Author: Scripta Ad Astra Staff
On Thursday, July 24, 2014, Congressman Darrell Issa (R- CA 49), Chairman of the House Oversight Committee, held a hearing on the Federal Trade Commission’s prosecution of LabMD for alleged data security breaches leading to the release of its customer’s personal data. Needless to say, Congressman Issa was not happy with the FTC.
Background of FTC v. LabMD
On August 28, 2013, the FTC filed an administrative complaint against LabMD alleging a variety of data security breaches that lead to the release of consumer information. LabMD conducts clinical laboratory tests on specimen samples from consumers and reporting test results to consumers’ health care providers.
The FTC alleged that LabMD’s data security procedures were deficient in that they:
1. did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
2. did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
3. did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
4. did not adequately train employees to safeguard personal information;
5. did not require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;
6. did not maintain and update operating systems of computers and other devices on its networks; and
7. did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks.
Aside from denying any wrongdoing, LabMD argued that the FTC was not forthcoming about its data security standards, so it was impossible for a business to determine whether it was compliant. For purposes of trial, in order to determine whether it was in compliance with FTC standards, LabMD moved to compel deposition testimony as to what data security standards the FTC applied to determine whether a company’s data security practices were reasonable or not. LabMD was successful in its motion. But, of course, the testimony was not helpful.
Congressman Issa Not Happy with the FTC
On June 17, 2014, Congressman Issa sent a letter to the FTC inquiring about its relationship with Tiversa, specifically with respect to the FTC’s investigation into LabMD. Congressman Issa was concerned that the Tiversa’s CEO, Robert Boback, did not provide the FTC with complete information about LabMD. Congressman Issa called the July 24 hearing in order to “understand the motivations” underlying the relationship between the FTC and Tiversa.
The fact of this hearing did not go unnoticed. In response to the called hearing, Senator John D. Rockefeller IV (D – W. VA) sent a letter to Congressman Issa explaining that he was troubled by the investigation and defending the FTC and its role in regulating data security practices. Senator Rockefeller noted that this sentiment was expressed recently by the court in FTC v. Wyndham Worldwide Corp. (though the Third Circuit recently granted a petition for an interlocutory appeal of portions of a district court opinion). Senator Rockefeller noted that the FTC’s role in ensuring data security standards is especially important in wake of the recent Target data breach and the fact that Congress has not been able to work together to pass strong data security and breach notification legislation.
At the hearing, the Committee invited a number of speakers to testify, including two law professors who testified as to some of the legal issues surrounding the FTC’s investigations into data security breaches; the executive director of Open Door, a non-profit organization that, like LabMD, was also contacted by Tiversa about alleged missing documents it found on P2P servers; and finally, LabMD’s CEO, Michael Daugherty. The FTC declined to testify.
Mr. Daugherty stated that Tiversa contacted him about documents that the firm allegedly found on P2P networking sites. Tiversa then offered LabMD consulting services, which LabMD declined. At that point, Tiversa informed the FTC about LabMD and the FTC began an investigation. The end result, Mr. Daugherty testified, was that LabMD had to shutter its doors because of the costs of its legal fees. (link: provide links to testimony of each person).
The FTC and its Role Regulating Data Privacy Standards
The FTC has a tough job. On the one hand, it is given great flexibility in investigating unfair business practices. Congress intended to delegate broad authority “to the [C]ommission to determine what practices were unfair,” rather than “enumerating the particular practices to which [the term ‘unfair’] was intended to apply… There is no limit to human inventiveness in this field. Even if all known unfair practices were specifically defined and prohibited, it would be at once necessary to begin over again.” On the other hand, because of this flexibility, it hesitates to set firm boundaries to avoid trapping itself and losing that ability to adapt.
Of course, the FTC’s strategy to maintain flexibility does not make it any easier on businesses because they lack certainty with respect to the standards that they must adhere to. It’s a difficult balance to maintain, but it should not be incumbent upon businesses to have guess what the FTC is thinking. Businesses should have some certainty, especially in an ever-changing technological landscape.
As Senator Rockefeller pointed out, Congress should work together to pass cybersecurity legislation, including data breach security standards, that gives businesses the tools to help them develop strong cybersecurity practices that are certain to comply with the law. Unfortunately, as Congress has left for summer recess, cybersecurity is an issue that will have to wait until September.