Cato Institute: A Spurned Vendor — And a Tip To the FTC

Read the full story: Cato Institute 

In 2010, the Federal Trade Commission approached an Atlanta-based medical testing company, LabMD, with accusations that it had wrongfully left its customer data insecure and vulnerable to hackers. LabMD’s owner denied that the company was at fault and a giant legal battle ensued. To quote my post last year at Overlawyered:

 

…according to owner Michael Daugherty, allegations of data insecurity at LabMD emanated from a private firm that held a Homeland Security contract to roam the web sniffing out data privacy gaps at businesses, even as it simultaneously offered those same businesses high-priced services to plug the complained-of gaps.

 

Last week, finally, after five years, the case reached an administrative hearing at the FTC, which heard “bombshell” testimony given under immunity by former Tiversa employee Richard Wallace:

 

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony.

 

CNN headlined its story “Whistleblower accuses cybersecurity company of extorting clients” – that is, by threatening to turn them in to the feds if they spurned its vendor services.

 

To be sure, allegations are merely allegations, and we haven’t heard Tiversa’s side of the story, except for a statement from its CEO Bob Boback: “This is an overblown case of a terminated employee seeking revenge. Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.” The advisory board of the Pittsburgh-based security services company includes former four-star Army general and former Democratic presidential candidate Wesley Clark.

 

Two years ago, Daugherty wrote up his experience in a book, The Devil Inside the Beltway. Tiversa tried to stop its publication, saying it had been defamed. While the book got write-ups in various places – by our friend Edward Hudgins at the Atlas Society, for example – and while the story has drawn the interest of a House oversight committee and the group Cause of Action, the threatened litigation probably did chill some media coverage.

 

Gov Info Security: FTC’s LabMD Case: The Next Steps

Read the full story: Gov Info Security 

The Federal Trade Commission has confirmed that it will not call a witness to refute damaging testimony given last week by a former employee of Tiversa, the peer-to-peer security firm at the center of the FTC’s security enforcement case against medical testing company LabMD. That means the case potentially could proceed to closing arguments in the coming weeks.

 

The case is being closely watched by Congress and others because it has raised questions about the FTC’s jurisdiction on security cases as well as its methods for gathering evidence for these cases.

 

Last week, after months of delay in the FTC administrative hearing on the LabMD data security investigation, former Tiversa employee Richard Wallace testified with immunity that the Pittsburgh-based security firm exaggerated the extent to which a LabMD insurance-related spreadsheet file containing information on 9,000 individuals was exposed and “spread” on the Internet in 2008.

 

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony. Wallace additionally testified that it was a “common practice” by Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that Tiversa found “spreading” on the Internet in an attempt to sell the company’s security monitoring and remedial services.

“The FTC has confirmed that it found no reason to challenge the testimony given last week,” says attorney Reed Rubinstein of Cause of Action, a non-profit organization representing LabMD in the FTC legal dispute. “The only evidence in the record now is that LabMD was telling the truth from the beginning that they were hacked by a cyberthief, and that the FTC did nothing to verify the information it was given by Tiversa.”

We Live Security: Whistleblower claims cybersecurity firm hacked clients

Read the full story: We Live Security

Last week, a former employee of Tiversa claimed in court in Washington D.C. that the company would routinely hack systems belonging to prospective clients to motivate them to purchase the cybersecurity firm’s services. It is alleged that the company would break into the prospect’s systems, without permission, then make a sales call to the prospect to offer security services to fix the problems it had just found and/or created. According to ESET security researcher Stephen Cobb, “Obviously, if these allegations are substantiated, they will be seen as some of the most egregious violations of professional ethics that the security industry has ever seen; but we do need to bear in mind that these proceedings are still ongoing and nothing is yet proven.”

 

This has all come to a head because a cancer testing laboratory, LabMD, has accused the cybersecurity firm, Tiversa, of stealing its client data back in 2010. It is alleged that Tiversa then claimed that the stolen data was being shared by known identity thieves. When the lab refused to buy the security firm’s services it threatened to report the lab to the FTC (Federal Trade Commission) for not securing their records properly. This is ultimately what happened, allegedly leading to the medical facility’s ultimate bankruptcy, according to a report in The Register.

 

As CNN Money puts it, the FTC gave LabMD a choice: “sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court.” Given that a plea deal would damage the reputation of the business, LabMD took the latter option. This initial case was lost, but following the release of a book about the case, a government watchdog, Cause of Action, has taken up the matter to pursue it further.

Weekly Rundown 5-8-2015


CNN Money: Whistleblower accuses cybersecurity company of extorting clients – Cause of Action’s fight against the FTC continued on Tuesday… Read More

Law 360: Analyst Backs LabMD In FTC Row, Alleges Fraud At Tiversa — “LabMD Inc. on Tuesday scored a major hit in its data security fight with the Federal Trade Commission after a former analyst at the cybersecurity firm Tiversa Inc. testified that his company lied to the agency about the extent of LabMD’s data leaks after the medical testing firm turned down its services… According to LabMD’s attorney Reed Rubinstein… the testimony marked a “remarkable day” in the case and vindicated the company’s assertion that “the FTC action was based on manufactured evidence.” At the close of the hearing Tuesday, Rubinstein announced that LabMD will seek a criminal investigation against the Tiversa…” Read More

Epoch Times: EB-5 Visa Limits May Slow Flow of China’s Elite to US – Cause of Action will not allow public officials to take advantage of the EB-5 visa program… Read More

Fox News: Clinton agrees to testify this month before House committee on Benghazi, private emails — “Democratic presidential candidate Hillary Clinton has agreed to testify on Capitol Hill this month about two controversial issues when she was secretary of state — the fatal terror attacks in Benghazi, Libya, and using a private server and emails for official business, her attorney said Tuesday…” Read More

Washington Times: IRS still targeting tea party: Nine groups awaiting agency approval — “Nine tea party groups were still awaiting IRS approval for nonprofit status nearly two years after the political targeting program was exposed, the inspector general said in a report Thursday that, despite hiccups, claimed the tax agency has generally done a good job of cleaning up its act…” Read More

CNNMoney: Whistleblower accuses cybersecurity company of extorting clients

Read the full story: CNNMoney

In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud — and mafia-style shakedowns.

 

To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.

 

“Hire us or face the music,” Wallace said on Tuesday at a federal courtroom in Washington, D.C. CNNMoney obtained a transcript of the hearing.

The results were disastrous for at least one company that stood up to Tiversa and refused to pay.

 

In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD’s computers and pulled the medical records.

Daily Caller: Memo: Since 2009, The State Department Required Outgoing Officials To Turn Over Emails

Read the full story: Daily Caller

A memo sent to State Department officials last year indicates that the agency had a policy in place as early as 2009 requiring out-going officials to turn over email records when they leave office.

 

Hillary Clinton flouted that policy when she left her position as secretary of state in February 2013. Clinton exclusively used a personal email account hosted on a private server during her time at the agency and only turned those records over a few months ago.

 

“As a supplement to existing policy, and consistent with the policy in place since 2009, it is important to capture electronically the e-mail accounts of the senior officials…as they depart their positions,” reads an Aug. 28, 2014, memo entitled “Senior Officials’ Records Management Responsibilities” sent by Patrick Kennedy, undersecretary of management.

 

Clinton held on to her emails until Dec. 2014, nearly two years after leaving her position. When she did finally turn the records over, she did so only at the State Department’s request and as a House committee investigating Benghazi sought them.

 

Cause of Action, a nonprofit government watchdog group, pointed out the Kennedy memo, which was included in a list of documents it received in response to a March 17 letter calling on the State Department to investigate whether Clinton turned over all official government emails sent to and from her personal account.

Weekly Rundown 4-30-2015


National Review: It Appears the State Department Has Had a Policy of Retaining Senior Officials’ Emails Since 2009 – The State Department has provided Cause of Action with documents showing that the department has required emails to be preserved since 2009. According to the documents, the department should have had possession of Secretary Clinton’s email records when Mrs. Clinton left office. The fact that they did not have possession of her emails raises still pressing questions… Read More

Washington Examiner: State Department allowing Clinton Foundation to approve emails for release – “State Department officials began allowing the Clinton Foundation to review emails the government planned to release to Congress and Freedom of Information Act requesters in January 2014, prompting a process that has delayed the publication of agency records for months.”… Read More

Cause of Action: HHS Inspector General Finds Potential Misuse of Obamacare Federal Grant Dollars – The IG for HHS, Daniel R. Levinson, recently sent a letter to Centers for Medicare & Medicaid Services expressing concern that Obamacare state exchanges may be unlawfully spending federal grant dollars to fund operations… Read More

CNN: IRS watchdog finds 6,400 missing Lois Lerner emails – The Treasury Inspector General for Tax Administration has found emails from Lerner that were previously thought to be permanently deleted… Read More

Washington Times: Obama clean energy loans leave taxpayers in $2.2 billion hole – Even after Obama administration officials promised that these projects would pay for themselves, taxpayers have now been left holding the bag… Read More