The House Oversight Committee held a hearing this morning that was supposed to be about FTC authority under Section 5, but it wound up being more of Chairman Darrell Issa using his position as a bully pulpit to attack the FTC, Tiversa, and Democrats on the committee who would not give a potential whistleblower (a former employee of Tiversa) immunity from prosecution.
That House Oversight would even hold a hearing involving a case that is currently in progress before an FTC administrative law judge disturbed a number of members of the Committee, who felt that the House should not be interfering or second-guessing the FTC. It also disturbed Sen. Jay Rockefeller, who wrote to Issa yesterday.
Two of the four witnesses at today’s hearing were business executives who had been contacted by the FTC concerning exposed patient information found on the Internet. One of them, Michael Daugherty, is the CEO of LabMD, the cancer diagnostics laboratory the FTC brought charges against following two potential breaches (see PHIprivacy.net for my continuing coverage of that case). The other, David Roesler, is the director of the Open Door Clinic, who was sued in 2010 following allegations that AIDS patient information was exposed on the Internet. In that case, the FTC’s only action was to alert the clinic that a file had been found with patient information. Roesler’s participation in the hearing appeared to be solely to condemn Tiversa for offering to remedy an exposure it claimed to have found for $475/hour. His testimony certainly did not suggest any wrongdoing or questionable action by the FTC.
Indeed, Tiversa was repeatedly criticized during the hearing in absentia. Because the House Oversight’s mission is to investigate and oversee government agencies and not the private sector, much of the commentary and agenda seemed to me to be totally inappropriate. Only towards the end of the hearing did Rep. Issa raise a valid question – whether Congress should criminalize the ability of firms to copy and download files that were never intended to be shared or publicly available, such as those containing patient information that are accidentally exposed on p2p networks. His other valid points concerned whether the FTC had misled the committee (which would be a concern), and whether the FTC had appropriate measures and procedures in place to verify accusations about breaches or potential breaches. Issa indicated that both the FTC and Tiversa would be invited to testify at a later date.
The other two witnesses at today’s hearing were Gerry Stegmaier, who has consistently argued that Fair Notice is needed for FTC data security enforcement, and Woody Hartzog, who thinks that the “jurisprudence” or body of the FTC’s data security complaints should serve as sufficient notice to entities as to what the FTC considers “reasonable” and “unreasonable” data security practices. As Hartzog argued, you can have a simple checklist of “reasonable” security that will be outdated frequently, or you can have a “reasonableness” standard that defers to what the industry views as reasonable security, but you can’t have both.
You can find the witnesses’ written statements here:
Mr. Michael Daugherty
Mr. David Roesler
Mr. Gerard Stegmaier
Mr. Woodrow Hartzog
Brian Fung of the Washington Post covers the hearing here, but seems to omit any of Gerry Stegmaier’s thoughtful testimony on Fair Notice and how difficult it is for entities to comply when there are no clear guidelines or rules to use to assess their compliance.
Jenna Greene of the National Law Journal also provides additional coverage of the hearing, including some of the statements concerning Tiversa, and Tiversa’s response to the hearing.
So, has the FTC gone too far or abused its authority? Will Congress seek to rein it in again as it did in 1980? Certainly there are those who would welcome it, but this blogger wants to see more data security enforcement, not less. That said, I definitely agree that the FTC can and must do more to make its shifting standards clear by publishing summaries of what it considers “reasonable” and “unreasonable” and how it adapts those standards to account for small businesses. Without such guidance, I don’t see how any small business can really determine whether it is in compliance. And enough with the 20-year monitoring plans in consent decrees: there should be cases that result in corrective action plans to protect consumer data without crushing businesses with costly 20-year plans.
Unless, of course, I think a 20-year plan is in order. 🙂