Congressman calls for halt to FTC breach probe amid claims of 'corporate blackmail'

House Oversight Committee questions reliability of Tiversa data used by FTC in filing complaint against LabMD

A U.S. House committee has called on the Federal Trade Commission's Inspector General to probe the agency's relationship with a peer-to-peer network-monitoring firm whose data is key evidence in an FTC complaint filed against LabMD.

The agency's case depends on claims by Tiversa that in 2008 it found a 1,718-page billing spreadsheet belonging to LabMD floating about on a public file-sharing network. Tiversa said the data included Social Security Numbers, treatment codes and insurance data on about 10,000 people.

At the time, Tiversa said the document was one of several sensitive files belonging to multiple firms it found when conducting research on the inadvertent leakage of personal health data on P2P networks.

The House Committee on Oversight and Government Reform disputes Tiversa's claims.

In a letter sent Wednesday, Committee Chairman Darrell Issa (R-Calif.) requested that FTC acting Inspector General Kelly Tshibaka investigate those claims and allegations of "corporate blackmail" against Tiversa.

In the letter, Issa said the oversight committee is investigating Tiversa and its relationships with the FTC and other federal agencies. "The Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities," Issa said in the letter.

The FTC filed its complaint in August 2013, alleging that LabMD engaged in deceptive and unfair trade practices by allowing a document containing sensitive health information to sit on a peer-to-peer network. The complaint was filed after a lengthy two-year discovery process.

FTC Chief Administrative Law Judge Michael Chappell has delayed the trial due to the oversight committee's questions about the case.

Issa contends that Tiversa attempted to sell its security monitoring services to LabMD immediately after its purported discovery of the file. When LabMD refused the services, Tiversa then provided the information to the FTC, Issa said in his letter.

Though there are competing claims about who is responsible for disseminating false information, "it is now clear, however that Tiversa provided incomplete and inaccurate information to the FTC," Issa said.

Issa said the oversight committee has also learned of allegations that Tiversa, in conjunction with the FTC, created an entity called the Privacy Institute to provide information about data breaches to the agency. "If these allegations are true, such coordination between Tiversa and the FTC would call into account the LabMD enforcement action, and other FTC regulatory matters that relied on Tiversa supplied information," the letter said.

The FTC declined to comment on Issa's letter.

In an email to Computerworld, Tiversa CEO Robert Boback denied that his company has a special relationship with the FTC.

"This is absolutely and unequivocally NOT true," Boback said. "Tiversa has never been paid by the FTC nor was a contract ever discussed in any way!"

Boback said the FTC contacted Tiversa after the company provided testimony before Congress on its research findings related to data leaks on P2P networks. The FTC demanded that Tiversa either hand over its information or be subject to a formal Civil Investigative Demand. "Tiversa had no choice but to comply with the demand," Boback said.

He said that a former Tiversa employee cited by Issa is seeking retaliation for being terminated earlier this year. "This employee is clearly seeking retaliation for his termination and unfortunately is attempting to manipulate Congress into an investigation to achieve his goal," Boback said.

Boback also rejected previous claims made by LabMD CEO Michael Daugherty about a conspiracy between Tiversa and the FTC. "Tiversa has freely and honestly answered any questions by the Committee," he said.

Daugherty earlier this year claimed that the FTC's pursuit of his company since 2010 had forced him to shut down operations and lay off his employees.

Daugherty has accused the FTC of overstepping its authority in investigating LabMD, contending that the agency does not have authority to regulate data security practices.

He has also questioned the standards used by the FTC in judging whether a company has reasonable security measures. He has said it's unfair to hold companies to data security standards that have not yet been formally promulgated by the FTC or other federal body.

LabMD and Wyndham Worldwide are the only companies to challenge the FTC's data breach enforcement actions in recent years. In other cases, the FTC has extracted settlements from its targets.

Meanwhile, several business groups, including the U.S. Chamber of Commerce, TechFreedom, the American Hotel and Lodging Association, National Federation of Independent Businesses and the International Franchise Association, are calling for a review of the FTC's enforcement authority.

Government watchdog Cause of Action (CoA), which has taken up LabMD's defense, welcomed the House Oversight Committee's demand for an investigation into the FTC's relationship with Tiversa.

"The House Oversight Committee's investigation should send a message to federal agencies, the President and the courts that the arbitrary abuse of administrative power will not go unchecked," Cause of Action's executive director Dan Epstein said. "This is why it has investigated and litigated for LabMD to stop the FTC from arbitrarily expanding and abusing its power by victimizing an entrepreneur who did nothing wrong."

The CoA contends that there is no evidence that the FTC has taken steps to independently authenticate Tiversa's claims.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
