14 Jul More from the Oversight Committee….
Ms. Kelly Tshibaka Acting Inspector General
Federal Trade Commission Room CC-5206
600 Pennsylvania Avenue, NW Washington, D.C. 20580
Dear Ms. Tshibaka:
The Committee on Oversight and Government Reform is investigating the activities of Tiversa, Inc., a company that provided information to the Federal Trade Commission in an enforcement action against LabMD, Inc.1 In 2008, Tiversa allegedly discovered a document containing the personal information of thousands of patients on a peer-to-peer network.2 Tiversa contacted LabMD in May 2008, explaining that it believed it had identified a data breach at the company and offering “remediation” services through a professional services agreement.3 LabMD did not accept Tiversa’s offer because LabMD believed it had contained and resolved the data breach. Tiversa, through an entity known as the Privacy Institute, later provided the FTC with a document it created that included information about LabMD, among other companies.4 Apparently, Tiversa provided information to the FTC about companies that refused to buy its services. In the case of LabMD, after Tiversa provided questionable information to the FTC, the Commission sought an enforcement action against the company under its Section 5 authority related to deceptive and unfair trade practices.5
In addition to concerns about the merits of the enforcement action with respect to the FTC’s jurisdiction, the Committee has substantial concerns about the reliability of the information Tiversa provided to the FTC, the manner in which Tiversa provided the information, and the relationship between the FTC and Tiversa. For instance, according to testimony by Tiversa CEO Robert Boback, the Committee has learned of allegations that Tiversa created the Privacy Institute in conjunction with the FTC specifically so that Tiversa could provide information regarding data breaches to the FTC in response to a civil investigative demand. The Committee has also learned that Tiversa, or the Privacy Institute, may have manipulated information to advance the FTC’s investigation. If these allegations are true, such coordination between Tiversa and the FTC would call into account the LabMD enforcement action, and other FTC regulatory matters that relied on Tiversa supplied information.
1 See Complaint, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Aug. 29, 2013), available at http://www.ftc.gov/sites/default/files/documents/cases/2013/08/130829labmdpart3.pdf.
2 Respondent LabMD, Inc.’s Answer and Defenses to Administrative Complaint, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Sept. 17, 2013), at 5.
3 Respondent LabMD, Inc.’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings, In re LabMD, Inc., No. 9357 (Fed. Trade Comm’n, Nov. 12, 2013), at 5.
4 H. Comm. on Oversight & Gov’t Reform, Transcribed Interview of Robert Boback, Chief Executive Officer, Tiversa, Inc., Transcript at 42 (June 5, 2014) [hereinafter Boback Tr.].
5 See generally 15 U.S.C. § 45.
Further, the Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities. The Committee’s investigation is ongoing, and competing claims exist about the culpability of those responsible for the dissemination of false information. It is now clear, however, that Tiversa provided incomplete and inaccurate information to the FTC. In a transcribed interview with Oversight and Government Reform Committee staff, Mr. Boback testified that he received “incomplete information with regard to my testimony of FTC and LabMD.”6 He stated that he now knows “[t]he original source of the disclosure was incomplete.”7 Mr. Boback testified:
Q How did you determine that it was incomplete or that there was a problem with the spread analysis?
A I had . . . [Tiversa Employee A] perform[] an analysis, again, remember, data store versus the peer to peer. So the information in the data store, he performed another analysis to say, what was the original source of the file from LabMD and what was the disclosure, a full analysis of it which then provided to me, which expanded upon what [Tiversa Employee B] had told me when I asked [Tiversa Employee B] prior to my testimony. And the only reason why I asked [Tiversa Employee B] in the first place was because [Tiversa Employee B] was the analyst on it at the time when it was found, so I asked the analyst who was most familiar with this. I didn’t know [Tiversa Employee B] was going to provide me with less than accurate information.8
* * *
Q So at the time that you were first made aware of the 1718 document in April, May of 2008, Tiversa employees had not conducted the spread analysis?
A No.
Q And you did not know the original source of the 1718 document?
A I did not. No.
* * *
Q Did there come a point at which a Tiversa employee determined who the original source of the 1718 document was?
A Well, that’s – yes. A Tiversa employee told me who the original source was . . . just before I testified . . . in the deposition [in the FTC LabMD case] in November of last year. And, subsequently, we have done a new search and found that the origin was different than what was provided to me . . . in November.9
6 Boback Tr. at 129.
7 Id.
8 Id. at 129-130.
The possibility that inaccurate information played a role in the FTC’s decision to initiate enforcement actions against LabMD is a serious matter. The FTC’s enforcement actions have resulted in serious financial difficulties for the company.10 Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities, including the FTC, may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches. The Committee seeks to understand the motivations underlying the relationship between Tiversa and the FTC.
The Committee is currently considering next steps, including the possibility of holding hearings, agreeing to take certain testimony in executive session, and, based on information provided, to immunize certain future testimony pursuant to 18 U.S.C. § 6005. Concurrent with the Committee’s investigative efforts, I request that you undertake a full review of the FTC’s relationship with Tiversa.
Specifically, I ask that your office examine the following issues:
1. FTC procedures for receiving information that it uses to bring enforcement actions pursuant to its authority under Section 5, and whether FTC employees have improperly influenced how the agency receives information.
2. The role played by FTC employees, including, but not limited to, Alain Sheer and Ruth Yodaiken, in the Commission’s receipt of information from Tiversa, Inc. through the Privacy Institute or any other entity, and whether the Privacy Institute or Tiversa received any benefit for this arrangement.
3. The reasons for the FTC’s issuance of a civil investigative demand to the Privacy Institute instead of Tiversa, the custodian of the information.
9 Id. at 162-163.
10 Rachel Louise Ensign, FTC Cyber Case Has Nearly Put Us Out of Business, Firm Says, WALL ST. J., Jan. 28, 2014, http://blogs.wsj.com/riskandcompliance/2014/01/28/ftc-cyber-case-has-nearly-put-us-out-of-business-firm-says/.
The Committee on Oversight and Government Reform is the principal oversight committee of the House of Representatives and may at “any time” investigate “any matter” as set forth in House Rule X.
If you have any questions about this request, please contact Tyler Grimm or Jennifer Barbian of the Committee staff at (202) 225-5074. Thank you for your prompt attention to this matter.
Chairman
cc: The Honorable Elijah E. Cummings, Ranking Minority Member