House Oversight Committee Questions FTC’s Enforcement Practices

The FTC’s case seemed straightforward enough: it’s not a good idea to install file-sharing software on computers that hold unencrypted medical records.

That’s what LabMD, a Georgia-based medical testing facility, was accused of doing in a 2013 FTC complaint.  Most companies typically settle with the Federal Trade Commission to avoid the costs of protracted litigation (and because they typically don’t have to pay any fines given the FTC’s lack of penalty authority).  However, LabMD thought they were being unfairly picked on — they argue the FTC should be suing the file-sharing software maker, LimeWire, instead — so they made the FTC take them to court.

Yesterday’s House Oversight Committee hearing chaired by Rep. Darrell Issa (R-CA) purported to look at whether the FTC’s exercise of its enforcement powers under Section 5 of the FTC Act has been fair. The title of the hearing — The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury — presaged a rough time for the FTC (they apparently were not invited to testify).

Unfortunately, the majority of yesterday’s hearing focused on a different issue: a private cybersecurity firm, Tiversa, that allegedly first informed the FTC about LabMD’s data security problems. LabMD claims they were extorted by Tiversa to pay them for security consulting work; if they didn’t, Tiversa would rat them out to the authorities. It is entirely possible that Tiversa’s motivations in reporting LabMD were impure in this case, but it’s not clear how that relates to the FTC’s security enforcement authority. I’m not sure how it would be unreasonable of the FTC to act on a tip from a notable security firm (Tiversa had previously testified before the House Oversight Committee on multiple occasions), and in any event, LabMD does not appear to contest the core allegation that file-sharing software had been installed on computers holding unprotected medical records.

The core allegation against LabMD — that file-sharing software exposes medical records to the public at large — went largely unexplored at the hearing. That’s too bad, since it would be good to come to a common understanding of how to give companies guidance on constantly evolving security requirements.

Surprisingly, one of the four witnesses at the hearing hadn’t even been the subject of FTC action — it just got a notice from the FTC that they had seen one of the company’s medical records publicly available through a file-sharing service. It’s hard to see how the FTC played the role of prosecutor, judge, or jury in this particular case (apparently they too had been contacted by Tiversa, who may have passed its information on to the FTC and class action lawyers). Tiversa may have behaved unethically or illegally in this and the LabMD case — however, if they committed extortion, presumably that’s a matter for state law or the Department of Justice, not the FTC or the House Oversight Committee.

The core allegation against LabMD — that file-sharing software exposes medical records to the public at large — went largely unexplored at the hearing. That’s too bad, since it would be good to come to a common understanding of how to give companies guidance on constantly evolving security requirements.

The hearing did fitfully address whether the FTC’s interpretation of its unfairness authority to require “reasonable” security of personal data provides sufficient clarity for companies. Gerald Stegmaier of Goodwin Procter testified that the Constitution requires “fair notice” of what and what is not legal, and the FTC’s episodic enforcement against bad data security practices (through consent decrees that a judge doesn’t decide) doesn’t provide clear rules of the road.

Samford University Professor Woody Hartzog disagreed, noting that much — if not most — law operates under similar subjective standards (such as tort law concerning negligence and recklessness), and that statutory security laws such as Gramm-Leach-Bliley and HIPAA utilize precisely the same reasonableness test used by the FTC. He noted that the FTC’s complaints have been extraordinarily consistent and provide detailed guidance about the types of behaviors that they consider to be unreasonable security practices.

This disagreement was best encapsulated when Chairman Issa noted that posted speed limits give drivers a clear standard to follow to avoid breaking the law. Hartzog responded that states also have more subjective prohibitions on reckless driving, and drivers can be pulled over under inclement conditions even when driving below the posted speed limit.

The FTC’s authority to bring data security cases is being challenged in the courts, not just by LabMD, but also by Wyndham Hotels.  Wyndham recently lost its motion to dismiss the FTC’s case against it for using poor data security practices, with the court noting that the FTC Act was designed to be broadly interpreted to cover a wide range of consumer protection cases.  Indeed, for decades, the courts have approved FTC Section 5 cases in a broad range of novel cases — from telephone cramming to adware — where the FTC had never previously offered formal guidance.

Surely it can’t be the case that Congress or the FTC should prescribe specific technical solutions or detailed business processes to ensure good security practices. Security is a process, and one best developed and iterated upon by industry.

I think the Wyndham case got it right, and I don’t think it’s a close call.  The FTC Act is a broad statutory grant to protect consumers, and security and identity theft protection has the largest source of complaints to the FTC for the past fourteen years. The FTC as a civil consumer protection agency can’t reasonably go after malicious hackers themselves — criminal syndicates are unlikely to comply with administrative subpoenas or be deterred by consent decrees with no monetary penalties. Instead, the FTC can enforce against companies that fail to safeguard the consumer data they hold, which it has with great success. Formal regulations — or even published guidelines — could never detail all the possible security considerations that any particular company should take into account. And even if they could, those considerations are constantly changing.  Surely it can’t be the case that Congress or the FTC should prescribe specific technical solutions or detailed business processes to ensure good security practices. Security is a process, and one best developed and iterated upon by industry. As Professor Hartzog noted at the hearing, “you can either have a checklist of seventeen things you need to do, or you can have good security. You can’t have both.”  I am sympathetic to companies’ concerns that they don’t know precisely what they have to do to safeguard consumer data. However, I also can’t think of a better alternative: detailed statutory requirements and no legal obligations whatsoever both seem dramatically worse security frameworks.

Congress certainly has an obligation to monitor civil enforcement agencies for potential abuse, but it’s hard to see where the FTC has overstepped its bounds on privacy and data security. Hopefully future hearings will look more closely at the core issues presented by the LabMD case, and  how to give companies a better understanding of evolving security requirements.

Share Post