In 2010, the Federal Trade Commission approached an Atlanta-based medical testing company, LabMD, with accusations that it had wrongfully left its customer data insecure and vulnerable to hackers. LabMD's owner denied that the company was at fault and a giant legal battle ensued. To quote my post last year at Overlawyered:
...according to owner Michael Daugherty, allegations of data insecurity at LabMD emanated from a private firm that held a Homeland Security contract to roam the web sniffing out data privacy gaps at businesses, even as it simultaneously offered those same businesses high-priced services to plug the complained-of gaps.
Last week, finally, after five years, the case reached an administrative hearing at the FTC, which heard "bombshell" testimony given under immunity by former Tiversa employee Richard Wallace:
After LabMD CEO Michael Daugherty refused to buy Tiversa's services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD's data, Wallace claimed in his testimony.
CNN headlined its story "Whistleblower accuses cybersecurity company of extorting clients" -- that is, by threatening to turn them in to the feds if they spurned its vendor services.
To be sure, allegations are merely allegations, and we haven't heard Tiversa's side of the story, except for a statement from its CEO Bob Boback: "This is an overblown case of a terminated employee seeking revenge. Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities." The advisory board of the Pittsburgh-based security services company includes former four-star Army general and former Democratic presidential candidate Wesley Clark.
Two years ago, Daugherty wrote up his experience in a book, The Devil Inside the Beltway. Tiversa tried to stop its publication, saying it had been defamed. While the book got write-ups in various places -- by our friend Edward Hudgins at the Atlas Society, for example -- and while the story has drawn the interest of a House oversight committee and the group Cause of Action, the threatened litigation probably did chill some media coverage.
As for last week's surprise testimony, it's not clear the FTC was prepared for it:
FTC attorneys declined to cross-examine Wallace at the May 5 FTC administrative session, but they could still introduce a rebuttal witness later.
And per CNN:
If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence.
The FTC declined to comment, citing an ongoing lawsuit against LabMD, which still hasn't reached its conclusion.
I was a little surprised that the FTC declined to comment. Should they change their mind, I've dashed off a comment that they might consider giving:
Much of our enforcement process against businesses is driven by complaints filed with us by jealous competitors, spurned vendors, and other vengeful or disappointed parties--often of some sophistication--as opposed to the consumers and small businesses who are frequently depicted as the beneficiaries of our work. We take very seriously the danger that such complaints will be used as a weapon or will be false themselves in whole or part. In all our investigations, we intend to respect a presumption of innocence; at the same time, we will not rest until we have uncovered the truth about the serious allegations Mr. Wallace has raised.
As for Mr. Daugherty's business and its 40 employees, the news comes too late. Unable to sustain the business amid the legal battle, he stopped testing specimens and wound down LabMD last year.