Tiversa Cybersecurity and the FTC
Recently, a case involving a cybersecurity company, a whistleblower and the FTC has caused a massive rethink of the intertwined relationships between organizations and their outsourcing partners. An article from The Hill  discusses the case of a whistleblower who went to the House Oversight Committee seeking immunity with some startling news:
Cybersecurity company Tiversa was blackmailing their potential clients.
The article states that Tiversa would be hired to perform an analysis of an organization’s data security processes and policies to determine if an organization is secure or not. The organization in question is LabMD. According to the whistleblower, former Tiversa employee Richard Wallace, when LabMD refused to utilize the solutions Tiversa offered to remedy their data security issues, Tiversa reported LabMD to the FTC.
Aside from Wallace’s situation, the story creates broad concerns about the risks of working with vendors, undermining the belief that current procedures are adequate protection. It would be good to know if this was an isolated incident or common practice for Tiversa and perhaps others, but Wallace has not been granted immunity and he has been withholding his testimony.
So what is an organization to do? A non-disclosure agreement (NDA) should be part of any service contract but that only helps to a certain point. If a whistleblower is granted immunity through the Non-Federal Employees Whistleblower Protection Act (H.R. 6406) , the federal government protects them from retaliation and penalties even if an NDA is signed.
The major concern is that this is legalized extortion that one organization can leverage against another using the federal government as the weapon. It has the potential to damage relationships between organizations and their service providers and highlights the need for diligence when choosing partners and when making system decisions. Certainly, this situation was good for no one.
 Sparks fly over FTC whistleblower
 New whistleblower bills target private sector