(UPDATE: After this piece originally appeared, former Bryan Cave partner Mary Beth Buchanan called me, along with her client Richard Wallace, the former cybersecurity employee at the heart of LabMD’s allegations, to say LabMD’s allegations are false at their very core. See the new commentary below.)
Last June, in a decision with important repercussions for the Federal Trade Commission’s enforcement of corporate data security, the 11th U.S. Circuit Court of Appeals tossed the FTC’s cease-and-desist order against LabMD, a Georgia cancer detection company accused of failing to safeguard patient files. The ruling came too late to save LabMD, which went out of business in the course of defending against the FTC’s allegations.
But in a new Manhattan State Supreme Court complaint, the company is looking for recompense from the law firm Bryan Cave Leighton Paisner and a former Bryan Cave partner, Mary Beth Buchanan, whom LabMD accuses of covering up crucial information that would have shut down the FTC’s enforcement action.
The complaint alleges a truly wild story of skullduggery: a supposedly rogue cybersecurity outfit with FBI ties; a former U.S. attorney determined to hide her office’s work with the data security firm; and government investigators who sanctioned the coverup. If the suit’s allegations prove true, LabMD and its CEO, Michael Daugherty (who is also a plaintiff), were victimized by a shocking scheme.
That’s a big if, of course. The just-filed complaint includes allegations that flatly contradict the record in the FTC case. LabMD’s lawyer, James Hawkins, told me that’s because the coverup was initially successful. As Daugherty and his company fended off the FTC, the complaint alleged, Bryan Cave lawyers made sure they didn’t obtain crucial information that would have undermined the government’s case.
A Bryan Cave spokeswoman declined to comment on the allegations in the complaint. Bryan Cave also said Buchanan’s departure to Kraken, a cryptocurrency exchange where she is now general counsel, was unrelated to LabMD’s assertions. Tiversa, the cybersecurity firm LabMD has accused of improperly accessing its patient files, has vehemently denied similar LabMD allegations in other litigation. Indeed, Tiversa has sued LabMD CEO Daugherty for defamation in an ongoing case in the Allegheny County Court of Common Pleas in Pittsburgh.
With those caveats in mind, the LabMD story begins with Richard Wallace, an employee at the cybersecurity firm Tiversa. In 2007, according to the complaint, then Pittsburgh U.S. Attorney Buchanan hired Wallace and Tiversa to help her office track down child pornographers. The complaint alleges that Buchanan authorized Wallace and Tiversa to use proprietary FBI software to search and seize evidence from child porn suspects. The complaint’s key allegation is that Wallace and Tiversa used the FBI surveillance tools authorized by Buchanan to tap LabMD’s computers.
According to Wallace, he did not use FBI surveillance tools to access LabMD’s computers and never told LabMD’s CEO that he did – flatly contradicting a key accusation in LabMD’s suit. Wallace said the only FBI program he used in connection with child pornography investigations overseen by Buchanan back in 2007, when she was a U.S. attorney in Pittsburgh, was publicly available and simply facilitated searches of file-sharing networks.
The FTC also claimed otherwise in its case against LabMD. As the 11th Circuit recounted in its decision vacating the government’s cease-and-desist order, the FTC asserted that LabMD left itself open to hackers when an employee downloaded peer-to-peer file-sharing software, likely LimeWire, from the Internet. In the government’s account, Tiversa discovered that hackers accessed LabMD patient files through the peer-to-peer program, then spread the patient files across the dark web.
LabMD claims that Tiversa obtained the patient files from the company’s own computers, using the FBI hacking tools authorized by Buchanan. It alleges that Tiversa then manipulated metadata to make it seem as though hackers shared the files.
LabMD and Daugherty claim Tiversa’s play was to use the information to pressure LabMD into hiring the cybersecurity firm to shore up its data protection. When LabMD refused, the company’s suit claims, Tiversa went to the FTC.
Wallace, the Tiversa employee, eventually became a whistleblower against Tiversa. He and LabMD’s CEO, Daugherty, formed a partnership to pursue a False Claims Act suit against Tiversa, accusing the cybersecurity firm of fraudulently obtaining millions of dollars of government contracts. The Justice Department declined to join the case, filed in federal court in Manhattan, but last month, U.S. District Judge Denise Cote denied Tiversa’s motion to dismiss all of the FCA allegations. (Judge Cote tossed claims related to a $29 million government grant to Dartmouth College but ruled Daugherty could proceed with claims based on much-smaller contracts between Tiversa and the TSA.)
You’re probably wondering how Bryan Cave and Mary Beth Buchanan fit into this picture. After all, even if LabMD’s allegations about Tiversa prove true, the former Pittsburgh U.S. Attorney couldn’t be held liable to LabMD for a contractor’s alleged misuse of FBI software.
Here’s where things get interesting. Years after Buchanan’s office supposedly contracted with Tiversa to assist in child porn investigations, ex-Tiversa employee Wallace hired Buchanan as his lawyer in the FTC investigation. Buchanan was Wallace’s third lawyer, and by the time he engaged her, he had already allied with LabMD CEO Daugherty in the False Claims Act case against Tiversa, where he was no longer employed.
LabMD’s complaint alleges that Buchanan and Bryan Cave counseled Wallace to hide his use of FBI software to access its computers in testimony to the administrative law judge overseeing the FTC case. It further contends FTC officials allowed Buchanan to shape Wallace’s testimony. If the truth had come out during the case, LabMD contends, the company’s fortunes would have been completely different.
LabMD claims Buchanan violated the Ethics in Government Act by agreeing to represent Wallace, with whom she had previously worked on a matter directly related to the LabMD case, placing her at risk of criminal exposure.
Wallace and Buchanan deny any overlap between Wallace’s work for Buchanan’s office in 2007 and her representation of him in connection with the Federal Trade Commission’s LabMD investigation. In fact, Wallace said, when he first contacted Buchanan to represent him in the LabMD case, she did not remember him at all.
“This is all made up,” Wallace said of the LabMD suit against Buchanan and her former law firm. “It’s all horsecrap.” Added Buchanan: “I wasn’t involved in any way in what Rick was doing with the FBI” in the child pornography investigation. “This is completely absurd.”
Bryan Cave’s supposed liability to LabMD, however, stems from Wallace’s business relationship with Daugherty in the False Claims Act suit. The complaint alleges that under New York law, Buchanan had a special relationship with Daugherty by virtue of her client’s fiduciary duty to his business partner.
LabMD alleges that Buchanan negligently and deliberately defrauded the company and is also liable for contributing to Wallace’s breach of fiduciary duty. In addition, the suit claims damages under a New York judiciary rule prohibiting attorneys from deceiving parties in litigation.
LabMD previously filed a similar suit in federal court in Manhattan, citing diversity jurisdiction. That case was dismissed sua sponte by U.S. District Judge Paul Oetken, who said there was not complete diversity and he did not have subject matter jurisdiction over the suit’s state-law claims. Filing in Manhattan State Supreme Court, said LabMD lawyer Hawkins, should solve that jurisdictional problem.
The big factual hurdle for the company will be establishing that Wallace did, in fact, use FBI surveillance tools to tap LabMD’s computers. If he didn’t, instead detecting a hack via LimeWire, then LabMD has no case against Buchanan and Bryan Cave. Nor would Buchanan be culpable under the Ethics in Government Act, according to LabMD counsel Hawkins.
Hawkins told me LabMD only learned from Wallace that he used the FBI tools in 2017, after Daugherty confronted him. The complaint, however, alleges that Buchanan knew years earlier that Wallace deployed FBI tools she had authorized Tiversa to use in child porn investigations.
Like I said, it’s a wild tale. I’m looking forward to seeing LabMD’s account tested in court.