On Tuesday, Darrell Issa, the chairman the House Committee on Oversight and Government Reform, wrote a letter (PDF) to the Federal Trade Commission about the committee's concerns – that a security firm's “inaccurate” findings may have “played a role in the FTC's decision to initiate enforcement actions against LabMD.”
In 2009, the FTC began investigating the breach of about 9,000 LabMD customers, where names, Social Security numbers, dates of birth and personal health insurance information were allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks. LabMD, an Atlanta-based medical testing lab, has since shuttered most of its operations after years of fighting the FTC's claims in court, which drained its coffers.
In its letter, the House committee also said it had “substantial concerns” about the relationship between the FTC and Pittsburgh-based Tiversa, a peer-to-peer intelligence provider. Issa even went as far as to say that Tiversa may have manipulated information pertaining to the LabMD breach.
Tiversa, which notified LabMD of its breach in May 2008, later provided its findings to the FTC after LabMD turned down its remediation services, Issa wrote.
“Apparently, Tiversa provided information to the FTC about companies that refused to buy its services,” Issa claimed in the letter, adding that Tiversa “may have manipulated information to advance the FTC's investigation” – particularly, the results of a spread analysis, or in-depth network scan.
Provided in the letter was part of a transcribed interview Tiversa CEO Robert Boback had with the House Committee. In the interview, Boback allegedly said that a Tiversa analyst, who had initially looked into the LabMD breach, provided him with “less than accurate information.”
In light of its claims, the House Committee has asked the FTC to examine it procedures for receiving information leading to data security or privacy enforcement actions. The committee also requested that FTC scrutinize its relationship, and seemingly questionable interactions, with Tiversa.
In a Thursday interview, Bradley Clanton, a shareholder in the Mississippi and Washington, D.C., offices of law firm Baker Donelson, told SCMagazine.com that the House committee's investigation marked a rare move.
“It's very unusual for an oversight committee to get involved in a matter that's pending like this,” Clanton said.
He later said that the move further demonstrated how “entities are pushing back against the FTC, and that courts are likely to require them to give more specificity to what [data security standards] they expect.”
In early May, an administrative law judge sided with LabMD in the ongoing FTC case, by backing its argument that the FTC should makes its data security standards plain.