Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
FTC's LabMD Case: The Next StepsCommission Won't Call Rebuttal Witness
The Federal Trade Commission has confirmed that it will not call a witness to refute damaging testimony given last week by a former employee of Tiversa, the peer-to-peer security firm at the center of the FTC's security enforcement case against medical testing company LabMD. That means the case potentially could proceed to closing arguments in the coming weeks.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The case is being closely watched by Congress and others because it has raised questions about the FTC's jurisdiction on security cases as well as its methods for gathering evidence for these cases.
Last week, after months of delay in the FTC administrative hearing on the LabMD data security investigation, former Tiversa employee Richard Wallace testified with immunity that the Pittsburgh-based security firm exaggerated the extent to which a LabMD insurance-related spreadsheet file containing information on 9,000 individuals was exposed and "spread" on the Internet in 2008.
After LabMD CEO Michael Daugherty refused to buy Tiversa's services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD's data, Wallace claimed in his testimony. Wallace additionally testified that it was a "common practice" by Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that Tiversa found "speading" on the Internet in an attempt to sell the company's security monitoring and remedial services.
"The FTC has confirmed that it found no reason to challenge the testimony given last week," says attorney Reed Rubinstein of Cause of Action, a non-profit organization representing LabMD in the FTC legal dispute. "The only evidence in the record now is that LabMD was telling the truth from the beginning that they were hacked by a cyberthief, and that the FTC did nothing to verify the information it was given by Tiversa."
LabMD contends that the disputed spreadsheet file was exfiltrated out of its systems by hackers, while the FTC argues the file was left unsecured on a peer-to-peer network.
Tiversa CEO Robert Boback tells ISMG that Wallace's testimony regarding Tiversa making exaggerated claims to win business amounted to "purely baseless allegations from a terminated employee."
Plus, Boback argues that Wallace's testimony about finding the spreadsheet online refuted LabMD's argument that it did not leave data exposed on a peer-to-peer network.
LabMD's Daugherty, meanwhile, offered yet another harsh assessment of the FTC's actions in the case. "We are not surprised that the FTC doesn't have the desire to place their rebuttal witnesses under oath for all the world to see. We say, 'bring them.' Transparency is not part of their playbook and not needed in this kangaroo court system that the legislative and judicial branches have allowed the FTC to create for themselves. I am determined to show their 'punishment through process' destruction at the price of truth, justice and a cancer detection center."
LabMD shut down most of its operations last year as the lab firm, which offered cancer-related testing, devoted management and financial resources to fighting the FTC dispute.
Some security and privacy experts say Wallace's testimony calls into question the credibility of sources that FTC relies on for its security enforcement investigations.
Nevertheless, some observers say that despite Wallace's testimony about Tiversa's alleged business practices, LabMD still could potentially be found responsible for the alleged exposure of information.
"To many, the testimony by [Wallace] alleging Tiversa fed the FTC information only after it was spurned by LabMD is startling and challenges our notions of fairness," says attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "But the legal standard to win dismissal in this case, where it is alleged that LabMD had engaged in deceptive and unfair trade practices in violation of Section 5 of the FTC Act, would require the [FTC] administrative law judge to conclude that the agency had introduced no evidence that consumers were harmed through LabMD's actions."
Holtzman also notes: "The testimony of why Tiversa was motivated to blow the whistle on LabMD does not take away from evidence introduced by the FTC that sensitive information ... had been stored in their information systems and that the data was accessible to unauthorized parties largely because the company failed to adopt security practices, like penetration testing or other basic security practices that were the recognized industry standard for protecting this type of information."
The FTC declined to comment on its decision not to call a rebuttal witness to Wallace's testimony.
A government source tells ISMG the next step in the case is evidentiary work that will precede LabMD and FTC giving their closing arguments. It may take up to six months before the case finally wraps up with a ruling by the FTC administrative judge handling the case.
In the meantime, it's also possible that the FTC judge could grant LabMD's motion to dismiss the case.
Ultimately, if the FTC rules against LabMD, the lab firm can file an appeal in federal court.
Besides the spreadsheet allegedly found by Tiversa on a peer-to-peer network, the FTC's case against LabMD also points to a second incident, in which the commission alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," says the FTC complaint.
The commission had proposed an order against LabMD that would "require the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."