FTC v LabMD – Truth is Stranger than Fiction
After months of legal and procedural wrangling, the showdown between the Federal Trade Commission (“FTC” or “Commission”) and LabMD over whether LabMD provided “reasonable security” for personal information stored on its networks reached some resolution. The Administrative Law Judge (“ALJ”) tasked with ruling on this matter dismissed the FTC’s complaint and issued its initial decision. He explained that the Commission failed to satisfy the first prong of an unfairness claim, which is that the act or practice is likely to cause substantial injury. Then, in a significant passage, he noted that the underlying evidence on which the Commission relied in bringing its action – information that Tiversa allegedly found on the Internet showing that LabMD had left its data exposed via LimeWire and that it had been downloaded by identity thieves – had been falsified. Moreover, Tiversa had offered it to the FTC as retribution for LabMD’s failure to hire Tiversa to improve its security. According to the decision in the case, the key witness – who had been granted immunity from the Department of Justice – testified that:
Tiversa’s business model was to “monetize” documents that it downloaded from peer-to-peer networks, by using those documents to sell data security remediation services to the affected business, including by representing to the affected business that the business’ information had “spread” across the Internet via peer-to-peer sharing networks, when such was not necessarily the case, and by manipulating Tiversa’s internal database of peer to-peer network downloads (the “Data Store”) to make it appear that a business’ information had been found at IP addresses belonging to known identity thieves. Mr. Wallace further testified that these practices were followed with regard to Tiversa’s discovery of LabMD’s 1718 File. In order to retaliate against LabMD for refusing to purchase Tiversa’s services, Mr. Wallace testified, Tiversa reported its discovery of the 1718 File to the FTC; and Mr. Wallace, at the direction of Mr. Boback, manipulated Tiversa’s Data Store to make it appear that the 1718 File had been found at four IP addresses, including IP addresses of known identity thieves, and fabricated a list of those IP addresses, which Complaint Counsel introduced into evidence as CX0019..
This makes Commissioner’s Rosch’s June 21, 2012 dissent from the FTC’s decision not to limit or quash the Civil Investigative Demand to LabMD especially prescient. In that dissent, Commissioner Rosch warned the FTC of the dangers of relying on evidence that had been obtained from “a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations.” He suggested that the FTC disavow any reliance on that evidence in the investigation. Unfortunately, his words went unheeded.
Although this surprise outcome with all of its accompanying drama ended this segment of the years-long LabMD saga, we suspect that the story is not over yet. In fact, the FTC may still appeal this initial decision. Nevertheless, both the FTC and security consultants who solicit information security work based on evidence that the consultants have discovered, all have some lessons to draw from this decision. If sometimes truth is stranger than fiction, sometimes evidence that is handed over on a silver platter must be examined closely for the tarnish.