Well, “changes everything” may be a slight exaggeration. But an FBI raid in early March on Tiversa, a Pittsburgh-based security company whose business model involves scanning filesharing networks and offering to help companies identify when their data has been stolen or leaked, is forcing a hard look at both that business practice and the Federal Trade Commission.
About a year ago, a former Tiversa employee alleged that the company would fabricate accounts of data breaches and then use them to pressure potential clients into buying its services. His testimony came in a case involving a small cancer testing company in Atlanta, Georgia. As reported by CNN Money, the whistleblower testified that “he tapped into LabMD’s computers and pulled the medical records. The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency ‘incident response’ cybersecurity services. After the lab refused the offer, Tiversa threatened to tip off federal regulators about the ‘data breach.’
When LabMD still refused, Tiversa let the Federal Trade Commission know about the ‘hack.’
The FTC went after the lab, giving the company a choice: sign a consent decree (basically a plea deal, which means years of audits and a nasty public statement) or fight in court. LabMD CEO Michael Daugherty chose to fight because a plea deal would have tarnished his reputation and killed the business anyway, he said.
Daugherty lost that battle in 2014, having run out of steam. The lawsuit killed LabMD, which was forced to fire its 40 employees last year.”
Tiversa defended itself and its business practices robustly, and filed suit against the original whistleblower as well as a second former employee. However, in the wake of the FBI raid, Tiversa’s CEO has been put on leave and the company has dropped a defamation lawsuit against two people who have publicly claimed it was operating an extortion racket.
As for the FTC, it has been reported that, based on data provided by Tiversa, the FTC sent letters to more than 80 companies warning them that customer data had been exposed on filesharing networks, and opened investigations into nine companies identified by Tiversa. Last November, LabMD persuaded FTC Chief Administrative Law Judge D. Michael Chappell to dismiss the case against it. Judge Chappell called the evidence against the medical company “unreliable, not credible, and outweighed by credible contrary testimony from Mr. Wallace” (the whistleblower). The FTC is appealing that decision, but the FBI action certainly suggests that the FTC may have a serious problem of its own.
It will take a bit longer for the dust to settle in this rather bizarre set of circumstances. But if Tiversa was guilty of scamming both prospective clients and the FTC, the reverberations from that bombshell will be felt throughout the cybersecurity industry.
By Tom Davis, SDI Cyber Risk Practice
March 22, 2016