House Oversight Committee chair Darrell Issa (R-Calif.) thinks the Federal Trade Commission shouldn't be allowed to sue companies for breaches of customer data using its main legal authority.
In a hearing Thursday, Issa slammed the agency for using what he called an "unlimited power" under Section 5 of the Federal Trade Commission Act. Section 5 is what gives the FTC the authority to take legal action against companies it believes have been behaving deceptively or unfairly. Now the scope of that authority is coming into question just as technology has opened up new risks of data-related crimes like fraud and identity theft.
What did the FTC do that drew Issa's attention, exactly? In 2012, the agency sued a company known as LabMD, which does cancer diagnosis, charging that the company didn't do enough to keep more than 9,000 customer records from getting stolen.
"In two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers," according to the FTC. "The complaint alleges that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves."
Sounds pretty bad, except LabMD's chief executive, Michael Daugherty, argues his company did nothing wrong. Instead, Daugherty told the House committee, an IT security company called Tiversa contacted LabMD and essentially tried to blackmail the firm, saying it had obtained copies of customer records. For a fee, according to Daugherty, Tiversa offered to help mitigate the security leak. When Daugherty refused, Tiversa eventually gave the files to Dartmouth University researchers who were writing a paper on data breaches.
The FTC's lawsuit is now on hold, pending the House Oversight Committee's investigation. In his remarks, Issa compared the alleged data breach to a home robbery, where a burglar breaks a padlock or hacks a garage door opener. Much as the personal analogy may help to illustrate the situation, the consequences of a corporate data breach are typically far more serious than those of a burglary.
"Being accused of mishandling medical files is fatal to a cancer detection lab," Daugherty said in testimony Thursday. "We had built a company based upon the most precious commodities available — trust and integrity — and the FTC had destroyed it based upon nothing more than an unverified accusation by a self-interested commercial suitor whom we had scorned."
It's also worth mentioning that most homes don't hold thousands of people's medical records.
While the facts of the case are still being probed, the years-long battle has raised questions about how much leeway the FTC enjoys when it comes to using Section 5. The agency has taken an active role on data security and is particularly interested in the Internet of Things, mobile data and other areas where data breaches could compromise sensitive personal information.
Legal scholars say that while Section 5 is somewhat ambiguous on the question of data security — a fact that could land some companies in trouble without their realizing it — the breadth of the law was intentional. Moreover, what the FTC defines as reasonable behavior is generally set by private-sector standards.
"The FTC does not pull rules out of thin air," said Woodrow Hartzog, an associate professor of law at Samford University in Alabama, in his testimony. "The FTC doesn't create the standard at all. Rather, it says, 'What is the industry doing? What are the industry standards for data security and best practices?'"
Hartzog added that the FTC's complaint against LabMD closely resembled the agency's other enforcement actions, suggesting that the FTC's investigation of LabMD was consistent with its authority as applied to other areas.
Of more than 4,300 publicized data breaches since 2005, the FTC has filed only 55 complaints relating to data security, said Hartzog.
It doesn't look as though the FTC is going to be banned from pursuing data security cases, particularly considering that few other agencies in Washington seem up to the task. But that won't stop some in Congress from challenging the FTC's growing interest.
"The Federal Trade Commission cannot tell you what's right," said Issa. "They will only come in and demand a consent decree if through fault or no fault of your own, you become a victim of hacking or there is a recognition of vulnerability."