By Joel Schectman
WASHINGTON (Reuters) - Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry.
The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.
The Justice Department’s criminal investigation of Tiversa began after Richard Wallace, a former Tiversa employee, alleged in a 2015 Federal Trade Commission hearing that the cybersecurity firm gave the agency doctored evidence purporting to prove corporate data breaches, the people said.
Wallace testified that Tiversa falsified information to make it appear that sensitive data was being accessed by users across the country.
Tiversa's information led the FTC to examine whether companies failed to protect consumer data, according to testimony from Wallace and people with knowledge of the FTC inquiries, which can lead to civil charges and settlements with the companies.
David Schertler, an attorney at Schertler and Onorato LLP who is representing Tiversa, said the company is cooperating with the investigation.
Spokespeople for the Justice Department, the FBI and the FTC declined to comment.
The blog Databreaches.net first raised the possibility of an FBI raid on Tiversa earlier this month, citing a photo of black vehicles outside the company’s office that was posted on Twitter.
Tiversa, a Pittsburgh-based security company, scours filesharing networks, often used to share music, and offers to help companies and government agencies identify when their data has been stolen by hackers or inadvertently leaked.
Data provided by Tiversa led the FTC to send letters to more than 80 companies in early 2010, warning them that customer data had been made public on filesharing networks, according to people familiar with the FTC actions.
The FTC also opened investigations into nine companies identified by Tiversa, according to a 2015 staff report from the House Committee on Oversight & Government Reform, which did not name the companies. The status of those cases is not clear.
The FTC's involvement with Tiversa raises questions about how the agency investigates data breaches. Critics in the legal community have argued that Congress never granted the FTC power to police data security nor equipped the agency for that mission.
"They have an incredibly broad mandate, and that means enforcement on a shoe-string," said Gerald Ferguson, an expert in data protection law at Baker & Hostetler LLP.
The FTC began ramping up its actions against organizations accused of slack security practices in 2008, on the grounds that failing to protect consumer data is an "unfair" or "deceptive" trade practice. Unrelated to the Tiversa matter, Twitter (N:TWTR), CVS Caremark (N:CVS) and Wyndham Hotels & Resorts (N:WYN) are among more than 50 companies the FTC has reached settlements with over alleged lax data security, according to the agency.
The settlements with the FTC typically do not involve fines but require the companies to take often costly steps to improve data security.
Since the FBI raid earlier in March, Tiversa has placed its CEO Robert Boback on leave as the company conducts an internal investigation about the allegations of improper conduct, according to a person briefed on the case who declined to be named because the investigation is ongoing.
Robert Ridge, an attorney for Boback, declined to comment.
The allegations against Tiversa first surfaced last year during testimony in the FTC's civil data security case against the cancer testing company LabMD. The case represented the first instance when a company fought and beat the FTC in the agency’s administrative court over data security allegations.
The FTC alleged that poor security practices at LabMD allowed a patient insurance file to get released through the LimeWire peer-to-peer filesharing network, which was often used for downloading music. Both the FTC and LabMD said the information that Tiversa gave the agency was used in the investigation of the cancer testing company.
But in FTC’s administrative court in Washington, D.C. last May, Wallace testified that when Tiversa determined that a company’s files were available on filesharing software, Tiversa would reach out to the affected company and pitch its remediation service.
When companies such as LabMD declined the offer, their names were included on a list that Boback handed over to the FTC, according to court transcripts of Wallace's testimony.
For example, when LabMD refused Tiversa’s services, Boback “basically said, ‘f__ him, make sure he’s at the top of the list,’” according to Wallace's testimony.
Wallace said that he was also instructed to falsify evidence that LabMD’s patient file was rapidly spreading online and falling into the hands of identity thieves. Wallace testified that Boback told him, “'We need this at four different IP addresses, and they need to be bad guys.'”
The Justice Department granted Wallace immunity from prosecution in exchange for his testimony.
The FTC has said in court filings that while information from Tiversa caused the agency to begin the probe, its case against LabMD was supported by its own independent investigation.
LabMD CEO Michael Daugherty said in an interview with Reuters that he is a victim of a Tiversa extortion scheme. The costs and distraction associated with the case had driven LabMD out of business, Daugherty said. He acknowledges that one of his employees, in violation of company policy, installed a filesharing software on her computer for her personal use.
But Daugherty said the issue harmed no patients. No one outside LabMD ever accessed the file, Daugherty said, and evidence of its spread was falsified by Tiversa. “What concerns me is the collaboration between the FTC and bad actors,” Daughterty said. “This case is not just about LabMD, it’s about every company contacted by the FTC.”
That testimony led FTC Chief Administrative Law Judge D. Michael Chappell to dismiss the case against LabMD last November, ruling that the evidence against the medical company was “unreliable, not credible, and outweighed by credible contrary testimony from Mr. Wallace,” according to court records.
A Tiversa spokeswoman said in November that the company "acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation.”
The agency appealed Judge Chappell’s ruling and is now re-arguing the case against LabMD before the agency’s commissioners.