The Federal Trade Commission’s data security trial against LabMD Inc. took an unexpected turn after lawyers revealed that the House Oversight Committee is investigating a key player, prompting the administrative law judge to put the proceedings on hold until June 12.
On Friday, lawyers disclosed in court that the congressional committee is looking into cybersecurity company Tiversa Holding Corp. A former Tiversa employee scheduled to testify before the FTC planned to plead the Fifth Amendment unless granted immunity, his lawyer told chief administrative law judge D. Michael Chappell. Tiversa’s chief executive officer said he needed time to learn more about the investigation before testifying, according to his lawyer. LabMD did not object.
The case against LabMD raises important questions about the Federal Trade Commission’s ability to go after companies for data security breaches—and Tiversa has played a crucial role.
The agency sued LabMD, a privately held company that performs blood, urine and tissue tests for doctors, in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act.
The FTC’s smoking gun: a file with information about 9,300 consumers, including names, birth dates, Social Security numbers and medical tests results for conditions such as cancer. According to the FTC complaint, a LabMD employee installed a peer-to-peer file sharing application on her work computer and inadvertently shared the file.
The file was found by Tiversa—but LabMD lawyers say just how that happened is unclear. Tiversa “has patented technology which allows it to search peer-to-peer networks in an unprecedented breadth and volume,” William Sherman II, a partner at Dinsmore & Shohl retained by nonprofit watchdog Cause of Action to represent LabMD, said during opening statements on May 20.
Sherman said LabMD employees couldn’t find the file on the peer-to-peer network even when searching using its precise name. “The evidence will show that the only entity able to find this file has patented technology,” Sherman said.
The FTC also alleges that in 2012 the Sacramento police department found LabMD documents in the possession of identity thieves, but it’s unclear how the identity thieves got the data. FTC lawyer Alain Sheer said the agency “will not be putting up identity theft victims, but that does not mean actual harm didn’t occur.”
For the FTC, the legal linchpin of the case is Section 5 of the FTC Act, which gives the agency the authority to go after companies for acts or practices that cause or are likely to cause substantial injury to consumers. But if no one but Tiversa could find the file, it would be difficult for the FTC to prove that LabMD’s data breach was likely to cause substantial injury to consumers.
According to LabMD and Cause of Action, the Oversight Committee is interested in Tiversa’s dealings with federal agencies. Sherman said the FTC might “reevaluate its case in light of evidence which may come out in the next few days so that they can make a determination as to whether or not they wish to continue to proceed with this complaint,” according to a transcript of the May 27 proceedings.
The committee is seeking testimony from a former Tiversa employee, Richard Wallace, who is represented by Quinn Emanuel Urquhart & Sullivan partner William Burck, who did not respond to a request for comment.
Burck told Chappell that “Mr. Wallace will not testify today. He will take the Fifth if he is required to appear. … My plan would be to allow him to testify if the immunity he’s granted [before the committee] would cover the testimony he’d provide here as well,” according to a transcript.
In an email, Tiversa CEO Robert Boback wrote that Wallace was fired by Tiversa. “It is no surprise that Mr. Wallace would consider ‘pleading the Fifth’ as we have recently become aware of activities that he was engaged in outside the scope and course of his employment at Tiversa,” he wrote.
Boback, who is represented by Reed Smith partner Jarrod Shaw, continued, “Tiversa has never had any contract or relationship with the FTC. The FTC reached out to Tiversa in August 2009 to presumably understand and investigate the loss of consumer’s data via file-sharing networks, after Tiversa had provided expert testimony before House Oversight in July 2009. Tiversa refused to allow them to take any information from us without a formal proceeding. The FTC then served a Civil Investigative Demand (CID), which legally required Tiversa to provide data on all companies that exposed large numbers of Social Security numbers. Reluctantly, and in compliance with the CID, Tiversa provided the information. No name of any specific company, including LabMD, was ever discussed between the FTC and Tiversa during that process.”
In September, Tiversa and Boback sued LabMD and its CEO Michael Daugherty for defamation, claiming that Daugherty’s book about the case, “The Devil Inside the Beltway,” is slanderous. The case is pending in U.S. District Court for the Western District of Pennsylvania.
Contact Jenna Greene at email@example.com or on Twitter @jgreenejenna.