A number of people were hopeful that the FTC would disclose more information about its data security standards in testimony to be provided by Daniel Kaufman, Deputy Director of the FTC’s Bureau of Consumer Protection, in FTC v. LabMD.
If you were expecting new insights, however, you will likely be disappointed. Rather than having Kaufman testify last week during the hearing before Administrative Law Judge Chappell, both LabMD and the FTC agreed to simply enter Kaufman’s deposition into the record.
So what was in his deposition? Here’s a sample exchange. The following is in response to a question by LabMD’s counsel, who pointed Kaufman to paragraph 10 of the FTC’s complaint and asked:
Q: And so my question, then, in that regard is, is it the Bureau’s position that in order to comply with Section 5 of the Federal Trade Commission Act, that an entity must have in place a comprehensive information security program?
A: Assessing whether certain data security practices are unfair under Section 5 of the FTC Act requires a case-by-case factual analysis of the situation. So whether a company has developed, implemented, or maintained a comprehensive information security program may be required under Section 5.
Q: Is it the Bureau’s position that, based on its analysis of the facts in this case, that it will hold LabMD to the standard of requiring a comprehensive information security plan?
[…]
A: The Bureau will allege that one of LabMD’s failings, among others, was the failure to have a comprehensive information security program.
Q: Has the Bureau published or otherwise informed the public that HIPAA-covered entities such as LabMD must have a written comprehensive information security program in place in order to comply with FTC or Bureau data security standards?
A: I am not sure whether the Commission has issued material specifically relating to the HIPAA-covered entities, but the Bureau has published a great deal of consumer and business education on the issue of what is reasonable data security. The Commission has testified on it on a number of occasions, and there’s a lot of other publicly available information on what constitutes reasonable data security.
Q: Is it the Bureau’s position that reasonable data security, as it has analyzed this case, as it does on a case-by-case basis, includes having in place a comprehensive information security plan?
[…]
A: In this case the Bureau has alleged that LabMD should have had a comprehensive information security program in place.
Q: Is the Bureau’s definition of a comprehensive information security program the same as the definition for a comprehensive information security program as set out in Dr. Raquel Hill’s expert witness report?
A: I am not aware of a specific definition we have used for comprehensive information security program, but I can certainly look at her definition and see if it seems consistent with my general understanding.
[…]
Q: Has the Bureau published any information which would indicate to HIPAA-covered entities like LabMD that they are expected to apply the seven principles of best practices as it relates to a comprehensive information security program as explained in Dr. Hill’s report?
A: The Bureau has published a great deal of materials that provide guidance regarding comprehensive information security programs from the 50 or so settlement orders that have been issued by the FTC that provide such information to business educational, to speeches, to Congressional testimony, and there’s additional information available from other organizations as well.
Q: In any of that literature or the documents that you referenced, is the phrase “comprehensive information security program” used?
A: I’m not sure.
Q: In any of the information that you just referenced, do they contain the seven principles as stated in Dr. Hill’s report with regard to best practices to establish a comprehensive security — I’m sorry, a comprehensive information security program and list those seven principles as don’t keep what you don’t need, patch, ports, policies, protect, probe, and physical?
A: The concepts that are set forth by the seven principles are very consistent with other information that I have seen in some of our materials, including our business educational materials.
The short version: for pretty much every aspect of the complaint in paragraph 10, Kaufman testified that the FTC had communicated that standard via its speeches, business guidance documents, testimony to Congress, and previous settlements, but he would not go so far as to say whether LabMD could have violated any of those standards and still be found to have complied with “reasonableness” under Section 5.
So where does that leave entities? It seems that we all must follow all of the FTC’s speeches, blog entries, and testimony to Congress, in addition to reading all of their settlements and closing letters if we want to deduce what all the standards are that we must comply with to stay on the safe side of the FTC.
And that, I think, is utterly unreasonable and unduly burdensome. While I understand a case-by-case approach, the FTC needs to have a document that lays out all the things it knows it has already looked at, and provides examples of what was found to be reasonable and what was found to be unreasonable. HIPAA is very clear that the standards are somewhat flexible in the sense that they take the size and complexity of an organization into account as well as the sensitivity of the information. Does the FTC have a comparable flexibility standard? If so, where does it tell small businesses or solo practitioners such as doctors and lawyers how much documentation we need in writing, whether we need to arrange for pen-testing, etc.?
Give us a clue, FTC. BEFORE you come after us.
I’ve uploaded the second day of Kaufman’s deposition here (pdf), if you’d like to read it in its entirety.