If you thought former Tiversa employee Rick Wallace’s testimony in FTC v. LabMD was sensational, wait until you read a staff report prepared for Darrell Issa, then-Chairman of the House Committee on Oversight and Government Reform.
The 99-page report, prepared in January but embargoed until after Wallace’s testimony, delves into Tiversa’s business practices and problems with the testimony provided by its CEO, Bob Boback. And while Boback has generally tried to paint negative testimony about him and Tiversa as the work of one disgruntled and mentally disturbed and alcoholic former employee, the staff report makes clear that the committee took testimony from a number of named former employees who confirm key aspects of Wallace’s testimony about Tiversa’s business model and who contradict what Boback had testified to.
Much of the report provides additional details about issues raised in OGR’s letter of last year: the contradictions in Boback’s testimony at different times, the seeming failure of Tiversa to turn over all documents when subpoenaed by the FTC, its seeming failure to produce all relevant documents when subpoenaed by OGR, and Tiversa’s claims that plans for Marine One had been found on an Iranian IP address. OGR was unable to determine whether that particular claim was true or not:
Tiversa’s counsel also repeatedly told the Committee that the federal government verified the information Tiversa provided about an Iranian computer being in possession of the Marine One document. But that is simply not the case. The Committee learned from NCIS that the joint task force investigating the incident was only able to verify that the IP address provided by Tiversa was located in Iran. The agents did not verify whether that computer actually possessed the Marine One file as this was outside the scope of the investigation.
Of course, the committee’s inability to confirm Tiversa’s claims does not mean that Tiversa’s claim was a lie, but the staff report outlines a number of reasons not to find Tiversa’s claims credible.
While many people are now aware of LabMD’s claims about Tiversa’s conduct (LabMD’s CEO Michael Daugherty wrote a book about his experience with the FTC and Tiversa in The Devil Inside the Beltway), one of the most troubling parts of the report concerns what Tiversa allegedly did to a non-profit clinic treating AIDS/HIV patients, the Open Door Clinic in Elgin, Illinois. Although the clinic’s Executive Director, David Roesler, testified in a hearing the House Committee on Oversight and Government Reform held on Tiversa, the full magnitude of Tiversa’s problematic conduct is only fully appreciated after reading the staff report. The report documents that:
- Tiversa found a file with information on the clinic’s patients had been leaked via P2P software.
- Tiversa contacted the clinic and tried to sell its remediation services at $475/hour. When asked to provide additional details, it wouldn’t.
- The clinic was unable to find any evidence that any P2P software was present on any of its computers and was puzzled by the reported find.
Rather than help the non-profit, though, after the clinic declined Tiversa’s sales pitch and its subsequent sales pitch for its partner, LifeLock:
- Tiversa provided the patients’ contact information to an attorney associated with Tiversa, who then sent the patients solicitation letters for a lawsuit. Tiversa allegedly provided the attorney – at no charge – with the very detailed analysis that Open Door had requested but that Tiversa had refused to provide to the clinic for free. And although Tiversa claimed its sole motivation was to ensure that patients were notified of the breach and that it made no money from the lawsuit, that claim doesn’t pass the smell test because it turned the information over to an attorney who solicited the patients for a lawsuit instead of just providing the information to Open Door.
- Tiversa seemed unable to satisfactorily explain why it testified that it never contacted patients directly and didn’t have the resources to do so when their phone logs indicated that they had called over 50 patients shortly before the attorney sent solicitation letters.
- Tiversa also turned over its very detailed analysis – the one they wouldn’t give to Open Door – to the FTC, who then sent Open Door a letter about the incident. According to the staff report (footnotes omitted):
On January 19, 2010, the FTC sent a letter to Open Door Clinic about the leak. The letter informed the clinic that a file had been exposed on the peer-to-peer network, and noted that the clinic’s failure to prevent the document from leaking could violate federal laws.
Of note, once the clinic was able to subpoena all the documents Tiversa had found as part of discovery in defending against the class action lawsuit, the clinic determined that the source of the leak appeared to be a computer that had been stolen in 2007. Open Door believes that the P2P software was installed on the computer after it was stolen. If they are correct, then yes, they had a breach as files with PHI were stolen, but the data leak was not due to any P2P software that they installed.
There’s much more to the report, of course, including allegations that Tiversa exaggerated its relationship with government agencies, and failed to notify the House Ethics Committee when it discovered a P2P leak involving its work. The report concluded that
when, in a position to prevent harm to companies or the federal government, he acted to benefit himself and Tiversa. Federal departments and agencies should be aware of these business practices when determining whether to do business with Tiversa.
Although the report was focused on Tiversa, the FTC came in for serious criticism, too, for allegedly misrepresenting the extent of its relationship with Tiversa to the Committee, for failing to question Tiversa’s creation of a shell organization, the Privacy Institute, to funnel information to the FTC, and for relying on Tiversa as its source of information about LabMD without fully verifying Tiversa’s claims:
FTC officials relied heavily on Tiversa’s “credible” reputation in “self-verifying” the produced information. The FTC explained to the Committee the steps it took in “self-verifying” the information:
- Tiversa, through the Privacy Institute, certified the information provided under penalty of perjury.
- FTC employees looked up the IP addresses provided by Tiversa to determine if the IP address was affiliated with the company.
- FTC employees looked at the metadata of the documents, when provided, to determine the author of the document.
- FTC employees performed “some” searches on the peer-to-peer networks, both for company names and specific documents. The FTC independently found only one of the files Tiversa submitted on the peer-to-peer network.
Ultimately, outside of some minimal work verifying IP addresses and looking at metadata, the FTC relied entirely on the list of companies and documents Tiversa provided.
In response to the report, Mike Daugherty of LabMD had this to say:
I hope the work of Congress will help others understand how to fight back against the corrupt who are relentless in their pushback, coverup, and deception. It’s a bad day in America if people think it’s ok for agencies to conspire with companies like Tiversa.
Bob Boback of Tiversa was not immediately available to provide a comment, but this post will be updated if and when he does.
Update: Bob Boback provided a statement to DataBreaches.net that says, in part,
The report is 100% biased and false, which should come as no surprise to anyone as Daugherty went to the staffer, who wrote the report, with the apparent goal of getting Tiversa investigated.
The real story here is that Daugherty’s counsel, Cause of Action, a non-profit that allegedly seeks to combat Cronyism, is actually using what appears to be Cronyism to attack a private third party.
[…]
To further demonstrate the bias, the one (and only) former employee with the HR complaints cited in the report, specifically denied Wallace’s accusations toward Tiversa. He said that he did not know why Wallace would say what he had said as it made no sense. This individual directly oversaw Wallace’s activities at the time in question, and went on to say that there was no wrongdoing on behalf of Tiversa. It is curious that the staffer omitted this pertinent information from the “report.”
The entire report has multiple instances of omissions and false characterizations and assumptions of Tiversa. To comply with the OGR’s investigation, which has resulted in nothing more than this biased report, cost Tiversa over $1,000,000 and untold amounts to the American taxpayers. It is really a travesty of justice in this country.
[…]
The investigations, both by FTC and OGR, two very important groups in the world’s most powerful nation, were completely unwarranted considering that this entire waste of millions of dollars occurred because a single employee at a small company in Atlanta installed a free software (LimeWire) on a company computer. I think that perspective on this has gone out the window, unfortunately at the expense of the taxpayer.
Reading through the report I couldn’t help but notice how biased it sounded. Rather than a fair narrative we got a congressional ax being ground. The claims against Tiversa are troubling if true but there are two sides to every story. Did the Congress of the United States really concern itself with trivial internal activities at Tiversa including that employees frequently carried guns? Or that the CEO handed out swords? Really? How is this relevant other than trying to make Tiversa and Boback look bad? I think OGR lost credibility on this one.
Maybe, but what’s more significant is that Tiversa’s employees/multiple sources, including his own emails, disputed sworn testimony by Boback.
Did OGR lose any credibility? Maybe, but that doesn’t mean that Tiversa and its CEO didn’t lose a helluva lot more credibility.