DOJ probes allegations that Tiversa faked data breaches

Previously, we reported on the FTC’s fight with LabMD over data security.  As part of that coverage, we noted the testimony of former Tiversa employee Richard Wallace, who alleged that Tiversa had given the FTC doctored evidence purporting to prove consumer data breaches.

DOJ/FBI Investigate Tiversa

Now it appears that the Department of Justice (“DOJ”) and the Federal Bureau of Investigation (“FBI”) are probing Wallace’s allegations regarding faked data breaches.

The DOJ/FBI’s investigation of Tiversa began following the allegations of Wallace during a 2015 FTC hearing in the LabMD case.  There, Wallace told the ALJ that Tiversa had falsified information to make it appear that sensitive data was being accessed by users across the country.

FTC Sues LabMD Upon Tiversa Faked Data Breaches Information

Upon that information, the FTC was led to investigate whether LabMD had failed to protect consumer data, which eventually resulted in the FTC bringing suit against LabMD.  The FTC’s complaint alleged two separate data breaches against LabMD.  First, the FTC alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (“P2P”) file-sharing network.  Second, in 2012, the FTC alleges LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.

At the time the complaint was filed, the FTC said:

The unauthorized exposure of consumers’ personal data puts them at risk.  The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.

ALJ Dismisses FTC’s Case Against LabMD, FTC Appeals

However, in the time since the complaint was filed, the FTC has been locked in a battle with LabMD over the purported data breaches.  In fact, the FTC’s case took a punishing blow when the presiding ALJ dismissed it on the grounds that the FTC had failed to show that LabMD’s purportedly lax data security practices had caused any actual harm to consumers, as required by Section 5(n) of the FTC Act.

While the ALJ’s decision is still being appealed, the problems for Tiversa may only be beginning.  David Schertler, an attorney for Tiversa, has said Tiversa is cooperating with the DOJ/FBI’s investigation.

Tiversa Provided FTC with Information on Nine Other Companies

In addition to the information provided to the FTC regarding the purported data breaches at LabMD, Tiversa also provided the FTC with information regarding nine other companies, according to a 2015 staff report to the House Committee on Oversight & Government Reform.  The current status of the FTC’s investigation into those nine companies is unknown.

Should the FTC Even be Policing Data Security?

The FTC’s fight against LabMD has raised questions over whether and how the FTC should investigate data breaches.  Some have argued that Congress has never given the FTC the authority to police data security, and that the FTC is not equipped to handle such investigations.  The use of third-party security firms like Tiversa may lend itself to the argument that the FTC is not properly situated to investigate large-scale data breaches, like those at issue in the LabMD matter.  Furthermore, the fact that Tiversa is now under investigation for allegedly falsifying data breaches raises questions about what involvement, if any, the FTC might have had in those doctored data breaches.  This is especially important in light of the recent revelation in the Staples/Office Depot merger case that the FTC asked an Amazon executive to lie in a declaration.

LabMD is one of a handful of companies that have been sued by the FTC in recent years for allegedly failing to protect consumer information from data breaches.  Since 2008, the FTC has targeted more than 50 companies for data breaches, including the likes of Twitter, CVS Caremark, and Wyndham Hotels, all of which have reached settlements with the FTC.

Tiversa Places CEO on Leave While It Conducts Its Own Investigation

Following an FBI raid in March 2016, Tiversa has placed CEO Robert Boback on leave as the security firm conducts its own internal investigation regarding the alleged faked data breaches.  Robert Ridge, Boback’s attorney, has declined to comment on either Boback’s status or the investigations into Tiversa.

Wallace Lays Blame at Feet of Boback

As noted, the faked data breach allegations against Tiversa first arose last May, when former Tiversa employee Richard Wallace testified in an FTC hearing in the LabMD matter.  Wallace said that when Tiversa learned that a company’s records were located on a P2P file-sharing network, Tiversa would reach out to the affected company and pitch its remediation service.  However, when companies such as LabMD declined Tiversa’s offer, the company’s name would be included on a list that Boback would then hand over to the FTC.  For example, when LabMD refused Tiversa’s services, Boback “basically said, ‘f__ him, make sure he’s at the top of the list,’” according to Wallace’s testimony.

Wallace also testified that he was told to falsify evidence that LabMD’s patient file was rapidly being spread online into the hands of identity thieves.  Wallace said Boback told him, “‘We need this at four different IP addresses, and they need to be bad guys.’”

The DOJ has purportedly given Wallace immunity in exchange for his testimony against Tiversa.

The FTC has responded in court filings that while the information from Tiversa caused the FTC to begin its investigation into LabMD, its suit against LabMD was fully supported by the FTC’s own independent evidence.
