David and Goliath is how some media reports have characterized the data security enforcement action brought by the Federal Trade Commission against Atlanta-based LabMD. Few have had the temerity to go head to head with the FTC.
But in this case, chalk up a KO for David.
Administrative Law Judge Michael Chappell on Nov. 13 dismissed the FTC’s data-breach case against LabMD, concluding that the FTC had failed to prove any part of its case. The judge ruled emphatically that LabMD did not, as the FTC alleged, expose consumers who used its services to potential online theft of their personal information.
The ruling in the 4-year-old case was a victory for LabMD CEO Michael Daugherty, one of only a handful of business owners ever to challenge the FTC on privacy/security complaints. Daugherty became so frustrated by his experiences with the FTC and with Tiversa Holding Company, the cyber-security company that was the source of data the FTC used to build its complaint, that he researched and wrote a book about it. “The Devil Inside the Beltway” details his company’s debilitating experience with Tiversa and Tiversa’s use of its federal government connections.
Because of repercussions from the data breach allegations, Daugherty had to wind down his blood-testing business and lay off some 40 employees.
Tiversa responded to Daugherty’s book by first trying to prevent its publication and then by filing a libel suit against him. Cynthia Counts and Ken Argentieri of Duane Morris represent Daugherty in that litigation, which is pending in state court in Pennsylvania. Cause of Action represented LabMD in the FTC matter.
At the center of the controversy was a file – identified as the 1718 file – used for insurance billing that contained names, dates of birth and Social Security numbers of patients who used LabMD’s blood-testing services. Tiversa contacted LabMD in 2008, claiming it had obtained the file through a then-popular file-sharing software called LimeWire, which was often used to download and share music. LabMD confirmed that a copy of the software had been installed on an employee’s computer, without the company’s knowledge. That breach was cured, and LimeWire was removed.
Tiversa’s CEO, Robert Boback, offered pricey security remediation services, claiming that the compromised file was spreading around the internet among hackers, but Daugherty declined, unconvinced that such exposure had occurred. Information about the alleged data leak was subsequently passed – indirectly – by Tiversa to the FTC, which came after LabMD and ultimately filed its complaint in 2013.
A former forensic analyst for Tiversa, Richard Wallace, emerged as a key witness in the FTC proceedings and figured prominently in the law judge’s opinion. Wallace, who worked for Tiversa for seven years, testified that he routinely fabricated information at the direction of Tiversa’s CEO to suggest that sensitive data belonging to businesses had been compromised and was being widely circulated around the internet when, in fact, it was not.
If that tactic didn’t work, he testified, Boback would also call some of these potential customers and say “the FTC is going to be taking action against you if you don’t become clients.”
In his ruling, Judge Chappell summarized the business model presented by the analyst:
“Mr. Wallace testified that Tiversa’s business model was to ‘monetize’ documents that it downloaded from peer-to-peer networks, by using those documents to sell data security remediation services to the affected business, including by representing to the affected business that the business’ information had ‘spread’ across the Internet via peer-to-peer sharing networks, when such was not necessarily the case, and by manipulating Tiversa’s internal database of peer-to-peer network downloads (the ‘Data Store’) to make it appear that a business’ information had been found at IP addresses belonging to known identity thieves.”
The testimony tended to support the opinions Daugherty expressed throughout his book.
According to Wallace, who testified under a Department of Justice grant of immunity, the private data never actually was circulated outside Tiversa. Instead, it was spoofed in a way that made it appear that individuals already known to law enforcement as “bad actor” hackers had secured copies.
Wallace testified this was a scare tactic that added "spread" to the supposed damage – and created a "wow factor."
"So, to boil this down, you would make the data breach appear to be much worse than it actually had been?" Judge Chappell asked.
"That's correct," Wallace responded.
Following Wallace’s testimony, Tiversa CEO Boback told CNN that the revelations were "baseless" and came from an ex-employee still angry for being fired. "This is an overblown case of a terminated employee seeking revenge," Boback said.
In his order, Judge Chappell clearly did not share that view: “Based on Mr. Wallace’s forthrightness in response to questioning, and his overall demeanor observed during his questioning, Mr. Wallace is a credible witness.”
Meanwhile, he was less convinced about the truthfulness of the Tiversa CEO: Based on “observation of Mr. Boback’s overall demeanor during the June 7, 2014 video deposition," including his “evasive[ness] and lack [of] forthrightness in response to questioning…Mr. Boback is not a credible witness concerning LabMD, the 1718 File, or other matters material to the liability of Respondent.”