In Part 1 of this series, we began to tell the story of how one simple breach of a single rule by a single employee sank a $4 million per year company called LabMD, and how the breach triggered very expensive – and extensive – litigation.
As LabMD dealt with its new DC lawyers, owner Michael Daugherty has said he urged them to think about Tiversa’s role in the FTC’s interest in LabMD. As far as he knew, the only entity downloading the information had been Tiversa. For whatever reason, his lawyers were not interested. Turning back to the FTC, Daugherty did not want to sign a consent decree, which would be available to the general public. Knowledge of the breach going public, Daugherty reasoned, would lead his customers (doctors) to conclude that their patients’ information was not secure with LabMD. So, he fought.
Daugherty’s arguments concerning Tiversa finally caught the attention of FTC commissioner J. Thomas Rosch. In 2012, Rosch said in a dissenting FTC opinion, a few months before he left the agency, that the evidence provided by Tiversa shouldn’t be used against LabMD. Daugherty began to work with Cause of Action Institute, a conservative legal aid group, which has handled LabMD‘s defense before the FTC pro bono since 2013. Daugherty also began to build a relationship with US Representative Darryl Issa (R-CA) of the House Oversight Committee.
The FTC litigation began in 2013 when the FTC brought an administrative action against LabMD in the agency’s administrative courts. The FTC charged that not only had LabMD‘s information on 9,000 patients leaked from its system, but that the personal information of some 500 persons had fallen into the hands of identity thieves in California. The agency came full-on: In a 3-hour period on October 24, 2013, its lawyers sent notice of 20 depositions to be taken in various parts of the country, and scheduled them all on the same day.
The company’s legal fees had reached about $500,000 by now. LabMD‘s lawyers sought a protective order. But the stress and cost of the battle was destroying the company. LabMD’s revenues nose-dived and Daugherty finally shuttered it in 2014. After losing his company, Daugherty self-published a book about his experiences called The Devil Inside the Beltway.
As Daugherty was waiting for the administrative court trial to kick off, he received a call in April 2014 from Richard Wallace, a Tiversa employee who had just left the company. Wallace told Daugherty of Tiversa’s role in LabMD‘s demise. It was Wallace who originally discovered the files on a peer-to-peer file-sharing network. The files had never been anywhere else; when LabMD declined Tiversa’s services, Wallace claimed he was instructed to add LabMD to a list of companies which Tiversa reported to the FTC. Wallace further stated that he had been instructed to create fake evidence showing other places where the LabMD file had supposedly been found.
The FTC trial began in May and Wallace’s testimony was crucial – since the FTC’s case was based primarily on Tiversa’s evidence. Wallace testified in May 2015, just over a year after he first called Daugherty.
At the same time, the House Oversight Committee had prepared a report which was locked away until the completion of Wallace’s testimony. The report found that Tiversa faked evidence of data breaches to market its services. The report also disclosed an FTC-Tiversa relationship dating back to 2007. One writer summarized the findings this way:
The report concluded that the FTC had sacrificed “good government” in using Tiversa to “obtain information validating its regulatory authority” and with providing Tiversa with “actionable information it exploited for monetary gain.”
In November, the administrative judge in the case ruled in favor of LabMD, throwing out Tiversa‘s testimony and evidence. This left the FTC without much of a case. The judge characterized the FTC’s assertions regarding LabMD and the data of the 9,000 patients as “pure, unsupported speculation.”
But the story is not yet over. In the last installment of this series, we will discuss the litigation between Daugherty and Tiversa, as well as dueling Wall Street Journal op-eds on the issue, and a 48 page decision this summer by the FTC reversing the decision of the ALJ, imposing stringent requirements on LabMD. And we’ll learn the FTC’s reasons for doing so.
*AN IMPORTANT NOTE: The facts as summarized in this blog post are all according to published reports, and this blog post is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This blog post is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.