Media

Read the full story: Cato Institute 

In 2010, the Federal Trade Commission approached an Atlanta-based medical testing company, LabMD, with accusations that it had wrongfully left its customer data insecure and vulnerable to hackers. LabMD’s owner denied that the company was at fault and a giant legal battle ensued. To quote my post last year at Overlawyered:

 

…according to owner Michael Daugherty, allegations of data insecurity at LabMD emanated from a private firm that held a Homeland Security contract to roam the web sniffing out data privacy gaps at businesses, even as it simultaneously offered those same businesses high-priced services to plug the complained-of gaps.

 

Last week, finally, after five years, the case reached an administrative hearing at the FTC, which heard “bombshell” testimony given under immunity by former Tiversa employee Richard Wallace:

 

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony.

 

CNN headlined its story “Whistleblower accuses cybersecurity company of extorting clients” – that is, by threatening to turn them in to the feds if they spurned its vendor services.

 

To be sure, allegations are merely allegations, and we haven’t heard Tiversa’s side of the story, except for a statement from its CEO Bob Boback: “This is an overblown case of a terminated employee seeking revenge. Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.” The advisory board of the Pittsburgh-based security services company includes former four-star Army general and former Democratic presidential candidate Wesley Clark.

 

Two years ago, Daugherty wrote up his experience in a book, The Devil Inside the Beltway. Tiversa tried to stop its publication, saying it had been defamed. While the book got write-ups in various places – by our friend Edward Hudgins at the Atlas Society, for example – and while the story has drawn the interest of a House oversight committee and the group Cause of Action, the threatened litigation probably did chill some media coverage.

 

Read the full story: Gov Info Security 

The Federal Trade Commission has confirmed that it will not call a witness to refute damaging testimony given last week by a former employee of Tiversa, the peer-to-peer security firm at the center of the FTC’s security enforcement case against medical testing company LabMD. That means the case potentially could proceed to closing arguments in the coming weeks.

 

The case is being closely watched by Congress and others because it has raised questions about the FTC’s jurisdiction on security cases as well as its methods for gathering evidence for these cases.

 

Last week, after months of delay in the FTC administrative hearing on the LabMD data security investigation, former Tiversa employee Richard Wallace testified with immunity that the Pittsburgh-based security firm exaggerated the extent to which a LabMD insurance-related spreadsheet file containing information on 9,000 individuals was exposed and “spread” on the Internet in 2008.

 

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony. Wallace additionally testified that it was a “common practice” by Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that Tiversa found “speading” on the Internet in an attempt to sell the company’s security monitoring and remedial services.

 

“The FTC has confirmed that it found no reason to challenge the testimony given last week,” says attorney Reed Rubinstein of Cause of Action, a non-profit organization representing LabMD in the FTC legal dispute. “The only evidence in the record now is that LabMD was telling the truth from the beginning that they were hacked by a cyberthief, and that the FTC did nothing to verify the information it was given by Tiversa.”

Read the full story: We Live Security

Last week, a former employee of Tiversa claimed in court in Washington D.C. that the company would routinely hack systems belonging to prospective clients to motivate them to purchase the cybersecurity firm’s services. It is alleged that the company would break into the prospect’s systems, without permission, then make a sales call to the prospect to offer security services to fix the problems it had just found and/or created. According to ESET security researcher Stephen Cobb, “Obviously, if these allegations are substantiated, they will be seen as some of the most egregious violations of professional ethics that the security industry has ever seen; but we do need to bear in mind that these proceedings are still ongoing and nothing is yet proven.”

 

This has all come to a head because a cancer testing laboratory, LabMD, has accused the cybersecurity firm, Tiversa, of stealing its client data back in 2010. It is alleged that Tiversa then claimed that the stolen data was being shared by known identity thieves. When the lab refused to buy the security firm’s services it threatened to report the lab to the FTC (Federal Trade Commission) for not securing their records properly. This is ultimately what happened, allegedly leading to the medical facility’s ultimate bankruptcy, according to a report in The Register.

 

As CNN Money puts it, the FTC gave LabMD a choice: “sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court.” Given that a plea deal would damage the reputation of the business, LabMD took the latter option. This initial case was lost, but following the release of a book about the case, a government watchdog, Cause of Action, has taken up the matter to pursue it further.

Read the full story: CNNMoney

In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud — and mafia-style shakedowns.

 

To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.

 

“Hire us or face the music,” Wallace said on Tuesday at a federal courtroom in Washington, D.C.. CNNMoney obtained a transcript of the hearing.

 

The results were disastrous for at least one company that stood up to Tiversa and refused to pay.

 

In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD’s computers and pulled the medical records.