DataBreaches.Net

House Oversight’s lopsided hearing on the FTC

Posted on July 24, 2014 by Dissent

The House Oversight Committee held a hearing this morning that was supposed to be about FTC authority under Section 5, but it wound up being more of Chairman Darrell Issa using his position as a bully pulpit to attack the FTC, Tiversa, and the Democrats on the committee who would not give a potential whistleblower (a former employee of Tiversa) immunity from prosecution.

That House Oversight would even hold a hearing involving a case that is currently in progress before an FTC administrative law judge disturbed a number of members of the Committee, who felt that the House should not be interfering with or second-guessing the FTC. It also disturbed Sen. Jay Rockefeller, who wrote to Issa yesterday.

Two of the four witnesses at today’s hearing were business executives who had been contacted by the FTC concerning exposed patient information found on the Internet. One of them, Michael Daugherty, is the CEO of LabMD, the cancer diagnostics laboratory the FTC brought charges against following two potential breaches (see PHIprivacy.net for my continuing coverage of that case). The other, David Roesler, is the director of the Open Door Clinic, which was sued in 2010 following allegations that AIDS patient information was exposed on the Internet. In that case, the FTC’s only action was to alert the clinic that a file had been found with patient information. Roesler’s participation in the hearing appeared to be solely to condemn Tiversa for offering to remedy, at $475/hour, an exposure it claimed to have found. His testimony certainly did not suggest any wrongdoing or questionable action by the FTC.

Indeed, Tiversa, which was not present, was repeatedly criticized during the hearing. Because House Oversight’s mission is to investigate and oversee government agencies and not the private sector, much of the commentary and agenda seemed to me to be totally inappropriate. Only towards the end of the hearing did Rep. Issa raise a valid question: whether Congress should criminalize firms’ copying and downloading of files that were never intended to be shared or publicly available, such as files containing patient information that are accidentally exposed on p2p networks. His other valid points concerned whether the FTC had misled the committee (which would be a concern), and whether the FTC had appropriate measures and procedures in place to verify accusations about breaches or potential breaches. Issa indicated that both the FTC and Tiversa would be invited to testify at a later date.

The other two witnesses at today’s hearing were Gerry Stegmaier, who has consistently argued that Fair Notice is needed for FTC data security enforcement, and Woody Hartzog, who thinks that the “jurisprudence” or body of the FTC’s data security complaints should serve as sufficient notice to entities as to what the FTC considers “reasonable” and “unreasonable” data security practices. As Hartzog argued, you can have a simple checklist of “reasonable” security that will frequently be outdated, or you can have a “reasonableness” standard that defers to what the industry views as reasonable security, but you can’t have both.

You can find the witnesses’ written statements here:

Mr. Michael Daugherty
Mr. David Roesler
Mr. Gerard Stegmaier
Mr. Woodrow Hartzog

Brian Fung of the Washington Post covers the hearing here, but seems to omit any of Gerry Stegmaier’s thoughtful testimony on Fair Notice and how difficult it is for entities to comply when there are no clear guidelines or rules to use to assess their compliance.

Jenna Greene of the National Law Journal also provides additional coverage of the hearing, including some of the statements concerning Tiversa, and Tiversa’s response to the hearing.

So, has the FTC gone too far or abused its authority? Will Congress seek to rein it in again as it did in 1980? Certainly there are those who would welcome it, but this blogger wants to see more data security enforcement, not less. That said, I definitely agree that the FTC can and must do more to make its shifting standards clear by publishing summaries of what it considers “reasonable” and “unreasonable” and how it adapts those standards to account for small businesses. Without such guidance, I don’t see how any small business can really determine whether it is in compliance. And enough with the 20-year monitoring plans in consent decrees: there should be cases that result in corrective action plans to protect consumer data without crushing businesses with costly 20-year plans.

Unless, of course, I think a 20-year plan is in order. 🙂

Category: Breach Incidents, Commentaries and Analyses, Federal