search peer-to-peer networks for child pornography. (Dkt. 5 ¶ 52.)  A. Tiversa’s Alleged Shakedown Scheme and Partnership with the FTC. Plaintiff LabMD claims Tiversa misappropriated the eP2P system. (Id.) Specifically, it claims Tiversa used the system to access private companies’ networks and steal personal health information, protected personal information, and other valuable data. (Id.) Plaintiff claims that, after launching such an attack, Tiversa manipulated the data to make it appear an unauthorized user had stolen the data, created false Internet Protocol packets to make it appear the stolen data was available on the Internet, contacted the victim company to explain it had suffered a cyber-attack (from an unidentified entity), and offered its cyber-security recovery and monitoring services to remediate the alleged attack. (Dkt. 5 ¶¶ 53, 55.) Plaintiff says that, if the company refused to hire Tiversa, Tiversa “reported fabricated data security breaches” to the Federal Trade Commission (“FTC”). (Id.) Plaintiff refers to this as Tiversa’s “shakedown scheme.” According to Plaintiff, the FTC became aware of Tiversa’s investigations and wanted access to its information to identify companies for civil enforcement investigations. (Dkt. 5 ¶¶ 64, 71-73.) The FTC considered issuing subpoenas to Tiversa. (Id.) Tiversa, however, did not want to be identified as the source of information it provided the FTC. (Dkt. 5 ¶ 73.) So, the FTC—acting through attorneys Alain Sheer, Ruth Yodaiken and Carl Settlemyer—proposed Tiversa create a pass through company called “The Privacy Institute.” (Id.) That would allow the FTC to subpoena information from the company while disguising Tiversa’s role. (Dkt. 5 VIE 71-81.) Tiversa did that.  B. Tiversa Targets Plaintiff and Works With the FTC to Manipulate Data Plaintiff contends that, in 2008, Tiversa used the eP2P program to breach its network and steal its confidential patient information— specifically a document referred to as the “1718 File.” (Dkt. 5 ¶ 97.) Tiversa then contacted Plaintiff, claimed it had found the 1718 File on the Internet, said the file was “spreading over the Internet,” and tried to sell Plaintiff its remediation services. (Dkt. 5 ¶¶ 98-101.) Because Plaintiff could find no evidence of an actual breach, it refused to hire Tiversa. (Dkt. 5 ¶¶ 99-100.)  In an alleged act of retaliation, Tiversa told the FTC that Plaintiff had suffered a security breach and (through The Privacy Institute) gave the FTC a copy of the 1718 File. (Dkt. 5 ¶ 101.) The FTC then began talking with Plaintiff about the alleged data breach. (Id.) Plaintiff believed no intrusion had occurred and refused to accept a consent decree. (Dkt. 5 ¶ 82.) The FTC, therefore, began preparing a civil enforcement action against Plaintiff. (Id.) But it faced a problem. To prosecute Plaintiff successfully, the FTC would have to show Plaintiff’s patients were harmed by the 1718 File having spread across the Internet. (Dkt. 5 ¶¶ 83-84.) The information Tiversa provided the FTC, however, showed the file had not done so. Plaintiff says Sheer met with Tiversa employees to explain this problem. (Dkt. 5 ¶ 88.) Plaintiff claims that, “by sharing with Tiversa their need for ‘spread,’ the FTC investigators should have known and had reason to know that they created pressure on Tiversa to provide the needed information.” (Id.)  Plaintiff alleges that, in response to this pressure, Tiversa “manufactured ‘proof’ of spread.” (Dkt. 5 ¶¶ 88-89.) Specifically, in October 2013, Tiversa created a “.txt file” to show four San Diego IP addresses on the 1718 File to make it look (falsely) like the file had been “found” in California. (Dkt. 5 ¶¶ 107-08.) Plaintiff claims Tiversa did this, not only to fabricate evidence of “spread,” but also to make it appear the file was still available on the Internet as of November 2013. (Dkt. 5 ¶ 108.) Plaintiff says Tiversa did this to “bolster” the FTC’s claims against Plaintiff. (Id.) Indeed, Plaintiff claims Tiversa did this after FTC attorney Sheer specifically told Tiversa the FTC needed evidence the file had “spread” across the Internet to make the prosecution of Plaintiff worthwhile. (Dkt. 5 ¶ 87.)  The FTC used the doctored file to pursue a civil enforcement proceeding against Plaintiff. (Dkt. 5 ¶ 107.) An administrative law judge ruled in Plaintiff’s favor, but the FTC reversed that decision and issued a cease-and-desist order against Plaintiff. (Dkt. 5 ¶¶ 112-114.) The Eleventh Circuit reversed. (Dkt. 5 ¶ 115.) The Eleventh Circuit did not reverse the order because it concluded the FTC engaged in the type of misconduct alleged here. Rather, it found the order unenforceable because it did not enjoin a specific practice but rather mandated a complete overhaul of Plaintiff’s data-security program without adequately explaining what Plaintiff was required to do. LabMD, Inc. v. Federal Trade Commission, 894 F.3d 1221, 1237 (11th Cir. 2018).  C. Plaintiff Sued the FTC  Plaintiff now claims the entire enforcement proceeding against it was bogus—having been manufactured by Tiversa with the knowledge and willing participation of several FTC employees. Plaintiff claims the FTC brought and pursued its civil action against Plaintiff even though it knew (or should have known) that Tiversa had altered the 1718 File as explained above, that the unaltered file showed Plaintiff had never suffered a data breach, and that individuals at the FTC worked with Tiversa to manipulate and falsify the evidence against Plaintiff. (Dkt. 5 ¶ 110.) In other words, Plaintiff alleges the FTC conspired with and aided and abetted Tiversa to obtain confidential information from Plaintiff that the FTC knew or should have known did not support an enforcement action but commenced and continued an enforcement action anyway. (Dkt. 22-1 at 2.)  Plaintiff filed an administrative complaint with the FTC on September 4, 2020. (Dkt. 5 ¶ 39-41.) The FTC rejected Plaintiff’s complaint as barred by the statute of limitations but added it would have also rejected the claim on the merits. (Dkt. 5 ¶ 44.) Plaintiff now sues the United States for negligence and negligence per se under the Federal Torts Claims Act (“FTCA”). (Dkts. 5 ¶ 116-133.) Plaintiff also filed two previous lawsuits related to Tiversa’s alleged hacking of the 1718 File. In November 2015, Plaintiff sued Alain Sheer and the two other FTC attorneys allegedly responsible for the FTC’s improper investigation. (Dkt. 22-2.) In April 2018, Plaintiff sued Mary Buchanan. (Dkt. 22-3.)