“The as­sump­tion’s al­ways that you’re guilty, even from the lawyers. The gov­ern­ment’s com­ing af­ter you— you must have done some­thing wrong”

It wasn't get­ting hacked that brought down LabMD—it was fight­ing the gov­ern­ment

Bloomberg Businessweek (North America) - - Con­tents - By Dune Lawrence Pho­tographs by Johnathon Kelso

The first phone call that changed Michael Daugh­erty’s life came in May 2008. Daugh­erty was a happy man, run­ning a good busi­ness in a nice place. That’s how he talks about it, like the open­ing five min­utes of a movie, set­ting up how great ev­ery­thing is be­fore dis­as­ter strikes. His At­lanta-based com­pany, LABMD, tested blood, urine, and tis­sue sam­ples for urol­o­gists, and had about 30 em­ploy­ees and $4 mil­lion in an­nual sales.

Daugh­erty is a mid­dle-aged guy dis­tin­guished by small, kind brown eyes and a big, meaty laugh—a busi­ness every­man of a cer­tain vin­tage, with a sales­man’s mix of friendly and ag­gres­sive. He’s from Detroit, and you can oc­ca­sion­ally hear it in his vow­els. Kevin Spacey could play him in the movie.

Here’s where the story turns dark. That Tues­day, Labmd’s gen­eral man­ager came in to tell Daugh­erty about a call he’d just fielded from a man named Robert Boback. Boback claimed to have got­ten hold of a file full of LABMD pa­tient in­for­ma­tion. This was scary for a med­i­cal busi­ness that had to com­ply with fed­eral rules on pri­vacy, en­shrined in the Health In­sur­ance Porta­bil­ity and Ac­count­abil­ity Act. I need proof, Daugh­erty told his deputy. Get it in writ­ing.

Boback e-mailed the doc­u­ment. It was a LABMD billing re­port con­tain­ing data, in­clud­ing So­cial Se­cu­rity num­bers, on more than 9,000 pa­tients. Boback quickly got to the sales pitch: His com­pany, Tiversa, of­fered an in­ves­tiga­tive ser­vice that could iden­tify the source and sever­ity of the breach that had ex­posed this data and stop any fur­ther spread of sen­si­tive in­for­ma­tion.

Labmd’s four-per­son IT team found the prob­lem al­most im­me­di­ately: The man­ager of the billing depart­ment had been us­ing Limewire file- shar­ing soft­ware to down­load mu­sic. With­out know­ing it, she’d left her doc­u­ments folder, which con­tained the in­sur­ance re­port now in Tiversa’s pos­ses­sion, open for shar­ing with other users of the peer-to-peer net­work. The billing man­ager’s com­puter was the only ma­chine at LABMD with Limewire—hav­ing it was a vi­o­la­tion of com­pany pol­icy— and the tech staff re­moved it.

They also be­gan scour­ing peer-to-peer net­works and the In­ter­net for signs of the file on the loose, in case some­one out­side Tiversa had down­loaded it and shared it with oth­ers. They looked for months and never found it.

Boback kept e-mail­ing dur­ing this pe­riod, urg­ing swift ac­tion and claim­ing that Tiversa was see­ing searches and down­loads of the file. When LABMD asked for specifics, Boback said he could pro­vide those only after LABMD signed a ser­vice agree­ment. The sam­ple agree­ment he sent listed a rate of $475 an hour, and Boback said the fix for a prob­lem of this na­ture typ­i­cally took two weeks. (Two 40-hour weeks at that rate would to­tal $38,000.) His e-mails men­tioned neg­a­tive press re­lated to the leak of 1,000 So­cial Se­cu­rity num­bers by Wal­ter Reed Army Med­i­cal Cen­ter, and he of­fered to send over a break­down of data breach no­ti­fi­ca­tion laws in 43 states.

Boback had an un­usual back­ground for a cy­ber en­tre­pre­neur. Be­fore start­ing Tiversa, he’d been a chi­ro­prac­tor and dab­bled in real es­tate around Pitts­burgh, where he’d grown up. He founded the com­pany in his home­town in early 2004 with Sam Hop­kins, one of his chi­ro­prac­tic clients, who be­came the chief tech­nol­ogy of­fi­cer.

Boback proved an adept sales­man. By 2007, Tiversa had col­lected a group of high-pow­ered ad­vis­ers, most no­tably Wes­ley Clark, the re­tired four-star gen­eral. Boback tes­ti­fied that July be­fore the House Com­mit­tee on Over­sight and Govern­ment Re­form, in­tro­duced by the chair­man as “a lead­ing author­ity in the con­se­quences of in­ad­ver­tent in­for­ma­tion shar­ing.” (Clark said through a spokesper­son that he hasn’t been in­volved with Tiversa for sev­eral years.)

Tiversa mon­i­tored peer-to-peer net­works for its clients, us­ing a pro­pri­etary plat­form that gave it a broad view of what users of such net­works were search­ing for and shar­ing. By the time Boback called LABMD, Tiversa’s home page boasted that its tech­nol­ogy could mon­i­tor 450 mil­lion users do­ing 1.5 bil­lion searches a day. The com­pany over­view listed Tiversa’s core val­ues, in­clud­ing, “We are open, hon­est, and direct in all of our in­ter­ac­tions. We al­ways strive to ‘do the right thing’ for our cus­tomers and em­ploy­ees.”

Daugh­erty read Boback’s e-mails as po­lite ex­tor­tion notes. Boback stopped send­ing them only after Daugh­erty’s deputy told him in late July to direct all com­mu­ni­ca­tions to Labmd’s lawyers. That fall, a LABMD lawyer got a call from a Tiversa lawyer with what sounded to Daugh­erty like a threat: Tiversa was wor­ried about be­ing sued for not re­port­ing the LABMD file to the Fed­eral Trade Com­mis­sion.

The com­mis­sion came knock­ing in Jan­uary 2010. LABMD re­ceived an 11-page let­ter from the FTC Divi­sion of Pri­vacy and Iden­tity Pro­tec­tion, stat­ing that it was con­duct­ing an in­quiry into the com­pany re­lated to a file from its com­puter net­work that was avail­able on a peer-to-peer net­work. The let­ter listed 18 ques­tions, with as many as eight sub­parts each, about Labmd’s over­all se­cu­rity and tech­nol­ogy setup and prac­tices, and re­quested doc­u­men­ta­tion of any ex­po­sure of per­sonal in­for­ma­tion.

The FTC has a dual man­date: to pro­tect con­sumers and to pro­mote com­pe­ti­tion. Its pro­tec­tive pow­ers are laid out in Sec­tion 5 of the Fed­eral Trade Com­mis­sion Act, which pro­hibits “un­fair or de­cep­tive acts or prac­tices in or af­fect­ing com­merce.” Since the agency’s found­ing in 1914, that has meant go­ing after com­pa­nies for false ad­ver­tis­ing, fi­nan­cial scams, and the like. In this cen­tury, the FTC also ap­plies Sec­tion 5 to in­for­ma­tion se­cu­rity, cast­ing care­less han­dling of con­sumers’ in­for­ma­tion as a form of un­fair and de­cep­tive busi­ness prac­tices. The FTC reached its first set­tle­ment in this area in 2000, with a group of on­line phar­ma­cies over their col­lec­tion and use of cus­tomer in­for­ma­tion. Since then, the com­mis­sion has brought more than 60 cases re­lated to data se­cu­rity. In all but one, the com­pa­nies in­volved have set­tled, sign­ing con­sent de­crees that in many cases re­quire 20 years of se­cu­rity au­dits by an out­side firm and some­times fines. The al­ter­na­tive is lit­i­ga­tion, which the FTC can ini­ti­ate in fed­eral court or in its own ad­min­is­tra­tive court sys­tem.

The one com­pany that didn’t set­tle with the FTC is LABMD. Daugh­erty hoped, at first, that if he were as co­op­er­a­tive as pos­si­ble, the FTC would go away. He now calls that phase “the stupid zone.” LABMD mailed some 5,000 pages of doc­u­ments to Wash­ing­ton. The FTC asked the com­pany to re­ship ev­ery­thing by Fedex. In a fol­low-up phone call and let­ter, the com­mis­sion dis­missed Labmd’s doc­u­men­ta­tion as “in­ad­e­quate.” The com­pany sent more, and Daugh­erty and his lawyer flew up to Wash­ing­ton for a face-to-face meet­ing with two FTC lawyers that July. The agency re­quested still more in­for­ma­tion. LABMD sent an­other bun­dle of ma­te­ri­als in Au­gust, this time try­ing to go be­yond what the FTC had asked by in­clud­ing doc­u­men­ta­tion go­ing back to 2001. From Daugh­erty’s per­spec­tive, the FTC lawyers didn’t seem to ab­sorb or un­der­stand the de­tails and doc­u­ments they kept ask­ing for; he be­gan to won­der if the FTC was in­ten­tion­ally try­ing to bury LABMD un­der so many de­mands. (The FTC didn’t re­spond to nu­mer­ous e-mails and calls about its in­ves­ti­ga­tion of LABMD.)

In early 2011 the FTC called again, re­quest­ing sworn tes­ti­mony in per­son in Wash­ing­ton from LABMD staff who per­formed se­cu­rity checks. At the urg­ing of the com­pany’s At­lanta lawyer, Daugh­erty hired a Wash­ing­ton team that had dealt with the com­mis­sion be­fore. The Wash­ing­ton lawyers took over com­mu­ni­ca­tions with the FTC, re­sub­mit­ting much of the same ma­te­rial, rang­ing from Labmd’s writ­ten poli­cies to train­ing man­u­als to doc­u­men­ta­tion of fire­walls and pen­e­tra­tion test­ing. Since the 2008 in­ci­dent, the com­pany had spent about $230,000 on sys­tem up­grades and other se­cu­rity mea­sures.

Daugh­erty kept try­ing to talk to his lawyers about Tiversa’s role. As far as he knew, the only party that had ever down­loaded Labmd’s data was Boback’s com­pany. That was the only ex­po­sure, through a vul­ner­a­bil­ity that LABMD had moved quickly to fix. Tiversa should be pun­ished for hack­ing Labmd’s net­work, he ar­gued. Daugh­erty’s lawyers told him none of this was rel­e­vant to the FTC case. “The as­sump­tion’s al­ways that you’re guilty, even from the lawyers,” Daugh­erty says. “The govern­ment’s com­ing after you—you must have done some­thing wrong.”

The path of least re­sis­tance was to set­tle, put the mat­ter be­hind him, and fo­cus on his busi­ness. A set­tle­ment usu­ally doesn’t re­quire an ad­mis­sion of wrong­do­ing, but the FTC pub­lishes con­sent de­crees on­line and trum­pets them in press re­leases. This is, in fact, as close as the agency gets to pub­lish­ing clear rules. The con­sent de­crees form a body of prece­dent, show­ing what prac­tices were con­sid­ered un­fair or de­cep­tive in a par­tic­u­lar in­stance. Daugh­erty be­lieved sign­ing a con­sent de­cree would give doc­tors the im­pres­sion that LABMD had been lax in pro­tect­ing pa­tient data and kill his busi­ness.

The untested route was to force the FTC to lit­i­gate the case. By this point, Daugh­erty viewed the com­mis­sion’s

“It was death by suf­fo­ca­tion or death by fir­ing squad. I chose fir­ing squad be­cause I wanted peo­ple to see it”

ac­tions as part of a sin­is­ter plan: The FTC steam­rolled com­pa­nies with bur­den­some, never-end­ing de­mands un­til the only log­i­cal choice was to set­tle, thereby adding to a body of prece­dent that gave it stand­ing to bully more com­pa­nies.

“To me it was death by suf­fo­ca­tion or death by fir­ing squad,” Daugh­erty says. “I chose fir­ing squad be­cause I wanted peo­ple to see it.”

His tac­tics shifted to mul­ish re­sis­tance. He hoped to bring some scru­tiny to the FTC’S be­hav­ior by fight­ing ev­ery inch. Just be­fore Christ­mas in 2011, the FTC is­sued a civil in­ves­tiga­tive de­mand, or CID (sim­i­lar to a sub­poena), to Daugh­erty. He tied it up with ap­peals and mo­tions, forc­ing the com­mis­sion to seek a court or­der in fed­eral court in Ge­or­gia. He fi­nally agreed to com­ply with the CID a year later. He also be­gan writ­ing a book about his ex­pe­ri­ence. Daugh­erty’s ar­gu­ments about Tiversa con­tin­ued to fall on deaf ears, ex­cept those of then-ftc Com­mis­sioner J. Thomas Rosch. In June 2012, Rosch urged his col­leagues not to use the ev­i­dence pro­vided by Tiversa: The com­pany “is a com­mer­cial en­tity that has a fi­nan­cial in­ter­est in in­ten­tion­ally ex­pos­ing and cap­tur­ing sen­si­tive files on com­puter net­works, and a busi­ness model of of­fer­ing its ser­vices to help or­ga­ni­za­tions pro­tect against sim­i­lar in­fil­tra­tions,” he wrote in his dis­sent. “While there ap­pears to be noth­ing per se un­law­ful about this ev­i­dence, the Com­mis­sion should avoid even the ap­pear­ance of bias or im­pro­pri­ety by not re­ly­ing on such ev­i­dence or in­for­ma­tion.” Rosch’s col­leagues didn’t heed his ad­vice, and his term ended a few months later.

Daugh­erty saw a long fight ahead, and he needed al­lies. He set out to mas­ter the ways of Wash­ing­ton and build a sup­port net­work. He de­scribes him­self as an “eco­nomic-driven, fis­cally re­spon­si­ble, Ger­ald Ford-type” Repub­li­can. His story, how­ever, res­onated deeply with con­ser­va­tives in Wash­ing­ton, con­firm­ing their worst fears and sus­pi­cions about govern­ment agen­cies. He be­gan work­ing with Cause of Ac­tion In­sti­tute, a con­ser­va­tive le­gal aid group with a mis­sion to curb govern­ment abuse and over­reach. The group has han­dled Labmd’s de­fense in the FTC case pro bono since 2013. Daugh­erty also worked to build con­tacts at the House Over­sight Com­mit­tee, chaired by Rep­re­sen­ta­tive Dar­rell Issa (R-calif.). Boback had ap­peared be­fore the com­mit­tee at least twice, in one in­stance tes­ti­fy­ing about Tiversa’s dis­cov­ery a few months ear­lier of a leak of doc­u­ments re­lated to Marine One, the pres­i­den­tial he­li­copter. The claim made head­lines na­tion­ally.

The FTC filed a for­mal com­plaint against LABMD in Au­gust 2013 in its ad­min­is­tra­tive court sys­tem, al­leg­ing not only that LABMD had al­lowed billing in­for­ma­tion for some 9,000 con­sumers to leak out of its com­puter net­work, but also that sen­si­tive in­for­ma­tion for at least 500 more had wound up in the hands of iden­tity thieves in Sacra­mento. The agency quickly ramped up the pres­sure on LABMD. The com­pany’s le­gal fees had mounted to a half-mil­lion dol­lars. In a three-hour pe­riod on Oct. 24, 2013, com­mis­sion lawyers sent no­tice of 20 de­po­si­tions to be taken in var­i­ous parts of the coun­try, ini­tially all sched­uled at the same time on the same day. They re­quested de­po­si­tions from Labmd’s em­ploy­ees, for­mer em­ploy­ees, clients, and tech­nol­ogy ser­vice providers, and the po­lice in 11 states. Labmd’s lawyers tried to get a pro­tec­tive or­der and stay the pro­ceed­ings, ar­gu­ing that th­ese tac­tics seemed de­signed to wreck Labmd’s busi­ness rather than dis­cover rel­e­vant in­for­ma­tion.

LABMD was, in fact, crum­bling un­der the strain. Rev­enue de­clined to $2.1 mil­lion in 2013, from $4.6 mil­lion in 2012, the year the fight with the FTC be­came pub­lic. Daugh­erty’s deputy quit that July. Labmd’s in­sur­ers de­clined to re­new the com­pany’s gen­eral li­a­bil­ity, med­i­cal mal­prac­tice, and prop­erty poli­cies. Labmd’s em­ploy­ees grew in­creas­ingly restive and an­gry at Daugh­erty for his re­fusal to set­tle with the FTC.

“The psy­cho­log­i­cal war­fare the FTC did on the com­pany, the morale, the di­ver­sion, the fear—those em­ploy­ees blamed me,” he says. “It’s like, ‘Why don’t you just set­tle with them? Why are you be­ing so stub­born?’ ” In Jan­uary 2014 he shut the com­pany down, jam­ming med­i­cal equip­ment into his garage, home of­fice, and ex­tra bed­room, where it re­mains to­day.

Then came the sec­ond life-chang­ing phone call. Daugh­erty had spent the early months of 2014 wait­ing for the FTC trial to start and re­cov­er­ing from both the loss of his com­pany and the death of his fa­ther. He bought an RV in fore­clo­sure and fan­ta­sized about cross­ing the coun­try with his dogs, pro­mot­ing his book, which he’d self-pub­lished un­der the ti­tle The Devil In­side the Belt­way.

In April he was eat­ing din­ner with friends at a Thai restau­rant in At­lanta when his cell phone rang. It was Richard Wal­lace, an an­a­lyst who’d just left Tiversa. Daugh­erty re­calls pac­ing the park­ing lot as Wal­lace, his voice shaky, con­fessed his role in Labmd’s de­struc­tion. Wal­lace told Daugh­erty he’d been the one to dis­cover the LABMD file while prob­ing the com­pany through the open Limewire con­nec­tion. Tiversa had never found any copies of the files out­side Labmd’s own com­puter net­work, he said. Wal­lace told Daugh­erty that when LABMD re­fused to en­gage Tiversa’s ser­vices, Boback re­tal­i­ated by adding LABMD to a list of sup­pos­edly com­pro­mised com­pa­nies and or­ga­ni­za­tions, which was sent to the FTC in late 2009. Boback also in­structed him to cre­ate a fake trail of Web ad­dresses where the LABMD file had sup­pos­edly been found, Wal­lace said, as ev­i­dence for the FTC’S case.

“It was cathar­tic,” says Daugh­erty. “I al­ways knew I was right. I just knew I could never prove it in a court of law. And so you write the book, and you put the ev­i­dence to­gether, and you’re try­ing to scream out to the world and then—it hap­pened! It was very brave of him. He was very afraid that I was go­ing to at­tack him.”

The trial opened in the FTC’S ad­min­is­tra­tive court sys­tem that May. The agency’s case was based al­most en­tirely on the ev­i­dence pro­vided by Tiversa and Boback. Labmd’s re­sponse hinged on hav­ing Wal­lace tell the court what he told Daugh­erty, which he wouldn’t do un­til he was granted crim­i­nal im­mu­nity. By now, in part be­cause of Daugh­erty’s ag­i­tat­ing, the House Over­sight Com­mit­tee was in­ves­ti­gat­ing Tiversa, and it wanted to hear from Wal­lace, too. The U.S. Depart­ment of Jus­tice granted the im­mu­nity in late 2014. Wal­lace tes­ti­fied in the FTC case in May 2015, re­peat­ing what he told Daugh­erty in their cell phone call. (Wal­lace’s lawyer didn’t re­spond to e-mail re­quests for com­ment.)

In the FTC ad­min­is­tra­tive court sys­tem, com­mis­sion lawyers act as prose­cu­tors be­fore an ad­min­is­tra­tive law judge. Wal­lace tes­ti­fied that Tiversa gave the FTC a list of more than 80 com­pa­nies in 2009 that had suf­fered sup­posed breaches. The main cri­te­rion for in­clu­sion was an or­der from Boback, he said, and the list was scrubbed of ex­ist­ing Tiversa clients. The FTC did lit­tle to ver­ify any of the in­for­ma­tion Tiversa pro­vided, ac­cord­ing to Wal­lace.

The House Over­sight Com­mit­tee staff re­port on Tiversa, em­bar­goed un­til after Wal­lace’s ap­pear­ance in the FTC trial, ex­panded on the pat­tern Wal­lace out­lined in his LABMD tes­ti­mony. The com­mit­tee’s in­ves­ti­ga­tion found that Tiversa had faked ev­i­dence of data leaks to pro­mote its ser­vices. As to Boback’s rep­u­ta­tion-mak­ing claim that Tiversa had found doc­u­ments re­lat­ing to the pres­i­dent’s he­li­copter at an In­ter­net ad­dress in Iran—that was also faked, on Boback’s or­ders. In an­other in­stance, the re­port said, Tiversa knew about a breach at the House Ethics Com­mit­tee that ex­posed in­for­ma­tion about in­ves­ti­ga­tions into mem­bers of Congress. In­stead of no­ti­fy­ing the

“Those em­ploy­ees blamed me. It's like, ‘why don't you just set­tle with them? Why are you be­ing so stub­born?' ”

com­mit­tee, Tiversa sought pub­lic­ity for its dis­cov­ery of the leak.

The re­port also de­scribed an on­go­ing re­la­tion­ship be­tween the FTC and Tiversa at odds with pub­lic claims by both. Tele­phone and e-mail records showed that con­tact be­gan in 2007, when Boback par­tic­i­pated in a con­fer­ence call with com­mis­sion of­fi­cials and be­gan pro­vid­ing doc­u­ments to the FTC and con­tin­ued with ex­ten­sive back-and-forth in 2008 and 2009.

Based on Tiversa’s list of com­pa­nies that had leaked in­for­ma­tion into peer-to-peer net­works, the FTC in early 2010 sent warn­ing let­ters to 63 com­pa­nies and opened in­ves­ti­ga­tions into nine, ac­cord­ing to FTC records pro­vided to the House Over­sight Com­mit­tee. Months be­fore the FTC con­tacted those com­pa­nies, Boback was al­ready plan­ning to pig­gy­back on the agency ac­tion. He e-mailed ex­ec­u­tives at Lifelock, an iden­tity theft pro­tec­tion com­pany and one of Tiversa’s big­gest part­ners, sug­gest­ing that the FTC let­ters would be a wind­fall for Lifelock.

The re­port con­cluded that the FTC had sac­ri­ficed “good govern­ment” in us­ing Tiversa to “ob­tain in­for­ma­tion val­i­dat­ing its reg­u­la­tory author­ity” and pro­vid­ing Tiversa with “ac­tion­able in­for­ma­tion that it ex­ploited for mon­e­tary gain.”

Issa says the FTC is fo­cused on the wrong tar­gets. “Snake oil is the chal­lenge we face,” he says. “We need to get the FTC to de­velop real ex­per­tise in find­ing out whether in this new and emerg­ing area there are de­cep­tive prac­tices go­ing on in terms of claims about what some­body can do to pro­tect your data.”

In Novem­ber the judge pre­sid­ing over the FTC case, D. Michael Chap­pell, ruled for LABMD. He threw out Boback’s tes­ti­mony and Tiversa’s ev­i­dence as un­re­li­able and un­trust­wor­thy. That left the FTC with lit­tle in the way of a case, he con­cluded. Chap­pell called the FTC’S as­ser­tions re­gard­ing LABMD and the ex­po­sure of its pa­tient data “pure, un­sup­ported spec­u­la­tion.” He also dis­missed the Sacra­mento doc­u­ments, say­ing that the FTC had failed to show any link be­tween those records and Lab­mds se­cu­rity prac­tices—or even that the doc­u­ments came from Labmd’s com­puter sys­tems.

Craig New­man, chair of the pri­vacy prac­tice at the law firm Pat­ter­son Belk­nap Webb & Tyler, was sur­prised. “Com­pa­nies sub­ject to an FTC en­force­ment ac­tion have gen­er­ally made well­con­sid­ered busi­ness judg­ments that set­tle­ment makes more sense than years of lit­i­ga­tion and dis­cov­ery—es­pe­cially with an in-house ad­min­is­tra­tive process where the play­ing field seems tilted in the govern­ment’s fa­vor,” he says. “Now com­pa­nies may toughen their stance when the FTC pays a visit.”

The judge’s scathing ver­dict on Tiversa also un­der­mines ex­ist­ing FTC set­tle­ments, in the­ory. At least one FTC set­tle­ment is clearly based on ev­i­dence from Tiversa: a 2012 agree­ment with a small auto dealer in Ge­or­gia.

Dan Ep­stein of Cause of Ac­tion pointed out in a Wall Street Jour­nal op-ed after the de­ci­sion that while LABMD had won the bat­tle, it had lost the war: It had al­ready been hounded out of busi­ness by reg­u­la­tors. Boback wrote a let­ter in re­sponse, pub­lished in De­cem­ber. He de­fended Tiversa as a good Sa­mar­i­tan that had alerted a com­pany to leak­ing in­for­ma­tion—for free. He de­nied any spe­cial re­la­tion­ship with the FTC, say­ing Tiversa was forced to re­spond, as LABMD was, to a govern­ment sub­poena. And he at­tacked Wal­lace’s tes­ti­mony to the FTC as “demon­stra­bly false.” For this story, nei­ther Boback nor his lawyer re­sponded to calls and e-mails ask­ing for com­ment.

Daugh­erty is still in the mid­dle of de­fend­ing and at­tack­ing in a head-spin­ning num­ber of le­gal ac­tions. He sued Tiversa in 2011 in Ge­or­gia state court for hack­ing into Labmd’s net­work. The case was dis­missed for lack of ju­ris­dic­tion be­cause Tiversa is based in Penn­syl­va­nia. So he sued in Penn­syl­va­nia for con­ver­sion (tak­ing prop­erty), defama­tion, fraud, civil con­spir­acy, and rack­e­teer­ing. That case is on­go­ing, and Daugh­erty is at­tempt­ing to re­open the case against Tiversa in Ge­or­gia, based on doc­u­ments pro­duced for the House Over­sight Com­mit­tee; they show that in 2008, Tiversa was ac­tively so­lic­it­ing busi­ness and mak­ing con­tact with six Ge­or­gia com­pa­nies, in­clud­ing Co­caCola. Daugh­erty is also su­ing three FTC lawyers for de­priv­ing him of his con­sti­tu­tional rights.

Tiversa and Boback sued Daugh­erty and LABMD for defama­tion, just days after the FTC filed its com­plaint against LABMD. Boback con­tin­ues to pur­sue that case, with Wal­lace now added. In March, Tiversa sub­mit­ted a mo­tion to re­move it­self as a plain­tiff.

There are in­di­ca­tions that the FBI and the Jus­tice Depart­ment are in­ves­ti­gat­ing. On March 1 an anony­mous Twit­ter user posted a photo look­ing down from an of­fice win­dow on a line of black ve­hi­cles and claimed that the FBI was raid­ing Tiversa’s of­fice in down­town Pitts­burgh. On March 17, Reuters re­ported on the raid, cit­ing three un­named sources, and said the Jus­tice Depart­ment is in­ves­ti­gat­ing whether Tiversa gave the govern­ment false in­for­ma­tion about data breaches. A Tiversa lawyer told Reuters the com­pany was co­op­er­at­ing. (The Jus­tice Depart­ment di­rected ques­tions to the FBI Wash­ing­ton field of­fice. A spokesman de­clined to com­ment on the re­ports.) Jen­nifer Kelly, who han­dles pub­lic re­la­tions for Tiversa, an­swered the com­pany’s main phone num­ber on March 15 and is­sued a blan­ket no com­ment. A call made to Tiversa in April re­sulted in a hang-up.

The FTC dou­bled down in the LABMD case, ap­peal­ing Chap­pell’s rul­ing to the full com­mis­sion. The ap­peal hear­ing took place on March 8 in a wood-pan­eled cham­ber in the FTC build­ing in Wash­ing­ton. With­out the ev­i­dence from Tiversa to rely on, the FTC ar­gued that the ex­po­sure of the LABMD file con­sti­tuted ev­i­dence that Labmd’s se­cu­rity prac­tices were un­fair; it didn’t mat­ter that there was no ev­i­dence of ac­tual harm, and it didn’t mat­ter that the file never spread be­yond Tiversa. When asked about Tiversa’s role, the FTC’S lawyer, Laura Van­druff, dis­missed it as a “tip” that the FTC had in­ves­ti­gated on its own. The FTC has 100 days from the date of the hear­ing to is­sue a rul­ing.

In Daugh­erty’s mind, he has to lose in or­der to win. He wants the FTC to over­turn Chap­pell’s rul­ing. Then, at last, he’ll be able to sue the com­mis­sion in fed­eral court. That will fi­nally give him a fair fo­rum in which to air the FTC’S be­hav­ior. “I am ba­si­cally open­ing the play­book to the world, which is what I ul­ti­mately want to do,” he says. “We’re go­ing to have a fair fight.” <BW>

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.