A Leak Wounded This Company. Fighting the Feds Finished It Off
Bloomberg Businessweek | May 2 - May 8, 2016
It wasn't getting hacked that brought down LabMD - it was fighting the government. 

Dune Lawrence

The first phone call that changed Michael Daugherty’s life came in May 2008. Daugherty was a happy man, running a good business in a nice place. That’s how he talks about it, like the opening five minutes of a movie, setting up how great everything is before disaster strikes. His Atlanta-based company, LabMD, tested blood, urine, and tissue samples for urologists, and had about 30 employees and $4 million in annual sales.

Daugherty is a middle-aged guy distinguished by small, kind brown eyes and a big, meaty laugh—a business everyman of a certain vintage, with a salesman’s mix of friendly and aggressive. He’s from Detroit, and you can occasionally hear it in his vowels. Kevin Spacey could play him in the movie.

Here’s where the story turns dark. That Tuesday, LabMD’s general manager came in to tell Daugherty about a call he’d just fielded from a man named Robert Boback. Boback claimed to have gotten hold of a file full of LabMD patient information. This was scary for a medical business that had to comply with federal rules on privacy, enshrined in the Health Insurance Portability and Accountability Act. I need proof, Daugherty told his deputy. Get it in writing.

Boback e-mailed the document. It was a LabMD billing report containing data, including Social Security numbers, on more than 9,000 patients. Boback quickly got to the sales pitch: His company, Tiversa, offered an investigative service that could identify the source and severity of the breach that had exposed this data and stop any further spread of sensitive information.

LabMD’s four-person IT team found the problem almost immediately: The manager of the billing department had been using LimeWire file-sharing software to download music. Without knowing it, she’d left her documents folder, which contained the insurance report now in Tiversa’s possession, open for sharing with other users of the peer-to-peer network. The billing manager’s computer was the only machine at LabMD with LimeWire—having it was a violation of company policy—and the tech staff removed it.

They also began scouring peer-to-peer networks and the Internet for signs of the file on the loose, in case someone outside Tiversa had downloaded it and shared it with others. They looked for months and never found it.

Boback kept e-mailing during this period, urging swift action and claiming that Tiversa was seeing searches and downloads of the file. When LabMD asked for specifics, Boback said he could provide those only after LabMD signed a service agreement. The sample agreement he sent listed a rate of $475 an hour, and Boback said the fix for a problem of this nature typically took two weeks. (Two 40-hour weeks at that rate would total $38,000.) His e-mails mentioned negative press related to the leak of 1,000 Social Security numbers by Walter Reed Army Medical Center, and he offered to send over a breakdown of data breach notification laws in 43 states.

Boback had an unusual background for a cyber entrepreneur. Before starting Tiversa, he’d been a chiropractor and dabbled in real estate around Pittsburgh, where he’d grown up. He founded the company in his hometown in early 2004 with Sam Hopkins, one of his chiropractic clients, who became the chief technology officer.

Boback proved an adept salesman. By 2007, Tiversa had collected a group of high-powered advisers, most notably Wesley Clark, the retired four-star general. Boback testified that July before the House Committee on Oversight and Government Reform, introduced by the chairman as “a leading authority in the consequences of inadvertent information sharing.” (Clark said through a spokesperson that he hasn’t been involved with Tiversa for several years.)

Tiversa monitored peer-to-peer networks for its clients, using a proprietary platform that gave it a broad view of what users of such networks were searching for and sharing. By the time Boback called LabMD, Tiversa’s home page boasted that its technology could monitor 450 million users doing 1.5 billion searches a day. The company overview listed Tiversa’s core values, including, “We are open, honest, and direct in all of our interactions. We always strive to ‘do the right thing’ for our customers and employees.”

Daugherty read Boback’s e-mails as polite extortion notes. Boback stopped sending them only after Daugherty’s deputy told him in late July to direct all communications to LabMD’s lawyers. That fall, a LabMD lawyer got a call from a Tiversa lawyer with what sounded to Daugherty like a threat: Tiversa was worried about being sued for not reporting the LabMD file to the Federal Trade Commission.

The commission came knocking in January 2010. LabMD received an 11-page letter from the FTC Division of Privacy and Identity Protection, stating that it was conducting an inquiry into the company related to a file from its computer network that was available on a peer-to-peer network. The letter listed 18 questions, with as many as eight subparts each, about LabMD’s overall security and technology setup and practices, and requested documentation of any exposure of personal information.

The FTC has a dual mandate: to protect consumers and to promote competition. Its protective powers are laid out in Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Since the agency’s founding in 1914, that has meant going after companies for false advertising, financial scams, and the like. In this century, the FTC also applies Section 5 to information security, casting careless handling of consumers’ information as a form of unfair and deceptive business practices. The FTC reached its first settlement in this area in 2000, with a group of online pharmacies over their collection and use of customer information. Since then, the commission has brought more than 60 cases related to data security. In all but one, the companies involved have settled, signing consent decrees that in many cases require 20 years of security audits by an outside firm and sometimes fines. The alternative is litigation, which the FTC can initiate in federal court or in its own administrative court system.
