Court Stays FTC's LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill

from the killing-a-horse-just-to-beat-it dept

Despite turning LabMD into a stone -- based on some suspect data breach allegations by a data protection company engaged in shady sales tactics -- the FTC is still seeking to extract as much blood as possible. Thanks to the FTC's ongoing efforts against LabMD, the company has been closed, has less than $5000 to its name, and is fighting back against the commission with pro bono help.

The FTC wants to punish LabMD for a patient file that ended up file sharing services thanks to an employee's use of Limewire at work. (The file was in folder that end up being "shared" by default Limewire settings [My Documents].) Tiversa, a company that prowled file sharing services for sensitive documents in hopes of leveraging these into data security contracts, took this info to the FTC when LabMD refused to purchase its offerings.

Since that point, the FTC has bankrupted LabMD by forcing it to defend itself against a supposed breach that never resulted in the misuse of patient data. Tiversa has seen its own fortunes diminish, culminating in an FBI raid of its offices in March of this year.

The FTC overturned an Administrative Law Judge's (ALJ) decision in July, giving itself permission to restore its charges against LabMD for the breach -- ones the ALJ had dismissed. The FTC claims LabMD "left" the mistakenly-shared file out somewhere in the internet, as if the company actually had any way to "retrieve" it once it had been uploaded.

Seemingly unconcerned that LabMD is now a defunct company, the FTC still wants it to implement a series of expensive steps to ensure the data it won't be collecting in the future is better protected.

Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

LabMD has asked for a stay of this injunction pending its appeal. That stay has been granted by the Eleventh Circuit Appeals Court. (via the Office of Inadequate Security)

The appeals court points out [PDF] several things about the stay the FTC is contesting, not the least of which is the company's inability to actually follow the injunction if granted, much less have any reason to do so, given its current situation.

The costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation. [...] The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.

LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.

Given the company's financial ruin, the injunction would serve no possible deterrent purpose. There's nothing left to destroy and, unfortunately, nothing to be gained by LabMD, even if it ultimately prevails.

Ordinary compliance costs are typically insufficient to render harm irreparable. But given LabMD’s bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC’s sovereign immunity.

Furthermore, the court feels there's absolutely no risk to the further exposure of patients' data, even with the file still supposedly in the wild. The company has its own copy, residing on a computer that is never connected to the internet. If a customer requests data, LabMD hooks it up to printer and mails or faxes them a hard copy.

As for the FTC's claim that a file that has been in the wild since 2005 would result in future breaches of patient confidentiality, the court is rather skeptical.

For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever for nefarious purposes before this appeal terminates. suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file. Although the FTC’s Order denying LabMD’s stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious reasons before this appeal terminates.

Finally, the court has a few choice words for the FTC's dictionary attack -- used to shore up its weak claims of future harm from the escaped file.

[I]t is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole.

Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.”Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.

The sick thing is that even if LabMD ultimately prevails, it won't matter. It cannot recover any of its expenses and the company has been gutted by its fight against the FTC. That the whole situation appears to have stemmed from a data protection company's shady sales pitch is even worse. Tiversa not only was uncooperative during the FTC's investigation of LabMD, but it has also drawn the attention of the House Oversight Committee, which was unimpressed by the Tiversa's tactics both before and after the FTC's investigation of LabMD.

Filed Under: court, data breach, file sharing, ftc, injunction
Companies: labmd, tiversa

Cybersecurity Firm With A History Of 'Corporate Blackmail' Raided By The FBI

from the fate-of-CEO-Robert-'Whitey'-Boback-currently-unknown dept

Cybersecurity is a crowded field. Not every competitor will make it. That's inevitable. Tiversa is one of the also-rans.

Tiversa is helmed by Robert Boback. Back in 2009, Boback was already well-versed in the cybersecurity hard sell. Here's what he had to say about P2P software in front of a Congressional audience -- an audience well-versed in the art of selling fear to fund additional government products.

Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make -- along with how much it was willing to pay. Also included in the document were still-private details about the company's financial performance. Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial.

Boback was stealthily pitching his company's P2P monitoring service. During this hearing, he also claimed to have come across documents containing details about the President's helicopter on an Iranian computer.

Boback may have overplayed his hand. There were no discussions about purchases of his software. But there were discussions about legislation banning the use of P2P software on government computers.

Boback's next interaction with Congress wasn't nearly as pleasant. The House Oversight Committee -- led by Darrell Issa -- was asking the FTC to take a good look at Tiversa and its habit of engaging in "corporate blackmail."

A year before Boback's mob-and-helicopter show in front of Congress, Tiversa was trying to get LabMD to buy its services. It claimed to have found a document containing thousands of LabMD's customers' information while monitoring P2P traffic. When LabMD refused to sign a contract with Tiversa, it took the info to the FTC. The FTC went after LabMD. But the data breach details Tiversa handed to the FTC were bogus.

“The possibility that inaccurate information played a role in the FTC’s decision to initiate enforcement actions against LabMD is a serious matter,” said Chairman Issa in today’s letter. “The FTC’s enforcement actions have resulted in serious financial difficulties for the company. Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities—including the FTC—may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches.”

The letter continues: “Further, the Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities. The Committee’s investigation is ongoing, and competing claims exist about the culpability of those responsible for the dissemination of false information. It is now clear, however, that Tiversa provided incomplete and inaccurate information to the FTC.”

Among this new information was the testimony of Richard Wallace, a former employee of Tiversa. As Wallace explained, the general business model of Tiversa was to fake a data breach, approach potential customer with a sales pitch and a threat to turn them over to the FTC if they refused to purchase Tiversa's protection. LabMD told Tiversa to beat it, which Boback didn't appreciate. From Wallace's testimony:

Q. Did Mr. Boback have a reaction to LabMD's decision not to do business with Tiversa?

A. Yes.

Q. And what was that reaction?

A. Do I say it?

MS. BUCHANAN: Answer the question.

THE WITNESS: He basically said f--- him, make sure he's at the top of the list.

According to the Congressional investigation, not only did Tiversa engage in corporate blackmail, but it faked metadata so it could claim sensitive documents had spread much further than they actually had. It also approached "affected" users directly, hoping to provoke reluctant companies into buying its services.

One of the customers it sought was the US government. But Tiversa lied to it as well. The supposed sensitive document it traced back to an Iranian computer? Sure, the document existed. But Tiversa could provide no proof that it had ever resided on that computer.

Fast-forward to earlier this month: Tiversa has been raided by the FBI.

Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry.

The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.

The Justice Department’s criminal investigation of Tiversa began after Richard Wallace, a former Tiversa employee, alleged in a 2015 Federal Trade Commission hearing that the cybersecurity firm gave the agency doctored evidence purporting to prove corporate data breaches, the people said.

An unnamed inside source sheds a little more light on the company and the FBI's visit.

When asked whether any others were involved in the kind of fraud Boback is allegedly being investigated for, the source stated that “it was always between Bob (Boback) and Rick (Wallace). Not too many people realized what was going on. Now people are looking into the data.” And the more they look into things, the source claims, the more they uncover in the way of lies and Boback asking or directing employees to falsify findings. The source later told DataBreaches.net that he was aware of one other instance where allegedly Boback asked someone to have multiple files spread to multiple IP addresses. It is not clear to DataBreaches.net whether that employee – whose identity is unknown to DataBreaches.net – ever cooperated with that request.

Was the claim to Congress and the media about plans for Marine 1 being found on an Iranian IP a lie, DataBreaches.net asked? “Yes,” was the simple answer.

“You have to understand that Tiversa had a great technology that is the real deal but RB fucked it up. Greed. Above the law, untouchable,” the source tells DataBreaches.net.

The DOJ's move isn't surprising, considering the allegations in the House Oversight Committee's report. The problem now is what to do about the FTC, which relied on tips from Tiversa to go after nearly 100 companies for supposed data breaches.

One would hope that if more concerns about Tiversa become public, then to the extent the FTC relied up on Tiversa at all for any investigation, they will do some internal contemplation about their methods and the need to independently investigate and verify third-party representations. Would FTC v. LabMD ever have happened if not for Tiversa? I seriously doubt it.

Whatever happens now, it's likely too late to be much comfort to LabMD. Between the FTC's action and Boback's defamation lawsuit, the company has been run into the ground. The good news is the defamation suit has been dropped and Tiversa's legal representation is quickly running as far away from the toxic company as humanly possible.

Filed Under: corporate blackmail, cybersecurity, fbi, ftc, p2p, robert boback
Companies: labmd, tiversa

Whistleblower Claims Cybersecurity Company Generated Fake Data Breaches To Sell Protective Services

from the selling-you-fixes-you-don't-need-for-problems-you-don't-have dept

Making money without actually having to earn it is the American dream, isn't it?

In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud -- and mafia-style shakedowns.

To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.

"Hire us or face the music," Wallace said on Tuesday at a federal courtroom in Washington, D.C.. CNNMoney obtained¹ a transcript of the hearing.

Tiversa would allegedly turn over "information" about these fake breaches to the FTC and push the agency to come down hard on the companies who refused to hire it. Once the FTC started asking questions, Tiversa would again approach these companies and ask them if they'd reconsidered the use of their services.

Wallace's testimony suggests Tiversa engaged in several unethical practices at the behest of CEO Bob Boback. One of the companies it targeted with its fake breaches was LabMD. After LabMD expressed reluctance to hire Tiversa, Bob Boback delivered a simple message to Wallace.

Q. Are you aware of whether or not LabMD agreed or refused to do business with Tiversa?

A. I think initially I don't think that there was a -- I don't think that they did not want to do business with Tiversa initially, and I think that as the communication advanced back and forth from Bob and different people with LabMD, I think that that's when they decided that they did not want to do business with Tiversa.

Q. Did Mr. Boback have a reaction to LabMD's decision not to do business with Tiversa?

A. Yes.

Q. And what was that reaction?

A. Do I say it?

MS. BUCHANAN: Answer the question.

THE WITNESS: He basically said f--- him, make sure he's at the top of the list.

The "list" was a compilation of prospective Tiversa customers, compiled with the assistance of investigators who had managed to secure personally identifiable information from companies' servers. This was the information that was threatened to be turned over to the FTC (or in some cases, was turned over before contacting the companies) if these companies refused to purchase Tiversa's services.

Q. Why does their name appear on the list?

A. So that the FTC would contact them and notify them of a data breach and hopefully we would be able to sell our services to them.

Q. Did someone tell you to put their name on the list?

A. Yes.

Q. Who?

A. Our CEO, Bob Boback.

Q. Why?

A. To use -- to be able to use any means necessary to let them know that an enforcement action is coming down the line and they need to hire us or face the music, so to speak.

Q. Did you, at the time this was created, have information on companies who fit the threshold but whose names do not appear on that list?

A. Yes.

Q. Why does their name not appear on the list?

A. The list was scrubbed of all clients in the past and future clients that we felt that there might be, you know, the prospect of doing business with them. Their information was removed.

Q. Clients of Tiversa?

A. Yes.

Q. Who made the decision to remove their names from the list?

A. Bob Boback.

In order to make the breaches look legit, Tiversa's investigators would download sensitive files, move them to the company's servers and alter information to make it appear as though the files had been accessed or stored by a variety of IP addresses, including those of known/suspected identity thieves.

THE WITNESS: Usually it would be after the fact, Bob would make contact with the company, without coming to me or coming to anyone else first, and say, you know, your file has spread to three additional IP addresses, it's in Europe and Nigeria and Poland and who knows. So then it would be up to me to make it appear that way in the data store so, if there was ever an audit or, you know, somebody was catching on, the data would be there if you -- Coveo is basically a front end for the data store. It's like a Google site, so you could type in there "insurance aging" and it's going to come up with a list of IP addresses along with the file, date and time.

More on that tactic:

JUDGE CHAPPELL: If I understood you correctly, it was not true that the file was at this IP address.

THE WITNESS: That is correct.

JUDGE CHAPPELL: And if I were Company B in my earlier scenario, do I have any way to go to Apache Junction and see if they've downloaded my data?

THE WITNESS: We would see that in our -- in our real data store, we would show -- like, for example, with this one, this individual had over -- I was very familiar with this guy. He had over 3,000 tax returns, and he was zipping them up and selling them. Therefore, we knew that he was a bad actor, and it made it easy to put this file there, so to speak, even though he never had it physically on that computer, but we made it look -- appear like he did.

JUDGE CHAPPELL: All right. So if I follow you correctly, you never -- the file was never actually at Apache Junction.

THE WITNESS: No.

JUDGE CHAPPELL: But I, Company B, had no way of ever verifying that or knowing that.

THE WITNESS: Right.

Wallace's testimony may be useful in placing Tiversa in the FTC's sights, something Darrell Issa brought to its attention last year. But it won't do much for LabMD, which appears to have been prosecuted out of existence based on Tiversa's phony claims.

Tiversa claims Wallace's testimony is nothing more than a fired employee being vindictive and cites its multiple awards from law enforcement agencies as evidence of its forthrightness and honesty. All well and good, but if law enforcement agencies have been subjected to the same tactics -- bogus problems and bogus fixes -- they might be handing out awards based on perceived effectiveness rather than Tiversa's actual cybersecurity skills.

The House Oversight Committee looked into Tiversa's allegations against LabMD last year and was none too impressed by the supposedly upstanding company's inability/unwillingness to turn over the information it requested.

The Committee has obtained documents and information indicating Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of data on peer-to-peer computer networks. In fact, it appears that, in responding to an FTC subpoena issued on September 30, 2013, Tiversa withheld responsive information that contradicted other information it did provide about the source and spread of the data, a billing spreadsheet file.

Despite a broad subpoena request, Tiversa provided only summary information to the FTC about its knowledge of the source and spread of the file.

The letter details Tiversa's evasiveness in response to the HOC's requests, noting that while it did turn over nearly 8,700 pages in response to the subpoena, 8,500 of those were five identical copies of the 1,718-page LabMD insurance aging file at the center of the FTC's investigation, leaving only 79 pages of other materials, none of which substantiated Tiversa's claims.

If the allegations are true, Tiversa is likely looking at altering its business model. Being just another name in the cybersecurity business means even less when that name is increasingly tied to fraudulent behavior.

¹ Let's address CNN's claim about "obtaining" a transcript of the hearing. Like far too many press outlets, CNN seems to believe publicly-filed documents are trade secrets and refuses to provide download links or pointers as to where these might be obtained. In this case, it apparently obtained the transcript from former LabMD CEO Michael Daugherty's website. Or it may have had it sent to it by Daugherty himself. But either way, it did not "obtain" something no one else could have obtained, no matter how much its wording suggests some sort of exclusivity. And it could have done what Daugherty did: posted the transcript so readers could read it for themselves. But it didn't. TL;DR: CNN "obtained" this transcript in the non-exclusive way that you and I "obtain" air or any other non-rival good. (Yes, air becomes rivalrous in air-free environments, but non-pedantically, the comparison holds.)

Filed Under: bob boback, cybersecurity, data breaches, fake data breaches, ftc, hacks, richard wallace, shakedown, whistleblower, white hat
Companies: labmd, tiversa