CORRECTION: In the original post, below, the CEO of Tiversa informed PHIprivacy.net that they never turned over the full 1718 File until October 2013, when it was subpoenaed by the FTC. The FTC’s own documents indicate that they obtained the 1718 File from the Privacy Institute in response to the CID, which means that they did get it from Tiversa (via the Privacy Institute created by their lawyers, it seems) some time in 2009.
The House Oversight committee has asked Acting Inspector General Kelly Tschibaka of the Federal Trade Commission to investigate the FTC’s procedures for receiving information it uses in its data security enforcement investigations, the FTC’s relationship with Tiversa, and the conduct of FTC employees involved in the Commission’s investigation of LabMD.
The June 17th letter, signed by Chairman Darrell Issa, reiterates previously stated concerns that Tiversa provided inaccurate information that formed the basis for the FTC’s investigation of LabMD, but also begins to focus on the FTC’s dealings with Tiversa:
Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities – including the FTC – may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches. The Committee seeks to understand the motivations underlying the relationship between Tiversa and the FTC.
In his testimony as part of the FTC’s administrative hearing against LabMD, Robert Boback, CEO of Tiversa, had stated that because Tiversa was in the middle of a business acquisition at the time, they did not want to be served with a CID, and the Privacy Institute was created as a vehicle to provide the FTC with the information. In a statement to PHIprivacy.net, Boback reiterated that as their sole reason:
Tiversa gave a spreadsheet that it created to the Privacy Institute (which our attorneys created) because our attorneys did not want any CID sent to Tiversa directly….or even indirectly, but it was inevitable that the FTC was issuing a CID to Tiversa if our attorney couldn’t get them to issue it the Privacy Institute instead. Tiversa was in talks with a public company to be acquired in 2009 and the last thing that we wanted to do is get a CID that we would need to deal with. A CID is a time-consuming pain to deal with. No one ever wants one. Tiversa was going to get one because we testified before House Oversight in July 2009 trying to educate Congress about the breach problem. When the FTC started contacting us after the hearing (and wanted to visit Tiversa) we thought it was just so that they could further understand the problem. We had no idea that it would result in our small company having to then deal with a CID.
The spreadsheet was the only thing given. Initially they wanted the actual files but the files were so large that they just ended up with spreadsheet.
The spreadsheet, Boback informs PHIprivacy.net, included entities who had exposed Social Security numbers via P2P programs:
We reluctantly responded to the FTC CID with 84 companies on a spreadsheet that had been found to breach large amounts of SSNs on file sharing networks pursuant to the CID. No company name was ever mentioned in the CID from the FTC.
We did not want to be any part of this from the beginning. We still don’t want to be a part of it.
Boback informs PHIprivacy.net that Tiversa did not actually turn over the 1718 File itself until the FTC subpoenaed it in October, 2013 – after it had already investigated LabMD and filed its complaint. (SEE CORRECTION)
In its letter and press release suggesting “corporate blackmail” was involved, the committee suggests that Tiversa may have selectively included companies in the spreadsheet:
“Apparently, Tiversa provided information to the FTC about companies that refused to buy its services.”
Asked about the Committee’s statement and whether companies that may have retained Tiversa were not included in the spreadsheet, while those that did not hire Tiversa (such as LabMD) were included, Boback noted that the Committee had not asked him any questions about the inclusion of companies on the spreadsheet or exclusion of companies, and that:
We responded exactly what the FTC through the CID required of us without holding back any files. Any assertion otherwise is just ridiculous.
Parenthetically, it appears that LabMD was not at the top of the spreadsheet Tiversa provided the FTC. Boback notes:
LabMD was NOT the highest number on the list (for the number of SSNs exposed).They were number 9. The other leaks were much much larger. Many times that of LabMD in regards to number of SSNs exposed.
The Oversight letter also alleges, “The Committee has also learned that Tiversa, or the Privacy Institute, may have manipulated information to advance the FTC’s investigation.” In response, Boback informs PHIprivacy.net:
The Committee staffers should have done some basic research on their “witness” prior to following such outrageous allegations. It seems as though the staffers are not trying to get to the truth as much as they are trying to find a political narrative. Oversight hasn’t revealed any of the information that [Rick] Wallace had suggested yet Tiversa still went openly and honestly to answer any and all of the questions posed of us.
The facts are and remain that Tiversa has not colluded in any way with the FTC. We only responded to the CID as we were required to do so. If the FTC was not authorized to send us the CID, then that is between Oversight and the FTC.
Tiversa did not provide false testimony before the Committee. Ever. In fact, Tiversa confirmed the accuracy of all Congressional testimonies after learning that the Oversight received the false allegations, presumably from Wallace, that it was not accurate.
Boback had previously informed PHIprivacy.net that he believes that LabMD and the Oversight committee have both been misled by Rick Wallace, whom Boback describes as a former disgruntled employee:
Mr. Wallace was terminated for cause and we feel that Mr. Wallace is seeking retribution for his termination by providing false information to LabMD counsel. His judgment is seriously in question given the multitude, frequency and nature of arrest by law enforcement that Mr. Wallace has experienced in 2014 alone. Mr. Wallace made no mention of any impropriety at Tiversa during his employment. He also sold over $250,000 of stock in Tiversa in April 2014 to an investor without ever mentioning a single instance of impropriety. If he knew of impropriety and sold his shares, he would be committing securities fraud.
PHIprivacy.net contacted Wallace’s attorney to request a response to Boback’s statement. Mr. Wallace declined to respond or comment.
In their newest letter, House Oversight asks Tschibaka to examine three issues:
- FTC procedures for receiving information that it uses to bring enforcement actions pursuant to its authority under Section 5, and whether FTC employees have improperly influenced how the agency receives information.
- The role played by FTC employees, including two named employees, in the Commission’s receipt of information from Tiversa, through the Privacy Institute or any other entity, and whether the Privacy Institute or Tiversa received any benefit for this arrangement.
- The reasons for the FTC’s issue of a civil investigative demand to the Privacy Institute instead of Tiversa, the custodian of the information.
Ironically, perhaps, Boback and Michael Daugherty, CEO of LabMD, do seem to agree on one point: they both think the FTC over-reached in its case against LabMD.