Bombshell Testimony in FTC's LabMD Case

Breach Allegations Called Into Question; What's Next?
Damaging testimony by a former employee of Tiversa, the peer-to-peer security firm at the center of the Federal Trade Commission's case against medical testing firm LabMD, raises questions about the credibility of sources and evidence that the FTC relies on in its pursuit of enforcement actions related to alleged data security incidents, some legal experts say.

On May 5, after months of delay in the FTC administrative hearing on the LabMD data security investigation, Richard Wallace, a former employee of Tiversa, testified with immunity that the Pittsburgh-based security firm exaggerated the extent to which a LabMD insurance-related file was exposed and "spread" on the Internet.

After LabMD CEO Michael Daugherty refused to buy Tiversa's services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD's data, Wallace claimed in his testimony.

But Tiversa CEO Robert Boback, in a statement provided to Information Security Media Group, calls Wallace's testimony "purely baseless allegations from a terminated employee."

FTC attorneys declined to cross-examine Wallace at the May 5 FTC administrative session, but they could still introduce a rebuttal witness later.

Allegations About Business Practices

Wallace also testified that Tiversa had a "common practice," used to drum up business, of making it appear that prospective clients' data files had been compromised on peer-to-peer networks and had "spread" to IP addresses belonging to known identity thieves. Those IP addresses, however, actually belonged to computers from criminal investigations that law enforcement had already closed, and they had been added to Tiversa's "data store" of records, Wallace testified.

A court reporter's "rough draft transcript" of Wallace's testimony, obtained by ISMG, describes the alleged Tiversa practice further.

FTC Judge: You made [a file] available around the Internet in peer-to-peer?

Wallace: No, no. We would only make [a file] appear to have been downloaded from a known bad actor. So if you have an identity thief in Arizona, say, for example, we already know law enforcement has already dealt with that individual. We know that the IP [address] is dead. We know that the computer is long gone. Therefore, it's easy to burn that IP address because who's going to second-guess it?

Judge Chappell: So to boil this down, you would make the data breach appear to be much worse than it actually had been?

Wallace: That's correct.

Tiversa would then approach those prospective clients with information about the allegedly unsecured files that Tiversa had found "spreading" on the Internet, in an attempt to sell Tiversa's security monitoring and remedial services, Wallace testified.

Bigger Picture

Some privacy and security legal experts say the testimony by the former Tiversa employee needs to be put into perspective.

"The testimony of Mr. Wallace paints a startling picture of how some involved in this matter may have fabricated information system records and other evidence provided to the FTC," notes attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.

"Taken at face value, Mr. Wallace is saying that Tiversa made up the story it gave to the FTC out of whole cloth. However, we are only seeing one side of the story. I will be watching for the FTC to introduce evidence to rebut this testimony, or for whether the government uses the testimony of Mr. Wallace to launch a new investigation of whether the activities he alleges were violations of the law."

In any case, Wallace's testimony against Tiversa "significantly undermines the credibility of the FTC's evidence, but still suggests that there was an underlying security problem for LabMD," says privacy attorney Adam Greene, of law firm Davis Wright Tremaine, which is not involved with the case. "The testimony indicates that Tiversa was able to access a LabMD file with personally identifiable information, but then Tiversa allegedly made things appear far worse by making it look like the data had been downloaded by identity thieves.

"This raises serious questions about the evidence that the FTC was relying upon in this case and potentially others, but it does not absolve LabMD of potentially having had unreasonable information security practices. I don't think that this will stop the FTC from continuing to pursue the case against LabMD and to continue to bring enforcement efforts in the area of privacy and security, but it may lead to the FTC's investigatory practices falling under the microscope."

Congressional Scrutiny

The FTC filed a complaint against LabMD in August 2013, alleging the Atlanta-based lab firm failed to protect consumer health data in two separate incidents. The FTC alleges the incidents - including the one allegedly discovered by Tiversa - collectively exposed the personal information of approximately 10,000 consumers.

An investigation last summer by the House Committee on Oversight and Government Reform also called into question the completeness and accuracy of the information that Tiversa provided to the FTC about the company allegedly discovering in 2008 a LabMD spreadsheet containing insurance billing information for 9,000 individuals on a peer-to-peer network. The Congressional committee also questioned the FTC's reliance on Tiversa "as a source of information" in FTC's decision to launch its enforcement action against LabMD related to data security (see LabMD Case: House Committee Gets Involved).

Holtzman suggests that the Oversight Committee should take caution in pursuing any additional investigations into the LabMD/Tiversa case until the FTC litigation is over.

"In my view, it is extremely disruptive to the ability of the government to carry out its mandate to protect consumers and enforce the law if Congress intervenes during an agency investigation or administrative hearing," he says. "I hope that the House Committee on Oversight will take a hands-off approach concerning the LabMD matter until the FTC has had an opportunity to complete its action involving LabMD."

What's Next?

Although the FTC declined to cross-examine or depose Wallace at the May 5 FTC administrative session, the agency has until May 12 to file a motion to introduce a rebuttal witness, says attorney Reed Rubinstein, senior vice president of litigation at Cause of Action, a not-for-profit organization that's working with LabMD on the case.

If the FTC does not file that motion, then the testimony phase of the hearing is over, and closing arguments could come by the end of June, he says. A ruling by FTC Chief Administrative Law Judge Michael Chappell, who is presiding over the hearing, is not expected to come quickly, however. And because the case is so complex, Rubinstein expects "a detailed ruling."

Boback, CEO of Tiversa, tells ISMG: "It is unfortunate that [LabMD CEO Michael] Daugherty and his counsel at Cause of Action have so aggressively set out to impugn Tiversa, because their obvious lack of focus on the FTC and its needs may have just sealed their fate with the FTC v. LabMD saga. The FTC didn't need to cross-examine Wallace because, in my opinion, they did not want to destroy his credibility since he had just 'gift-wrapped' their victory in the case."

The FTC declined to comment on the case.

Dispute Details

Besides the spreadsheet allegedly found by Tiversa on a peer-to-peer network, the FTC's case against LabMD also points to a second incident, in which the commission alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," says the FTC complaint.

The commission had proposed an order against LabMD that would "require the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."

LabMD's Daugherty has said the medical testing lab last year suspended most of its operations because its management and financial resources have been focused on this dispute.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.