House Panel Probes FTC Procedures
Committee Questions FTC's Relationship with Security Firm
A House committee is requesting a review of the Federal Trade Commission's procedures for receiving information that it uses to bring enforcement actions against organizations for data security-related matters.
The House Committee on Oversight and Government Reform's request stems from an ongoing dispute between the FTC and LabMD over the medical testing lab's data security practices.
In a letter to the FTC's acting inspector general Kelly Tshibaka, committee chair Darrell Issa, R-Calif., asks for clarification from the FTC about its relationship with Tiversa, a security intelligence firm that allegedly discovered an unsecure LabMD spreadsheet containing data of about 9,000 consumers on a peer-to-peer network in 2008. That alleged finding by Tiversa was one of two alleged security incidents that kicked off the FTC's enforcement action last year against the Atlanta-based lab company.
The FTC has been pursuing an enforcement action against LabMD for alleged unfair business practices related to the two separate data security incidents that collectively exposed the personal information of approximately 10,000 consumers.
Based on testimony so far in an FTC administrative trial about LabMD's security practices, Issa writes, "the committee has learned of allegations that Tiversa created [a third party entity], Privacy Institute, in conjunction with the FTC so that Tiversa could provide information regarding data breaches to the FTC in response to civil investigative demand."
The letter asks the FTC inspector general's office "to undertake a full review of the FTC's relationship with Tiversa," including examining several issues. Those include FTC procedures for receiving information that it uses to bring enforcement actions pursuant to its authority under Section 5 [related to unfair business practices] and whether FTC employees have improperly influenced how the agency receives information; and the role that FTC employees played in the commission's receipt of information from Tiversa or the Privacy Institute.
The committee is considering holding hearings on the matter, Issa writes.
The June 17 letter to the FTC inspector general follows a June 11 letter Issa sent to FTC Chairwoman Edith Ramirez, noting that the FTC has relied on Tiversa "as a source of information" in the agency's enforcement action against LabMD. "However, information the committee recently obtained indicates that testimony company officials provided to federal government entities may not be truthful" (see LabMD Case: House Committee Gets Involved).
The latest letter from Issa to the FTC states: "It is now clear that Tiversa provided incomplete or inaccurate information to FTC." The letter also notes that the committee has an ongoing investigation "into the culpability of those responsible for the dissemination of false information."
Issa writes that if the Privacy Institute or Tiversa manipulated information to support FTC's investigation into LabMD, "such coordination between Tiversa and FTC calls into account the LabMD enforcement action and other FTC regulatory matters that relied on Tiversa-supplied information."
The committee chair also notes: "Apparently Tiversa provided information to the FTC about companies that refused to buy its services."
Besides the spreadsheet allegedly found by Tiversa, the FTC's case against LabMD also points to a second incident, in which the FTC alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says.
The FTC has proposed an order against LabMD that would prevent future violations "by requiring the company to implement a comprehensive information security program and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."
LabMD has been fighting the FTC's enforcement action since it was brought last August, arguing that the commission has overstepped its authority related to the medical testing lab's data security (see FTC vs. LabMD: Next Battle Begins).
LabMD's CEO Michael Daugherty has said that the resources the company has dedicated to its legal battle with the FTC have forced the firm to wind down most of its business operations.
The ongoing FTC administrative trial, or evidentiary hearing, that started on May 20 aims to determine whether LabMD's data security practices violated Section 5 of FTC regulations related to unfair business practices.
As a result of the committee investigation, the trial has again been put on "indefinite hold," LabMD's Daugherty tells Information Security Media Group.
Tiversa and Issa's office did not respond to ISMG's request for comment on the latest developments in the case. The FTC declined to provide comment.