An interesting ruling was released by the Federal Trade Commission a few weeks ago.
The ruling dealt with a case in which LabMD, a cancer research company, was accused of improperly protecting consumer data that, if disclosed, is likely to cause substantial consumer injury.
The initial incident, which led to the FTC investigation, started back in 2008. The tortuous path that unfolded over the next seven years ultimately resulted in the demise of LabMD.
This case first came to my attention through a recent “Down The Security Rabbithole” podcast interview with LabMD CEO Mike Daugherty.
Here is an oversimplified summary of the case:
An employee at LabMD installed a peer-to-peer music file-sharing application on a company computer and (apparently unwittingly) flagged the entire “My Documents” folder as “Available for Sharing,” which in turn caused some of LabMD’s files to be exposed to the sharing site.
The file at the center of the case became known as the ‘1718 file,’ because it was 1,718 pages long. The file contained information that, if disclosed, could be used to commit identity theft
A breach detection company, Tiversa Holding Company, contacted LabMD to notify them that they had found the file on multiple file-sharing sites. This turned out to be a false statement, as testified by Tiversa’s former forensic analyst who was granted immunity for his testimony.
Tiversa made multiple attempts to sell their services to LabMD, which LabMD declined. In a separate investigation, the FTC requested information from Tiversa and the LabMD file was discovered, which resulted in the formal investigation.
This is no simple case of a company that is improperly targeted by a misguided government agency. It is such a bizarre and twisted tale that Daugherty wrote the book “The Devil Inside the Beltway,” which details the entire series of events. Indeed, it takes a book to understand the unfair treatment suffered by the folks at LabMD. Still, there is more to be learned from this event.
Tiversa’s business model was based on scanning file-sharing sites for files that they could then use to scare customers into paying what could only be viewed as a vulnerability bounty.
According to testimony, Tiversa would manipulate the findings to give the appearance that the files were downloaded to known identity theft sites. Many observers would characterize Tiversa’s actions as blatant extortion.
The presiding judge, Michael Chappell, dismissed all the charges against LabMD, indicating in his decision that the prediction of harm from a possible data breach does not equal the probability of that harm.
The FTC argued that identity theft could take years to occur and that there was no way to tell the outcome of the leaked file that was at the heart of the case. Judge Chappell noted that the case had taken more than seven years and the government could not identify one person in the leaked file who experienced identity theft.
This is unlike an earlier case in which the FTC was able to show harm caused by a breach. In fact, that case is cited by one of the experts who testified in the LabMD case.
The point that is important to the InfoSec community is that this is a case where theory alone is insufficient to prove probability. The fact that a file could be accessed by an unauthorized person does not instantly mean that the file has been accessed by unauthorized persons.
This means that just because a person can opine about what could go wrong should not trigger a federal investigation. Moreover, there has to be more than mere speculation of a likely risk of harm for a weakness to be actionable.
Imagine if the local home security company secretly came to your neighborhood and assessed the security of your home, and then reported all the weaknesses to the police who then arrest you because a burglar could break into your house. (I understand that the duty of care to protect your home may not be exactly the same as that required by a company to protect data, but the similarity of the scenario helps to clarify the events of this case.)
It is clear that mistakes were made by an employee at LabMD – and it is sad that LabMD had to suffer as a result – but in the end, this may be good for the InfoSec community, as it will deter others from attempting the unfair practices exhibited by Tiversa Holding Company.
It will also elevate the posture of those information security companies who practice honestly and ethically.
About the Author: Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock