26 Apr BusinessWeek reports on the FTC destruction of LabMD
Reblogged from Bloomberg Businessweek
A Leak Wounded This Company. Fighting the Feds Finished It Off
Michael Daugherty learns the high price of resistance.
The first phone call that changed Michael Daugherty’s life came in May 2008. Daugherty was a happy man, running a good business in a nice place. That’s how he talks about it, like the opening five minutes of a movie, setting up how great everything is before disaster strikes. His Atlanta-based company, LabMD, tested blood, urine, and tissue samples for urologists, and had about 30 employees and $4 million in annual sales.
Daugherty is a middle-aged guy distinguished by small, kind brown eyes and a big, meaty laugh—a business everyman of a certain vintage, with a salesman’s mix of friendly and aggressive. He’s from Detroit, and you can occasionally hear it in his vowels. Kevin Spacey could play him in the movie.
Here’s where the story turns dark. That Tuesday, LabMD’s general manager came in to tell Daugherty about a call he’d just fielded from a man named Robert Boback. Boback claimed to have gotten hold of a file full of LabMD patient information. This was scary for a medical business that had to comply with federal rules on privacy, enshrined in the Health Insurance Portability and Accountability Act. I need proof, Daugherty told his deputy. Get it in writing.
Boback e-mailed the document. It was a LabMD billing report containing data, including Social Security numbers, on more than 9,000 patients. Boback quickly got to the sales pitch: His company, Tiversa, offered an investigative service that could identify the source and severity of the breach that had exposed this data and stop any further spread of sensitive information.
LabMD’s four-person IT team found the problem almost immediately: The manager of the billing department had been using LimeWire file-sharing software to download music. Without knowing it, she’d left her documents folder, which contained the insurance report now in Tiversa’s possession, open for sharing with other users of the peer-to-peer network. The billing manager’s computer was the only machine at LabMD with LimeWire—having it was a violation of company policy—and the tech staff removed it.
They also began scouring peer-to-peer networks and the Internet for signs of the file on the loose, in case someone outside Tiversa had downloaded it and shared it with others. They looked for months and never found it.
Boback kept e-mailing during this period, urging swift action and claiming that Tiversa was seeing searches and downloads of the file. When LabMD asked for specifics, Boback said he could provide those only after LabMD signed a service agreement. The sample agreement he sent listed a rate of $475 an hour, and Boback said the fix for a problem of this nature typically took two weeks. (Two 40-hour weeks at that rate would total $38,000.) His e-mails mentioned negative press related to the leak of 1,000 Social Security numbers by Walter Reed Army Medical Center, and he offered to send over a breakdown of data breach notification laws in 43 states.
Boback had an unusual background for a cyber entrepreneur. Before starting Tiversa, he’d been a chiropractor and dabbled in real estate around Pittsburgh, where he’d grown up. He founded the company in his hometown in early 2004 with Sam Hopkins, one of his chiropractic clients, who became the chief technology officer.
Boback proved an adept salesman. By 2007, Tiversa had collected a group of high-powered advisers, most notably Wesley Clark, the retired four-star general. Boback testified that July before the House Committee on Oversight and Government Reform, introduced by the chairman as “a leading authority in the consequences of inadvertent information sharing.” (Clark said through a spokesperson that he hasn’t been involved with Tiversa for several years.)
Tiversa monitored peer-to-peer networks for its clients, using a proprietary platform that gave it a broad view of what users of such networks were searching for and sharing. By the time Boback called LabMD, Tiversa’s home page boasted that its technology could monitor 450 million users doing 1.5 billion searches a day. The company overview listed Tiversa’s core values, including, “We are open, honest, and direct in all of our interactions. We always strive to ‘do the right thing’ for our customers and employees.”
Daugherty read Boback’s e-mails as polite extortion notes. Boback stopped sending them only after Daugherty’s deputy told him in late July to direct all communications to LabMD’s lawyers. That fall, a LabMD lawyer got a call from a Tiversa lawyer with what sounded to Daugherty like a threat: Tiversa was worried about being sued for not reporting the LabMD file to the Federal Trade Commission.
The commission came knocking in January 2010. LabMD received an 11-page letter from the FTC Division of Privacy and Identity Protection, stating that it was conducting an inquiry into the company related to a file from its computer network that was available on a peer-to-peer network. The letter listed 18 questions, with as many as eight subparts each, about LabMD’s overall security and technology setup and practices, and requested documentation of any exposure of personal information.
The FTC has a dual mandate: to protect consumers and to promote competition. Its protective powers are laid out in Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Since the agency’s founding in 1914, that has meant going after companies for false advertising, financial scams, and the like. In this century, the FTC also applies Section 5 to information security, casting careless handling of consumers’ information as a form of unfair and deceptive business practices. The FTC reached its first settlement in this area in 2000, with a group of online pharmacies over their collection and use of customer information. Since then, the commission has brought more than 60 cases related to data security. In all but one, the companies involved have settled, signing consent decrees that in many cases require 20 years of security audits by an outside firm and sometimes fines. The alternative is litigation, which the FTC can initiate in federal court or in its own administrative court system.
The one company that didn’t settle with the FTC is LabMD. Daugherty hoped, at first, that if he were as cooperative as possible, the FTC would go away. He now calls that phase “the stupid zone.” LabMD mailed some 5,000 pages of documents to Washington. The FTC asked the company to reship everything by FedEx. In a follow-up phone call and letter, the commission dismissed LabMD’s documentation as “inadequate.” The company sent more, and Daugherty and his lawyer flew up to Washington for a face-to-face meeting with two FTC lawyers that July. The agency requested still more information. LabMD sent another bundle of materials in August, this time trying to go beyond what the FTC had asked by including documentation going back to 2001. From Daugherty’s perspective, the FTC lawyers didn’t seem to absorb or understand the details and documents they kept asking for; he began to wonder if the FTC was intentionally trying to bury LabMD under so many demands. (The FTC didn’t respond to numerous e-mails and calls about its investigation of LabMD.)
In early 2011 the FTC called again, requesting sworn testimony in person in Washington from LabMD staff who performed security checks. At the urging of the company’s Atlanta lawyer, Daugherty hired a Washington team that had dealt with the commission before. The Washington lawyers took over communications with the FTC, resubmitting much of the same material, ranging from LabMD’s written policies to training manuals to documentation of firewalls and penetration testing. Since the 2008 incident, the company had spent about $230,000 on system upgrades and other security measures.
Daugherty kept trying to talk to his lawyers about Tiversa’s role. As far as he knew, the only party that had ever downloaded LabMD’s data was Boback’s company. That was the only exposure, through a vulnerability that LabMD had moved quickly to fix. Tiversa should be punished for hacking LabMD’s network, he argued. Daugherty’s lawyers told him none of this was relevant to the FTC case. “The assumption’s always that you’re guilty, even from the lawyers,” Daugherty says. “The government’s coming after you—you must have done something wrong.”
The path of least resistance was to settle, put the matter behind him, and focus on his business. A settlement usually doesn’t require an admission of wrongdoing, but the FTC publishes consent decrees online and trumpets them in press releases. This is, in fact, as close as the agency gets to publishing clear rules. The consent decrees form a body of precedent, showing what practices were considered unfair or deceptive in a particular instance. Daugherty believed signing a consent decree would give doctors the impression that LabMD had been lax in protecting patient data and kill his business.
The untested route was to force the FTC to litigate the case. By this point, Daugherty viewed the commission’s actions as part of a sinister plan: The FTC steamrolled companies with burdensome, never-ending demands until the only logical choice was to settle, thereby adding to a body of precedent that gave it standing to bully more companies.
“To me it was death by suffocation or death by firing squad,” Daugherty says. “I chose firing squad because I wanted people to see it.”
His tactics shifted to mulish resistance. He hoped to bring some scrutiny to the FTC’s behavior by fighting every inch. Just before Christmas in 2011, the FTC issued a civil investigative demand, or CID (similar to a subpoena), to Daugherty. He tied it up with appeals and motions, forcing the commission to seek a court order in federal court in Georgia. He finally agreed to comply with the CID a year later. He also began writing a book about his experience. Daugherty’s arguments about Tiversa continued to fall on deaf ears, except those of then-FTC Commissioner J. Thomas Rosch. In June 2012, Rosch urged his colleagues not to use the evidence provided by Tiversa: The company “is a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations,” he wrote in his dissent. “While there appears to be nothing per se unlawful about this evidence, the Commission should avoid even the appearance of bias or impropriety by not relying on such evidence or information.” Rosch’s colleagues didn’t heed his advice, and his term ended a few months later.
Daugherty saw a long fight ahead, and he needed allies. He set out to master the ways of Washington and build a support network. He describes himself as an “economic-driven, fiscally responsible, Gerald Ford-type” Republican. His story, however, resonated deeply with conservatives in Washington, confirming their worst fears and suspicions about government agencies. He began working with Cause of Action Institute, a conservative legal aid group with a mission to curb government abuse and overreach. The group has handled LabMD’s defense in the FTC case pro bono since 2013. Daugherty also worked to build contacts at the House Oversight Committee, chaired by Representative Darrell Issa (R-Calif.). Boback had appeared before the committee at least twice, in one instance testifying about Tiversa’s discovery a few months earlier of a leak of documents related to Marine One, the presidential helicopter. The claim made headlines nationally.
The FTC filed a formal complaint against LabMD in August 2013 in its administrative court system, alleging not only that LabMD had allowed billing information for some 9,000 consumers to leak out of its computer network, but also that sensitive information for at least 500 more had wound up in the hands of identity thieves in Sacramento. The agency quickly ramped up the pressure on LabMD. The company’s legal fees had mounted to a half-million dollars. In a three-hour period on Oct. 24, 2013, commission lawyers sent notice of 20 depositions to be taken in various parts of the country, initially all scheduled at the same time on the same day. They requested depositions from LabMD’s employees, former employees, clients, and technology service providers, and the police in 11 states. LabMD’s lawyers tried to get a protective order and stay the proceedings, arguing that these tactics seemed designed to wreck LabMD’s business rather than discover relevant information.
LabMD was, in fact, crumbling under the strain. Revenue declined to $2.1 million in 2013, from $4.6 million in 2012, the year the fight with the FTC became public. Daugherty’s deputy quit that July. LabMD’s insurers declined to renew the company’s general liability, medical malpractice, and property policies. LabMD’s employees grew increasingly restive and angry at Daugherty for his refusal to settle with the FTC.
“The psychological warfare the FTC did on the company, the morale, the diversion, the fear—those employees blamed me,” he says. “It’s like, ‘Why don’t you just settle with them? Why are you being so stubborn?’ ” In January 2014 he shut the company down, jamming medical equipment into his garage, home office, and extra bedroom, where it remains today.
Then came the second life-changing phone call. Daugherty had spent the early months of 2014 waiting for the FTC trial to start and recovering from both the loss of his company and the death of his father. He bought an RV in foreclosure and fantasized about crossing the country with his dogs, promoting his book, which he’d self-published under the title The Devil Inside the Beltway.
In April he was eating dinner with friends at a Thai restaurant in Atlanta when his cell phone rang. It was Richard Wallace, an analyst who’d just left Tiversa. Daugherty recalls pacing the parking lot as Wallace, his voice shaky, confessed his role in LabMD’s destruction. Wallace told Daugherty he’d been the one to discover the LabMD file while probing the company through the open LimeWire connection. Tiversa had never found any copies of the files outside LabMD’s own computer network, he said. Wallace told Daugherty that when LabMD refused to engage Tiversa’s services, Boback retaliated by adding LabMD to a list of supposedly compromised companies and organizations, which was sent to the FTC in late 2009. Boback also instructed him to create a fake trail of Web addresses where the LabMD file had supposedly been found, Wallace said, as evidence for the FTC’s case.
“It was cathartic,” says Daugherty. “I always knew I was right. I just knew I could never prove it in a court of law. And so you write the book, and you put the evidence together, and you’re trying to scream out to the world and then—it happened! It was very brave of him. He was very afraid that I was going to attack him.”
The trial opened in the FTC’s administrative court system that May. The agency’s case was based almost entirely on the evidence provided by Tiversa and Boback. LabMD’s response hinged on having Wallace tell the court what he told Daugherty, which he wouldn’t do until he was granted criminal immunity. By now, in part because of Daugherty’s agitating, the House Oversight Committee was investigating Tiversa, and it wanted to hear from Wallace, too. The U.S. Department of Justice granted the immunity in late 2014. Wallace testified in the FTC case in May 2015, repeating what he told Daugherty in their cell phone call. (Wallace’s lawyer didn’t respond to e-mail requests for comment.)
In the FTC administrative court system, commission lawyers act as prosecutors before an administrative law judge. Wallace testified that Tiversa gave the FTC a list of more than 80 companies in 2009 that had suffered supposed breaches. The main criterion for inclusion was an order from Boback, he said, and the list was scrubbed of existing Tiversa clients. The FTC did little to verify any of the information Tiversa provided, according to Wallace.
The House Oversight Committee staff report on Tiversa, embargoed until after Wallace’s appearance in the FTC trial, expanded on the pattern Wallace outlined in his LabMD testimony. The committee’s investigation found that Tiversa had faked evidence of data leaks to promote its services. As to Boback’s reputation-making claim that Tiversa had found documents relating to the president’s helicopter at an Internet address in Iran—that was also faked, on Boback’s orders. In another instance, the report said, Tiversa knew about a breach at the House Ethics Committee that exposed information about investigations into members of Congress. Instead of notifying the committee, Tiversa sought publicity for its discovery of the leak.
The report also described an ongoing relationship between the FTC and Tiversa at odds with public claims by both. Telephone and e-mail records showed that contact began in 2007, when Boback participated in a conference call with commission officials and began providing documents to the FTC, and continued with extensive back-and-forth in 2008 and 2009.
Based on Tiversa’s list of companies that had leaked information into peer-to-peer networks, the FTC in early 2010 sent warning letters to 63 companies and opened investigations into nine, according to FTC records provided to the House Oversight Committee. Months before the FTC contacted those companies, Boback was already planning to piggyback on the agency action. He e-mailed executives at LifeLock, an identity theft protection company and one of Tiversa’s biggest partners, suggesting that the FTC letters would be a windfall for LifeLock.
The report concluded that the FTC had sacrificed “good government” in using Tiversa to “obtain information validating its regulatory authority” and providing Tiversa with “actionable information that it exploited for monetary gain.”
Issa says the FTC is focused on the wrong targets. “Snake oil is the challenge we face,” he says. “We need to get the FTC to develop real expertise in finding out whether in this new and emerging area there are deceptive practices going on in terms of claims about what somebody can do to protect your data.”
In November the judge presiding over the FTC case, D. Michael Chappell, ruled for LabMD. He threw out Boback’s testimony and Tiversa’s evidence as unreliable and untrustworthy. That left the FTC with little in the way of a case, he concluded. Chappell called the FTC’s assertions regarding LabMD and the exposure of its patient data “pure, unsupported speculation.” He also dismissed the Sacramento documents, saying that the FTC had failed to show any link between those records and LabMD’s security practices—or even that the documents came from LabMD’s computer systems.
Craig Newman, chair of the privacy practice at the law firm Patterson Belknap Webb & Tyler, was surprised. “Companies subject to an FTC enforcement action have generally made well-considered business judgments that settlement makes more sense than years of litigation and discovery—especially with an in-house administrative process where the playing field seems tilted in the government’s favor,” he says. “Now companies may toughen their stance when the FTC pays a visit.”
The judge’s scathing verdict on Tiversa also undermines existing FTC settlements, in theory. At least one FTC settlement is clearly based on evidence from Tiversa: a 2012 agreement with a small auto dealer in Georgia.
Dan Epstein of Cause of Action pointed out in a Wall Street Journal op-ed after the decision that while LabMD had won the battle, it had lost the war: It had already been hounded out of business by regulators. Boback wrote a letter in response, published in December. He defended Tiversa as a good Samaritan that had alerted a company to leaking information—for free. He denied any special relationship with the FTC, saying Tiversa was forced to respond, as LabMD was, to a government subpoena. And he attacked Wallace’s testimony to the FTC as “demonstrably false.” For this story, neither Boback nor his lawyer responded to calls and e-mails asking for comment.
Daugherty is still in the middle of defending and attacking in a head-spinning number of legal actions. He sued Tiversa in 2011 in Georgia state court for hacking into LabMD’s network. The case was dismissed for lack of jurisdiction because Tiversa is based in Pennsylvania. So he sued in Pennsylvania for conversion (taking property), defamation, fraud, civil conspiracy, and racketeering. That case is ongoing, and Daugherty is attempting to reopen the case against Tiversa in Georgia, based on documents produced for the House Oversight Committee; they show that in 2008, Tiversa was actively soliciting business and making contact with six Georgia companies, including Coca-Cola. Daugherty is also suing three FTC lawyers for depriving him of his constitutional rights.
Tiversa and Boback sued Daugherty and LabMD for defamation, just days after the FTC filed its complaint against LabMD. Boback continues to pursue that case, with Wallace now added. In March, Tiversa submitted a motion to remove itself as a plaintiff.
There are indications that the FBI and the Justice Department are investigating. On March 1 an anonymous Twitter user posted a photo looking down from an office window on a line of black vehicles and claimed that the FBI was raiding Tiversa’s office in downtown Pittsburgh. On March 17, Reuters reported on the raid, citing three unnamed sources, and said the Justice Department is investigating whether Tiversa gave the government false information about data breaches. A Tiversa lawyer told Reuters the company was cooperating. (The Justice Department directed questions to the FBI Washington field office. A spokesman declined to comment on the reports.) Jennifer Kelly, who handles public relations for Tiversa, answered the company’s main phone number on March 15 and issued a blanket no comment. A call made to Tiversa in April resulted in a hang-up.
The FTC doubled down in the LabMD case, appealing Chappell’s ruling to the full commission. The appeal hearing took place on March 8 in a wood-paneled chamber in the FTC building in Washington. Without the evidence from Tiversa to rely on, the FTC argued that the exposure of the LabMD file constituted evidence that LabMD’s security practices were unfair; it didn’t matter that there was no evidence of actual harm, and it didn’t matter that the file never spread beyond Tiversa. When asked about Tiversa’s role, the FTC’s lawyer, Laura VanDruff, dismissed it as a “tip” that the FTC had investigated on its own. The FTC has 100 days from the date of the hearing to issue a ruling.
In Daugherty’s mind, he has to lose in order to win. He wants the FTC to overturn Chappell’s ruling. Then, at last, he’ll be able to sue the commission in federal court. That will finally give him a fair forum in which to air the FTC’s behavior. “I am basically opening the playbook to the world, which is what I ultimately want to do,” he says. “We’re going to have a fair fight.”