FTC passes on presenting a rebuttal witness in FTC v. LabMD (Updated and Corrected)
The FTC will not be presenting any witness to rebut sensational testimony given by former Tiversa employee Richard (“Rick”) Wallace last week in the FTC’s data security enforcement case against LabMD.
Robert Boback, CEO of Tiversa, who was accused of essentially being a fraudster and/or extortionist by his former employee, had this to say when asked by DataBreaches.net what he thought about the FTC’s decision:
I believe that the FTC chose not to rebut Wallace because he paved the way for their victory. In their obvious effort to attack Tiversa, it appears that LabMD’s counsel made a poor strategic decision in offering a witness that was able to remove the only potentially difficult defense argument that the FTC had to overcome. That being, that Tiversa was the only company with our “highly specialized technology” that would have been able to access the 1718 file. Wallace testified that he was able to download it with a stand-alone desktop and LimeWire, which is the same software and setup that millions of people use. No need to discuss spread or anything else after a defense witness confirms that he downloaded it. Wallace actually became the witness FOR the prosecution.
We would’ve liked to rebut his baseless and unsubstantiated claims that were not even relevant to this case. We will do so with overwhelming evidence and witness testimony from federal law enforcement agents in our case against Daugherty, Cause of Action, and him in the PA state court action.
On May 6, the FTC filed their opposition to LabMD’s most recent motion to dismiss. Judge Chappell has yet to rule on the motion. The FTC’s arguments in support of its claim that it has presented a prima facie case continue to concern this blogger, as I doubt many entities in 2007 and 2008 would have met all the standards they seem to be retroactively claiming as “reasonable security.”
So what did the FTC really have when they started this? They had what is now alleged to be a fraudulent report about a file being found on computers outside of LabMD. If they had been told that the file was exposed but had never been downloaded by anyone other than Tiversa, would they have pursued this case? Surely LabMD wasn’t the only entity in this position, and the record demonstrates that LabMD made genuine efforts to address security and find appropriate software, etc. How many businesses and entities that are SMBs didn’t even do that? The FTC, in its opposition, cites a number of things LabMD “could have” done. But when did “could have” become “should have” or “was required to do to comply with Section 5?” (Update: post-publication, it was pointed out to me that the FTC filed their case against LabMD before they had any reports on “spread.” Therefore, the answer to my own question is “yes, they would have pursued it.” Whether they should have is another matter…)
This blogger has repeatedly urged the FTC to drop this damned case. It makes the FTC look bad, does nothing to foster greater consumer protection, and it hurt a productive business that the healthcare sector needed and valued.
At this point, I hope Judge Chappell dismisses the case and the FTC cooperates fully with any investigation by its own Inspector General and/or House Oversight into its own methods and the methods of Tiversa. If Rick Wallace told the truth, there’s a lot that both the FTC and Tiversa need to answer for.
Reed Rubinstein of Cause of Action, who is involved in LabMD’s representation in this case, had this to say today:
“The FTC confirmed today that it found no reason to challenge the testimony given last week. The only evidence in the record now is that LabMD was telling the truth from the beginning that they were hacked by a cyber thief, and that the FTC did nothing to verify the information it was given by Tiversa.”
“This also shows that the government has spent millions of dollars to destroy an innovative cancer detection lab that was the victim of fraud, but is doing nothing to go after the fraudster.”
Well, I don’t think you can claim someone “hacked” you when you put information out there on a file-sharing network and they then download it. How are they to know what’s in it until they grab it? I don’t even think you can claim they “exceeded authorized access” because putting it on file-sharing meant you’re giving access.
All that said, human error accounts for most breaches if you believe current surveys. The FTC would have better spent its resources working constructively with LabMD than with this heavy-handed approach.
Enough is enough, FTC. Even if you “win” this case, you’re losing respect and Congress may decide to rein you in.
Update and Correction: This post was updated and also modified to delete reference to “extortionist.” Wallace never stated that his employer engaged in extortion. He testified that his employer directed him to fabricate ‘spread,’ i.e., make it look like a potential breach was worse than it actually was by creating phoney records showing where the file supposedly was found when it hadn’t been found there at all. My apologies for any confusion.