Examining FTC's Data Security Enforcement
House Panel Scrutinizes Healthcare Investigations
Is the Federal Trade Commission overstepping its regulatory authority - and using questionable sources of information - in pursuing data security enforcement actions against companies, including healthcare entities, for alleged unfair and deceptive trade practices?
Members of the House Committee on Oversight and Government Reform considered that and other questions during a July 24 hearing, which included testimony by two executives whose healthcare firms have had run-ins with the FTC over their data security practices.
Committee Chairman Darrell Issa, R-Calif., scheduled the hearing to examine the FTC's handling of data security cases. He said he hopes to hold another hearing to hear testimony from the FTC on security issues and continue the investigation.
"Safeguards are needed for how FTC looks at allegations" of unfair business practices involving data security, Issa says. "Cybersecurity is not a hard science, you can be sure."
Meanwhile, Sen. Jay Rockefeller, D-W.V., questioned the wisdom of the hearing, telling Issa in a July 23 letter that he was concerned the hearing could undermine the FTC by "expressing skepticism about the FTC's long-standing and well-established legal authority under Section 5 of the FTC Act to bring an action ... for negligent data-security practices."
Rockefeller noted that "because of Congress's repeated failure to pass strong data-security and breach notification legislation, the FTC stands as the primary federal entity protecting American consumers from harmful data breaches."
Among those testifying was Michael Daugherty, CEO of LabMD, an Atlanta-based medical lab testing firm that's been embroiled in an ongoing data security dispute with the FTC. Also testifying was David Roesler, executive director of Open Door Clinic, a small AIDS clinic in suburban Chicago, which was also contacted by the FTC about a data security issue.
Daugherty testified that due to the costs and resources LabMD has spent in fighting its FTC case, the company was forced to shut down most of its operations earlier this year. Daugherty spoke about that to Information Security Media Group in an interview earlier this year.
Testimony by Daugherty and Roesler also showed that what LabMD and Open Door have in common is that before they were each separately contacted by FTC about the agency's concerns over their respective data security, both organizations were alerted by the security firm Tiversa about confidential files found on peer-to-peer networks.
Pittsburgh-based Tiversa claimed to have found on peer-to-peer networks unsecured data files containing confidential patient information belonging to each of the entities, Daugherty and Roesler testified. LabMD and Open Door each twice turned down Tiversa's offer to provide more information about the files if they signed up for its security services at $475 an hour, Daugherty and Roesler contended.
Tiversa did not offer testimony at the hearing. But in a statement provided to ISMG, Tiversa CEO Robert Boback said: "Today's hearing included countless inaccurate and misleading statements that mischaracterized the way Tiversa does business. Tiversa's business is at all times above-board, proper and aimed at helping organizations and individuals protect themselves from cybercrime. The committee is being badly misinformed by LabMD. It would be better if the committee focused on helping consumers fight cybercrime instead of influencing private litigation with the FTC."
Boback says Tiversa "routinely identifies inadvertently exposed files of organizations on P2P networks," and one of many such instances was a medical file exposed by LabMD, which contained the personal medical information of nearly 10,000 individuals. Tiversa promptly notified LabMD of the lost file and provided LabMD with a copy of it, he contends.
FTC in 2009 "required" Tiversa to provide information about organizations whose files were exposed on P2P networks, Boback says. "LabMD and Open Door were on the list simply because they met the FTC criteria," he adds.
Since last August, the FTC has been pursuing an administrative action against LabMD for alleged unfair and deceptive business practices related to the medical test lab's data security practices. LabMD has been fighting the allegations, and an administrative trial at the FTC about the case has been on hold since June, pending a decision on whether the Oversight Committee will grant immunity to a former Tiversa employee who provided information at an earlier closed "proffer" session about the security firm's business practices, Issa says.
Information provided to the committee by that former Tiversa employee brings into question the "accuracy" and "legitimacy" of information that Tiversa allegedly supplied to the FTC about the data security of companies that FTC subsequently pursued for enforcement actions, Issa says. It also brings into question whether Tiversa allegedly provided FTC with data security complaints only about companies that refused to buy Tiversa's services, says Issa, who adds that he's hoping to have both the FTC and Tiversa testify before the committee.
Rather than purchase security services from Tiversa, the Open Door Clinic used a different outside security firm to assess the clinic's security, which found no evidence of peer-to-peer software on the clinic's network, Roesler testified.
However, several months after Open Door refused to buy Tiversa's security services, a Pittsburgh-based law firm notified the clinic that it was representing clients in a class action suit against it for a breach involving other confidential patient data that had been found on a peer-to-peer network, Roesler testified. That lawsuit was later settled. It is unclear whether the clinic files found unsecured on peer-to-peer networks contained data that had been stored on an unencrypted laptop stolen a year earlier, Roesler said.
Lack of Published Standards?
LabMD's Daugherty testified that FTC has refused to articulate the standards by which it decides to pursue data security cases. "There's nothing for companies to look at, there's no rulemaking," he says.
In contrast, another witness, Woodrow Hartzog, an associate professor at Samford University's Cumberland School of Law, testified: "The FTC currently remains a key lynchpin in the U.S. data protection regulatory regime."
In his written testimony, Hartzog noted: "The FTC does not pull rules out of thin air. Rather, it builds upon the formidable and evolving body of knowledge in the data security field, as well as the commonly implemented data security practices of companies to determine when custodians of personal information are engaging in unfair and deceptive data security practices."
FTC's approach to data security focuses on four areas, he says: identification of assets and risk; data minimization; administrative, technical and physical safeguards; and data breach response plans.
The FTC, however, has stopped short of providing details about what companies need to do in each of those areas because the needs of the companies vary by their size and industry, plus technology evolves quickly, he says. "Unfortunately, it is not possible to provide a 'one size fits all' detailed checklist of reasonable data security practices," Hartzog testified.
FTC largely looks for companies to embrace the data security best practices and standards used in their industries, such as HIPAA in healthcare and the Gramm-Leach-Bliley Act in financial services, he says.
But another witness argued that FTC is not transparent in the standards it uses in deciding whether to pursue data security enforcement actions.
In his written testimony, privacy and security attorney Gerard Stegmaier, a partner at law firm Goodwin Procter LLP, said: "The FTC has used the law's breadth to regulate a wide range of business practices, from the production of farm equipment to telephone bill processing. However, what constitutes 'unfair' data-security practices is far from clear."
Stegmaier compared FTC's regulatory enforcement approach to data security with driving a car "without a speed limit being posted," and then getting a ticket for speeding.
The FTC has failed to provide "fair notice" of what's expected by companies in their data security practices, Stegmaier testified. "Fair notice requires that entities be able to reasonably understand whether their behavior complies with the law," he says. "If an entity acting in good faith cannot identify with 'ascertainable certainty' the standards to which an agency expects it to conform, the agency has not provided fair notice."
The FTC declined to comment about the hearing or its case against LabMD.