The House Committee on Oversight and Government Reform on Thursday jumped into the middle of the Federal Trade Commission’s ongoing data security trial against medical testing facility LabMD, holding a three-hour hearing that questioned whether the agency’s case is appropriate or fair.
The FTC is “using its regulatory authority not to help protect consumers but to get simple consent decrees using the unlimited power it has,” said committee chairman Darrell Issa, R-Calif.
But some committee Democrats questioned whether the oversight hearing itself was appropriate or fair. “We cannot substitute ourselves for a regulatory agency in the midst of proceedings,” said Gerry Connolly, D-Va., who called it a “dangerous precedent.” Connolly said “our role is not to hear the case all over again.”
The FTC sued LabMD, a privately held company that performs cancer detection tests for doctors, in August 2013 for failing to protect consumer privacy in violation of Section 5 of the FTC Act. According to the agency, a file with information about 9,300 LabMD patients, including names, birth dates, Social Security numbers and medical test results, turned up on a peer-to-peer file sharing network in 2008.
The case went to trial before FTC Chief Administrative Law Judge D. Michael Chappell on May 20, but is now stayed pending a decision by the Oversight Committee on whether to grant a key witness limited immunity.
Of particular interest to the committee is the role of the witness’s former employer, cyber intelligence company Tiversa Inc., in the FTC case.
LabMD president Michael Daugherty said in committee testimony that his “nightmare” began when Tiversa president Robert Boback called him out of the blue and said his company found LabMD patient data on the Internet but “refused to tell us more unless we paid and retained them.”
Daugherty said Tiversa, which has patented search technology, wanted $40,000 to fix the breach. Unable to find any compromised data online, LabMD said no. Tiversa called back a few months later and said it was giving its LabMD files to the FTC—information that has figured prominently in the FTC’s case.
Another witness, David Roesler, executive director of the Open Door Clinic of Greater Elgin, testified that his non-profit AIDS service organization was also contacted by Tiversa and told of a peer-to-peer data breach. Roesler said Tiversa wanted $475 an hour to fix it, but Open Door said it could not find any evidence of a breach and declined.
Open Door was then hit with a class action lawsuit based on the information breach, which it settled without admitting responsibility for the disclosure, and also received a warning letter from the FTC.
“To me, it looks a little like an extortion game,” said John Mica, R-Fla.
Issa added, “I bet if you had paid Tiversa, you never would have gotten that letter.”
In all, Tiversa has turned in almost 100 companies to the FTC, according to John Duncan, R-Tenn. “The FTC should check on something like that…it’s seemingly an almost criminal conflict of interest,” he said.
Tiversa CEO Boback disputed the criticism. “Today’s hearing included countless inaccurate and misleading statements that mischaracterized the way Tiversa does business…The committee is being badly misinformed by LabMD,” Boback said in an email. “It would be better if the committee focused on helping consumers fight cybercrime instead of influencing private litigation with the FTC.”
He continued: “In the course of doing business, Tiversa occasionally identifies exposed files of random organizations that are not retained by Tiversa that are publicly available on peer-to-peer networks. When possible, Tiversa directly contacts the organization to inform them of the exposed file and return it to them. On occasion, some of those exposed organizations subsequently retain Tiversa to mitigate their vulnerability. Only about 1 percent of Tiversa’s business stems from these instances.”
A spokesperson for the FTC declined to comment.
Committee members also questioned whether the FTC has the authority to go after companies for data security breaches. The agency has not issued formal rules laying out compliance.
“People have the right to know what the law expects of them before they’re prosecuted,” said Gerard Stegmaier, a partner at Goodwin Procter, in testimony before the committee. “The agency has offered no formal rulemaking. It appears to regulate data security primarily through complaints or consent orders…. The situation is ripe for overreach, unfairness and uneven application of the law.”
But Woodrow Hartzog, a professor at Samford University’s Cumberland School of Law, responded that the FTC’s authority to act under Section 5 is intentionally broad and covers data security practices—an assertion bolstered by a New Jersey federal judge, who ruled in April that the FTC has the authority to bring a data security case against Wyndham Worldwide Corp.
The FTC defers to industry standards to determine whether a company is taking reasonable steps to safeguard private information, Hartzog said.
Given how quickly technology evolves, as well as the need to differentiate appropriate practices for a small business versus a mega-retailer like Amazon.com, he argued it was a wise way to proceed.
“For example, in tort law, you’re expected to build a product safely, but you’re not given a manual,” Hartzog said. “A one-size-fits-all checklist for data security would never work.”