[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR,
JUDGE, AND JURY
=======================================================================
HEARING
before the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
JULY 24, 2014
__________
Serial No. 113-142
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
90-892 PDF WASHINGTON : 2014
-----------------------------------------------------------------------
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, JR., Tennessee
PATRICK T. McHENRY, North Carolina
JIM JORDAN, Ohio
JASON CHAFFETZ, Utah
TIM WALBERG, Michigan
JAMES LANKFORD, Oklahoma
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
PATRICK MEEHAN, Pennsylvania
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
DOC HASTINGS, Washington
CYNTHIA M. LUMMIS, Wyoming
ROB WOODALL, Georgia
THOMAS MASSIE, Kentucky
DOUG COLLINS, Georgia
MARK MEADOWS, North Carolina
KERRY L. BENTIVOLIO, Michigan
RON DeSANTIS, Florida

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
JACKIE SPEIER, California
MATTHEW A. CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
DANNY K. DAVIS, Illinois
PETER WELCH, Vermont
TONY CARDENAS, California
STEVEN A. HORSFORD, Nevada
MICHELLE LUJAN GRISHAM, New Mexico
Vacancy
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
CONTENTS
----------
Hearing held on July 24, 2014
WITNESSES
Mr. Michael Daugherty, Chief Executive Officer, LabMD, Inc.
  Oral Statement
  Written Statement
Mr. David Roesler, Executive Director, Open Door
  Oral Statement
  Written Statement
Mr. Gerald Stegmaier, Partner, Goodwin Procter
  Oral Statement
  Written Statement
Mr. Woodrow Hartzog, Associate Professor, Samford University
  Oral Statement
  Written Statement
THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR,
JUDGE, AND JURY
----------
Thursday, July 24, 2014
House of Representatives,
Committee on Oversight and Government Reform,
Washington, D.C.
The committee met, pursuant to call, at 9:37 a.m., in Room
2154, Rayburn House Office Building, Hon. Darrell E. Issa
[chairman of the committee] presiding.
Present: Representatives Issa, Mica, Turner, Duncan,
Jordan, Chaffetz, Walberg, Lankford, Gosar, Massie, Collins,
Meadows, Bentivolio, DeSantis, Cummings, Maloney, Norton,
Tierney, Clay, Lynch, Connolly, Duckworth, Kelly and Lujan
Grisham.
Staff Present: Jen Barblan, Senior Counsel; Molly Boyl,
Deputy General Counsel and Parliamentarian; Ashley H. Callen,
Deputy Chief Counsel for Investigations; Sharon Casey, Senior
Assistant Clerk; Steve Castor, General Counsel; John Cuaderes,
Deputy Staff Director; Adam P. Fromm, Director of Member
Services and Committee Operations; Linda Good, Chief Clerk;
Tyler Grimm, Senior Professional Staff Member; Christopher
Hixon, Chief Counsel for Oversight; Mark D. Marin, Deputy Staff
Director for Oversight; Ashok M. Pinto, Chief Counsel,
Investigations; Andrew Shult, Deputy Digital Director; Rebecca
Watkins, Communications Director; Jeff Wease, Chief Information
Officer; Sang H. Yi, Professional Staff Member; Meghan Berroya,
Minority Deputy Chief Counsel; Courtney Cochran, Minority Press
Secretary; Jennifer Hoffman, Minority Communications Director;
Julia Krieger, Minority New Media Press Secretary; Lucinda
Lessley, Minority Policy Director; Juan McCullum, Minority
Clerk; Dave Rapallo, Minority Staff Director; and Brandon
Reavis, Minority Counsel/Policy Advisor.
Chairman Issa. The committee will come to order. Without
objection, the chair is authorized to declare a recess of the
committee at any time. Today's hearing, ``The Federal Trade
Commission and Its Section 5 Authority: Prosecutor, Judge, and
Jury.''
The Oversight Committee mission statement is that we exist
to secure two fundamental principles. First, Americans have a
right to know that the money Washington takes from them is well
spent. And second, Americans deserve an efficient, effective
government that works for them. Our duty on the Oversight and
Government Reform Committee is to protect these rights. Our
solemn responsibility is to hold government accountable to
taxpayers, because taxpayers have a right to know what they get
from their government. It is our job to work tirelessly, in
partnership with citizen watchdogs, to deliver the facts to the
American people and bring genuine reform to the Federal
bureaucracy.
With that, I would recognize the ranking member for his
opening statement.
Mr. Cummings. Thank you very much, Mr. Chairman.
Today's hearing will cover several new issues for this
committee. First, the Republican briefing memo says that the
committee will examine, ``whether the FTC has the authority to
pursue data security enforcement actions under its current
Section 5 authority.'' In Section 5 of the FTC Act, Congress
gave the FTC authority to protect American consumers, that is
our constituents, and ensure that their personal, medical,
financial, and other information is protected from unauthorized
disclosure. The FTC has been using this authority to ensure
that companies who receive this type of consumer information
take appropriate steps to safeguard it. In fact, a Federal
judge recently upheld this authority and rejected an attempt
to, ``carve out a data security exception.''
Yesterday, Senator Rockefeller, the chairman of the Senate
Commerce Committee and an expert on this issue, sent a letter
to the chairman emphasizing this point. He wrote, ``Another
apparent purpose of your hearing is to express skepticism about
the FTC's long-standing and well-established legal authority
under Section 5 of the FTC Act. This skepticism is unfounded,
and your public position was recently rejected by a Federal
judge in the FTC data security case against Wyndham
Corporation.''
He goes on to say, ``Over the past 13 years, the Commission
has initiated dozens of administrative adjudicatory proceedings
in cases in Federal court challenging practices that
compromised security of consumers' data and that resulted in
improper disclosures of personal information collected from
consumers.''
According to the Republican memo, today the committee will
also examine, ``recent FTC actions related to data security
practices.'' One of the witnesses testifying today is Michael
Daugherty, the CEO of a company called LabMD. The FTC has
brought an enforcement action against LabMD, and Mr. Daugherty
admits that more than 900 files on his billing manager's
computer were accessible for public sharing and downloading,
which is a major security breach.
Mr. Daugherty has written a book entitled ``The Devil
Inside the Beltway.'' In it, he refers to the FTC as
``terrorists.'' He also accuses the FTC of engaging in
``psychological warfare'' and ``torture,'' and of
``administering government chemotherapy.'' Of course he has a
right to his opinion, but this committee should base its
oversight work on facts rather than the extreme rhetoric of a
defendant in an ongoing enforcement action.
As part of our investigation, we have also received
competing allegations about Tiversa, a data security firm that
provided information to the FTC about LabMD's security breach.
Obviously, we all agree that the FTC should rely only on
evidence it believes to be legitimate. If allegations are
ultimately verified that Tiversa provided intentionally
falsified data, that data clearly should not be used in any
enforcement action. But to date, we have obtained no evidence
to corroborate these allegations. So they remain just that,
unconfirmed allegations.
Unfortunately, on June 17th, the chairman sent a letter to
the FTC inspector general alleging coordination and
collaboration between the FTC and Tiversa, and suggesting that,
``the FTC aided a company whose business practices allegedly
involved disseminating false data about the nature of data
security breaches.'' The chairman wrote that, ``the FTC appears
to have acted on information provided by Tiversa without
verifying it in any meaningful way.'' He also requested that
the inspector general examine the actions of several specific
FTC employees.
I do not know how the chairman has reached these
conclusions since the committee has not yet spoken to a single
FTC employee. The committee just requested documents from the
FTC less than a week ago, and the committee has obtained no
evidence to support claims that the FTC officials directed
Tiversa employees to fabricate information. To the contrary,
every single current and former Tiversa employee interviewed by
the committee staff has uniformly denied receiving any requests
from FTC employees relating to fabricating information.
In response to the chairman's request for an investigation,
the inspector general has now informed the committee that one
of the employees named in his letter in fact was, ``brought in
to assist with the LabMD case after Tiversa was no longer
involved, and she has not been working on the case for the past
year.'' As I close, it appears that some of the chairman's
information was incorrect.
I am sure we will hear a lot of allegations today from
parties in this ongoing litigation. Our job is not to take
sides, but rather to serve as the neutral overseers and base
our conclusions on the facts and the evidence.
The consequences of having personal information compromised
can be devastating. As the new Republican majority leader Kevin
McCarthy has said, ``Nothing can turn a life upside down more
quickly than identity theft.'' I agree with him. That is why I
wrote to Chairman Issa in January proposing the committee
examine the massive data security breach at Target, which may
have compromised the personal information of more than 100
million American consumers. Instead of holding hearings like
today's, which seeks to cast doubt on whether the FTC even has
the authority to protect our constituents, the consumers, the
American consumers, I hope the committee will turn to
constructive efforts to improve corporate data security
standards across the board. And I thank you, Mr. Chairman.
Chairman Issa. I thank the ranking member.
Today's hearing concerns the Federal Trade
Commission and information this committee has uncovered that
raises some important questions. As long as I have been
chairman, and as long as I am chairman, this committee will
focus, as its name implies, on government oversight and
reform. It is not for us to look first to the private
sector. It is not for us to issue subpoenas and target private
sector for their beliefs, for their practices, or for the
failures that they certainly are paying a high price for, as
Target is and should.
During my tenure, healthcare.gov was launched. Anyone of
ordinary skill could have gone into the Web site, changed a few
statements, a few of the letters in the top of the screen,
while looking at their record, and seen somebody else's record
at the launch. On a billion-dollar Web design, it was
vulnerable to ordinary hacking and accidents at the time it was
launched.
The FTC did not sue President Obama or any of the chief
information officers responsible for this failure. They did not
sue the Secretary. They did not even sue the companies who
delivered this shoddy work. Instead these were systematically,
when discovered, corrected at taxpayers' expense. That was the
right thing to do. When mistakes are made, when vulnerabilities
are recognized, it's the responsibility of the entity to do its
best to fix them.
If the Federal Trade Commission was overseeing companies
whose vulnerabilities are exposed, demanding that they fix it
or face the consequences, absolutely we would say they were
doing their job. If the Federal Trade Commission had even
published a best practices minimum requirement for data
security, we would be able to say that the law was clear, and
that somebody failed to live up to those stated guidelines. But
none of these exist. The Federal Trade Commission cannot tell
you what is right; they only will come in and demand a consent
decree if, in fact, you, through fault or no fault of your own,
become a victim of hacking or a recognition of a vulnerability.
The FTC is using its regulatory authority not to help
protect consumers, but, in fact, to get simple consent decrees
using the unlimited power it has to not only sue at government
expense, but to force you before administrative law judges
that, in fact, are part of the executive branch. Millions of
dollars will be spent attempting to defend yourself against the
Federal Trade Commission even if you are right. And what if
you're wrong? What if you're wrong? What if something happened?
What is your choice?
Several years ago, under Chairman Waxman, I watched a
demonstration of a vulnerability created by a third-party
software that people were using to share music. I'm a techie. I
was impressed. I saw that this software was downloaded by
hundreds of thousands of people, put onto computers they owned
or didn't own, and it created a vulnerability. It was
deceptive--at least according to testimony, it was deceptive in
how it did it. And our own people loaded the software and
agreed that when you loaded it, the default would make the hard
drive of the computer it was loaded on vulnerable in every one
of its directories, when, in fact, you were really only
attempting to make your music directory available for sharing.
In both public and private systems around the country, this
software was downloaded and created what people thought was a
peer-to-peer music sharing, and, in fact, created a
vulnerability in which people could look at what was on your
hard drive.
We were aghast. We thanked our witnesses for making us
aware of it, and we committed ourselves to stop the deceptive
practice of this software company, something over which the FTC
had authority and should have acted.
But, in fact, what we are finding is that what we were told
was only a part of the story. When information does--the
question today is how is the FTC using that regulatory
authority, and are they doing their job? Are they targeting the
culprit or the victim? What information does the agency
consider to be a reliable basis to embark?
Mr. Lynch. Mr. Chairman, could I ask you why the clock is
not running on any of this?
Chairman Issa. We didn't stop the ranking member from going
as long as he wanted, well over the time. That's the practice
of the committee. I thank you.
Mr. Lynch. That's a good answer. Thank you.
Chairman Issa. What information does the agency consider to
be a reliable basis to embark on often erroneous inquisitions,
in the chairman's opinion, into the activities of American
companies?
The committee held two hearings in the past, as I
mentioned, one in 2007 and another in 2009, about the potential
for individuals using peer-to-peer file-sharing programs to
inadvertently share sensitive or otherwise confidential
information. The key witness in both of these hearings was Mr.
Robert Boback, the CEO of a cyber intelligence firm, Tiversa,
Incorporated. That CEO outlined numerous data breaches that
deeply troubled members of the committee.
Mr. Boback specifically spoke about an Open Door Clinic, a
nonprofit AIDS clinic in Chicago's suburbs in 2009. He said,
``These are AIDS victims, 184 patients, who are now victims of
identity theft. The clinic released their information and has
not addressed it.'' But the Open Door Clinic has told us they
have no information of any of their patients having had their
identities stolen. We do not know why Mr. Boback made the claim
to this committee previously, and we will hear that today.
Earlier this year this committee became aware, on a
bipartisan basis, of serious accusations that Tiversa engaged
in a business model that was not focused on protecting
consumers alone, but obtaining what we would say effectively is
a new form of protection payments from businesses. As is often
the case with protection payment demands, many businesses that
did not pay up faced serious consequences.
Here's how it worked. Tiversa would contact a company or
organization and tell them that they had engaged in a practice
that left customers' data vulnerable. Tiversa would offer to
sell the company or organization remediation services. Many
companies took their services and paid, at least for a while.
Others refused and found themselves turned over to the Federal
Trade Commission.
The cost and concerns created by an FTC investigation can
be immense, particularly to a small business that in many cases
were the ones that Tiversa focused on. But this isn't just
about allegations of unethical corporate behavior. The
committee has asked the Federal Trade Commission to provide us
with evidence that it independently verified information
provided by Tiversa about businesses before pursuing action. As
the ranking member said, it's been a short time, but having
engaged in suits, received consent decrees, and litigated for
years, we expected that the Federal Trade Commission would be
able to give us at least a few examples of independent
confirmation immediately. We are still waiting for the FTC to
show us such evidence. We look forward to it. And as I will say
again, we look forward to hearing from the FTC in the future
directly.
It's one thing for a company like Tiversa to report all of
its concerns about consumer data breaches to appropriate
authorities. It's quite another when enforcement authorities
are selectively used, through a special relationship, to punish
firms who refuse to pay for those services.
The committee has reason to believe that information
provided by Tiversa on which the FTC relied was inaccurate. Two
of our witnesses this morning were approached by Tiversa and
the FTC regarding data breaches. Tiversa provided information
that alleged data breaches in these organizations to--about
these breaches in these organizations to the FTC only after
they refused to sign up for Tiversa's services.
Mr. Daugherty, the CEO of LabMD, according to my opening
statement, has been to hell and back. I don't think he's gotten
back yet. In fact, his fight with the FTC has gone on for
years. The Commission wanted him to acquiesce to a consent
decree admitting that he did not take proper precautions to
avoid data breaches.
Given that Mr. Daugherty did not believe the allegations
against him were true or fair, he fought back, and he did so at
great personal expense. His specialized cancer-screening
company is now effectively nonexistent.
I will let Mr. Roesler explain his experience with Tiversa
and the tribulations he experienced thereafter, but I
especially want to thank him for being here today. Mr. Roesler
runs, as previously mentioned, a nonprofit AIDS clinic near
Chicago, Illinois, and has taken time away from his important
work and agreed to join us this morning because of how
important he believes it is to tell his story.
I also want to thank Mr. Stegmaier for appearing this
morning. He will be providing invaluable testimony about the
FTC's actions as they relate to going after companies that are
alleged to have unfair, deceptive trade practices.
Today's hearing is an opportunity to hear from alleged
victims of these arrangements made between Tiversa and the
Federal Trade Commission. Neither the FTC nor Tiversa are here
today, but I do expect to have both of them here at a future
date to respond to the concerns and allegations that I expect
we will hear today.
Today's hearing is the result of a whistleblower who at
great personal expense came to this committee. This committee
is grateful to all the brave individuals who come forward to
provide information as whistleblowers. It is only through
whistleblowers that we see an exposure of wrongdoing by the
government as well as private companies. Whistleblowers are not
always without responsibility. Whistleblowers may, in fact,
know what they know because for a time they participated in the
wrongdoing. Nevertheless, whistleblowers are invaluable. When
someone's conscience, whether they were involved or not, brings
them forward, they should never be the target of this
committee.
This whistleblower gave us a proffer, seeking immunity only
for what he was to testify to that he had done on behalf of
Tiversa. He detailed for this committee information that was
invaluable to our ongoing--to our investigation, which is only
ongoing because of his coming forward.
At a point in the future, I expect this committee will need
to schedule a vote on granting immunity for this whistleblower.
To date, we have not been able to convince the minority to
consider immunity for this whistleblower. Instead, at every
turn the minority has chosen to seek accusations against the
whistleblower; against his personal wrongdoing, his personal
misconduct, his personal life. But, in fact, to our knowledge,
no evidence has come forward that would in any way dispute the
accuracy of the detailed story that he told.
For those Members here on both sides of the aisle, if you
have not already seen his video proffer of how he participated
in the activity, I ask you to schedule time, Members only, to
see this proffer, because as we consider immunity, it is
important that you understand the nature and detail of the
evidence and accusations brought by this whistleblower.
I make no credible statement as to a whistleblower's
authenticity. What I can say in this case is without the
whistleblower, we would not be having this hearing today. And
if the whistleblower is guilty of a crime, the crime had to be
committed by others that he is accusing. There can be no crime
if, in fact, he is not telling the truth. And if he is telling
the truth, he participated in a deception that affected both
the Federal Trade Commission and the United States Congress.
I would ask all Members, please, take time out of your busy
schedule to view the proffer. It is detailed, it takes nearly
an hour, but it will lead, I believe, to the kind of
recognition that you cannot see here today in an open hearing.
It is now my honor to welcome our witnesses.
Mr. Michael Daugherty is the chief executive officer of LabMD.
Mr. David Roesler is executive director of Open Door Clinic in
Illinois. Mr. Gregory Stegmaier is a partner at Goodwin Procter
in D.C., in Washington, D.C. And Mr. Woodrow N. Hartzog is an
associate professor at the Cumberland School of Law at Samford
University.
Gentlemen, pursuant to the committee rules, would you
please rise to take the oath and raise your right hand?
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
Please be seated.
Let the record indicate that all witnesses answered in the
affirmative.
For our first two witnesses in particular, you are here to
tell your story. I know testimony is new to you. We have a 5-
minute rule. Your entire opening statements as prepared will be
placed in the record. But I understand that you may go over
slightly. We are not going to hold you exactly to 5 minutes,
but to the greatest extent possible, try to stay within the 5
minutes, which will help us ask you more questions in follow-up
dialogue.
Mr. Daugherty.
WITNESS STATEMENTS
STATEMENT OF MICHAEL DAUGHERTY
Mr. Daugherty. Thank you.
Good morning, Chairman Issa, Ranking Member Cummings, and
members of the committee. My name is Michael Daugherty, and I
am the president and CEO of LabMD, a cancer-detection
laboratory based in Atlanta, Georgia. We were a private company
that I founded in 1996, a small medical facility that at its
peak employed approximately 40 medical professionals who
touched nearly 1 million lives. Thank you for the opportunity
to speak to you as a small businessman and medical professional
about my experience and opinion at the hands of the Federal
Trade Commission.
What happened to my company, its employees, physicians, and
their patients is what springs from the FTC's unsupervised
playbook, and that playbook relies upon coercive and
extortionist strategies to make large and small companies alike
quickly succumb to FTC demands.
In May 2008, our nightmare began with a call that could
happen to any American. It was from Robert Boback, the CEO of
Tiversa. And in the words of former FTC Commissioner Rosch,
Tiversa is more than an ordinary witness, informant, or
whistleblower. It is a commercial entity that has a financial
interest in intentionally exposing and capturing sensitive
files on computer networks.
Mr. Boback told LabMD that Tiversa had found LabMD patient
data on the Internet, but refused to tell us more unless we
paid and retained them. Everyone in medicine knows you cannot
go out intentionally looking for vulnerable medical files so
you can take them, read them, keep them, distribute them. This
is probably a crime, but it's definitely vigilante behavior,
and it's outrageous.
In January of 2010, Alain Sheer, an attorney with the FTC,
contacted LabMD with an 11-page, single-spaced letter opening a
nonpublic inquiry. We responded by sending in nearly 10,000
pages of documents, and we invited the FTC to come to Atlanta
to see our facility, to tell us what to do differently, to tell
us what their standards were. The FTC declined. We quickly
discovered that until told otherwise by the courts or Congress,
the FTC presumes to have jurisdiction to investigate any
company or person.
When we asked the FTC where they were going with this, they
would obscurely mention consent decrees, and we learned that
FTC consent decrees actually are this: You sign up for 20 years
of audits, you enter the FTC ``hall of shame'' via craftily
worded press releases and half-truth congressional testimony.
The fact that you have not been found any wrongdoing stays
buried deep in the fine print. And the threat of being tied up
for years in court and drained financially is their gun to the
head to extract false confessions.
In August 2010, I had to find out what was going on here,
because something felt odd and wrong. And I learned that
Homeland Security gave $24 million to Dartmouth to partially
fund their data hemorrhage study. And Dartmouth stated that it
got the LabMD file by using Tiversa's unique and powerful
technology.
Tiversa put out a press release in May 2009 I found, which
in part stated, Tiversa--this is their words--``Tiversa today
announced the findings of new research that revealed 13 million
breached files emanating from over 4 million sources. Tiversa's
patent-pending technology monitors over 450 million users,
issuing 1.5 billion searches per day. Over a 2-week period,
Dartmouth College researchers and Tiversa searched file-sharing
networks and discovered a treasure trove, a spreadsheet from an
AIDS clinic with 232 client names; a 1,718-page document from a
medical testing laboratory. And requiring no software or
hardware, Tiversa detects, locates, and identifies exposed
files in real time.''
What does Tiversa want you to think ``exposed'' means? Out
of 13 million files found by Tiversa, how odd is it that the 2
mentioned in their press release are sitting at this table
today?
I was stunned that nobody was asking who this private
company was who was stockpiling other people's sensitive
information. What gave them the right to assume ownership?
From September 2013 to April 2014, the FTC pursued
litigation against LabMD via their optional administrative
process rather than in Federal court. FTC Commissioner Wright said this
process provides the FTC with institutional and procedural
advantages. This is lawyerspeak for the FTC stacks the deck way
in favor via rules Congress allows them to make. They admit
hearsay that would never fly in Federal court, which is why we
aren't in Federal court. Federal courts won't intervene because
Congress says they can't.
When asked about the FTC data security standards, Alain
Sheer said, ``There is nothing out there for a company to look
at. There is no rulemaking. No rules have been issued.'' Yet
even without any standards, they show others what happens if
you push back. They subpoenaed approximately 40 different
individuals from my company, long-gone LabMD employees that
left the company up to 7 years before, current staff, managers,
outside physicians, vendors. These witnesses were forced to
retain counsel and were intimidated and scared. Here is the
message to all that are watching from the FTC: This is FTC
justice, and this is going to happen to you if you don't play
along.
And then the penny dropped. During the trial, a former
Tiversa employee who was to testify regarding Tiversa's
acquisition of LabMD data and subsequent submission of the data
to the FTC invoked his Fifth Amendment right against self-
incrimination.
All Americans should be outraged by the FTC's unchecked
ability to pursue a claim that is not based on any legal
standard; outraged that the FTC's administrative proceedings do
not afford the same guarantees of due process that our Federal
courts provide; and outraged with the FTC's use of, and
reliance upon, information from a private for-profit entity. If
this has happened to LabMD, a small medical facility, a cancer-
detection center, this can happen to anyone.
This does nothing to help Americans adapt to the constantly
changing cybersecurity landscape. We are not mind readers; we
are law-abiding citizens. I call on the FTC to stop attacking
victims of crimes. And I thank the committee for its time and
attention to this matter.
Chairman Issa. Thank you.
[Prepared statement of Mr. Daugherty follows:]
Chairman Issa. Mr. Roesler.
I'm sorry, you're finished, right?
Mr. Daugherty. Oh, yeah.
Chairman Issa. Thank you.
Mr. Roesler.
STATEMENT OF DAVID ROESLER
Mr. Roesler. Good morning, committee members. My name is
David Roesler. I am and have been the executive director of
Open Door Clinic in Elgin, Illinois, the far western suburbs of
Chicago, for the past 15 years. I am appearing today in
response to an invitation to testify on behalf of Open Door
regarding its involvement with the FTC and a company called
Tiversa.
Between September of 2008 and March of 2013, Open Door was
involved in a class-action lawsuit due to a file that was found
on the Internet that contained names, some with Social Security
numbers, some with addresses, some with birth dates.
Open Door is a small, not-for-profit AIDS organization.
Currently we have about 30 employees. We had about 15 during
this time. We provide medical care, support services for our
clients.
In July of 2008, a company called Tiversa contacted Open
Door and said that they had had access to a confidential
document obtained from a P2P network on the Internet.
Communications with Tiversa included a contract for services.
The suggested fees for the contract were $475 an hour. We
contacted our IT service provider, who researched our network;
found no evidence of any P2P networks at that time.
In September of 2009, Tiversa contacted Open Door again to
report that documents were still available on the P2P software.
Open Door's IT provider once again reviewed its network to
confirm that there was no evidence of any P2P software at that
time.
Two months after that, in November of 2009, clients began
calling their case managers at the clinic, reporting that they
were receiving phone calls from a law firm asking them to join
a class-action lawsuit because their information had been
released by Open Door. At Open Door's November board meeting,
shortly after the clients started calling, one of the board
members is a client. He brought in a letter that he got in the
mail, also from this out-of-State law firm, telling them that
they had their information out on the Internet, and would they
join a class-action lawsuit.
Then in January of 2010, we received a letter from the FTC.
The letter indicated that they had found a file on a peer-to-
peer network, and it had a different title than the document
that had been reported found by Tiversa.
Also in January that same month, in 2010, Open Door was
successful at getting a law firm to provide us some pro bono
work to help us understand what our compliance and
responsibilities were. Open Door and its IT provider once again
reviewed our network, all of our workstations to confirm that
there was no P2P software at that time.
In February, a month later, February of 2010, a class-
action lawsuit was filed in Kane County against Open Door.
Sensational newspaper headlines; numerous media outlets began
showing up at our door. And 3 years later Open Door's
settlement agreement was approved by the court, dismissing the
class action. Open Door and its insurers agreed to these
motions.
Open Door denied, and continues to deny, any legal
responsibility for the disclosure. Had the case been tried, we
would have expected to prevail, but because of the
uncertainties, the expense of litigation, Open Door and its
insurers agreed to terminate this litigation under these terms.
Thank you for letting me tell my story.
Chairman Issa. Thank you.
[Prepared statement of Mr. Roesler follows:]
Chairman Issa. Mr. Stegmaier.
STATEMENT OF GERARD M. STEGMAIER
Mr. Stegmaier. Mr. Chairman Issa, Ranking Member Cummings,
members of the subcommittee, my name is Gerry Stegmaier, and
I'm pleased to be here today to discuss the Federal Trade
Commission's data security enforcement activities under Section
5 of the FTC Act. The views I express are my own, not of our
clients or of our firm.
I'm a partner at Goodwin Procter LLP, and an adjunct
professor at George Mason University School of Law, where I've
taught privacy, consumer protection, and constitutional law
courses for the last 13 years. I regularly appear before the
Federal Trade Commission, State attorneys general, and assist
businesses with all aspects of their privacy and information
governance concerns. I appreciate the opportunity to appear
before you today.
In 2013, there were 63,437 reported security incidents, and
1,367 confirmed data breaches. That is not a number reporting
the number of accessible information, which is one of the
things that Mike spoke about. According to Verizon's 2014 data
breach investigation report, 44 million data records across the
globe have been exposed.
Companies are aware of the need for data security, and have
taken steps to be more secure. Data security is important to
consumers, the economy, and business, but equally important is
the basic constitutional principle that people have a right to
know what the law expects of them before we prosecute them.
I think a simple analogy helps illustrate this in practice.
When we want people to regulate how fast they drive their cars,
we post speed limit signs. If you violate that posted limit,
and the sign has been there for more than 60 days, you will
likely receive a citation. The law calls this fair notice, and
the Constitution protects us from government overreach with it.
It is the shield that protects us from the deference that
agencies receive.
While this analogy may not be a good one, it's important to
note that it represents the feelings of many organizations that
confront FTC enforcement actions relating to data security.
The agency has offered no formal rulemakings or
adjudications related to data security, and the FTC appears to
regulate data security primarily through complaints and consent
orders, as we've heard. Neither the complaints nor the consent
orders are binding, reliable precedent. They are
nonprecedential. Some might call this stop-and-frisk black box
justice.
FTC complaints and consent orders are inconsistent and
often lack critical information. For example, it is often
unclear whether implementing some or all of the measures in a
given order would result in fair data security, or even serve
to avoid future enforcement actions had the underlying company
admitted them in the first instance or practiced them.
The FTC's often-repeated position, that security
standards can't be enforced in an industry-specific, case-by-
case manner without more guidance, provides little comfort to
those appearing before the agency. Because the FTC decides on
an individual and postinfraction basis whether a company is
noncompliant, the risk of enforcement actions is unimaginable
and unpredictable, as we have heard. The penalties that may
result from noncompliance are potentially ruinous. Combined
with ambiguity of the law, unnecessary compliance risks for
regulated entities have created a situation ripe for overreach,
unfairness, and an uneven application of the law.
The FTC's existing enforcement and guidance practices also
pose serious due process concerns relating to fair notice of
the law's requirements. The current enforcement environment
consists of aggressive enforcement against the victims of
third-party criminal hacking who operate in a realm without
clear and unmistakable data security law. Improved
authoritative--and I emphasize authoritative--interpretations
of Section 5 by the agency and the courts are crucial to
improve compliance and provide entities with sufficient
information to understand how to respond.
Let me be clear. The FTC has the means to more clearly
define the law and provide useful, reliable guidance. The
existing tools are there. Sadly, there's plenty of room for
improvement with the use of these existing tools, and
improvements are essential to clarify the underlying
uncertainty, which we have heard about, and, more importantly,
to address the constitutional issue of fair notice and due
process.
The current reasonableness test, absent additional
flexible, principles-based authoritative guidelines or court-
resolved litigation, will do little or nothing to clarify the
data security obligations of companies. Using the standards
``reasonable'' and ``appropriate'' without articulating such factors as
the nature of business, the kind of information collected, or
any other factors that may come into play may not ensure that
fair notice occurs.
In essence, we tell our clients, ``do what you say and say
what you do.'' We need to hear from the agency what they're doing
and what they're saying so that the people who are subject to
prosecution can understand how to respond and how to behave in
the first instance.
The FTC itself has not consistently defined what sensitive
information is, and without clarification, the agency's
enforcement will continue to be perceived as arbitrary, and we
will lack an understanding of reasonableness.
I thank you for your time and attention. I'm pleased to
answer any questions you might have.
Chairman Issa. Thank you.
[Prepared statement of Mr. Stegmaier follows:]
Chairman Issa. Mr. Hartzog.
STATEMENT OF WOODROW HARTZOG
Mr. Hartzog. Chairman Issa, Ranking Member Cummings, and
members of the committee, thank you very much for inviting me
to provide testimony today. My name is Woodrow Hartzog, and I'm
an associate professor at Samford University's Cumberland
School of Law and affiliate scholar at the Center for Internet
and Society at Stanford Law School. I am testifying today in my
personal academic capacity, and not on behalf of any entity.
For the past 2 years, my coauthor, Daniel Solove, and I
have researched the Federal Trade Commission's regulation of
privacy and data security breaches, which I will collectively
call data protection. We have analyzed all 170-plus FTC data
protection complaints to find trends and understand what the
FTC's data protection jurisprudence actually tells us. I would
like to make two main points regarding what I've learned about
the FTC's regulation in this area.
First, the FTC's regulation of privacy and data security
under Section 5 has served a vital role in the U.S. system of
data protection. The FTC's involvement has given a heavily
self-regulatory system of data protection necessary legitimacy
and heft. The FTC also fills significant gaps left by the
patchwork of statutes, torts, and contracts that make up the
U.S. data protection scheme.
The FTC's regulation of data protection also helps foster
consumers' trust in companies. It is very difficult for
consumers to determine whether a company has reasonable data
security practices or not. The FTC's regulation of data
protection helps give consumers confidence that their personal
information will be safe and properly used.
The second point that I would like to make is that the
overwhelming pattern that is apparent from the FTC's data
protection jurisprudence is that the agency has acted
judiciously and consistently in outlining the contours of
impermissible data protection practices. Section 5 of the
Federal Trade Commission Act generally prohibits unfair or
deceptive trade practices. This is an intentionally broad grant
of authority. Congress explicitly recognized the impossibility
of drafting a complete list of unfair, deceptive trade
practices. Any such list is destined to be quickly outdated or
easily circumvented.
Despite this broad grant of authority, the FTC actually
brings relatively few data security complaints, especially
compared to the total number of reported data breaches. The
Privacy Rights Clearinghouse has reported that since 2005,
there have been over 4,300 data breaches made public, with a
total of 868 million records breached. Yet the FTC has filed
only 55 total data security-related complaints, averaging
around 5 complaints a year since 2008. Instead of attempting to
resolve all of the data breaches, the FTC typically pursues
only what it considers to be the most egregious data security
practices.
The FTC has used a reasonableness standard to determine
what constitutes an unfair, deceptive data security practice.
What constitutes reasonableness is determined virtually
entirely by industry standard practices, and is contingent upon
the sensitivity and volume of data, the size and complexity of
a company, and the costs of improving security and reducing
vulnerabilities. This deference to industry keeps the FTC from
creating arbitrary and inconsistent data rules.
The FTC does not pull rules out of thin air. Rather, it
looks to the data security field and industry to determine fair
and reasonable practices. Virtually all data security
regulatory regimes which use a reasonableness approach, of
which there are many, not just the FTC, have four central
requirements in common: identification of assets and risks;
data-minimization procedures; administrative, technical and
physical safeguards; and data breach response plans. The
details of these requirements are filled in by industry
frameworks, accessible resources online, and a vast network of
privacy professionals and technologists dedicated to helping
companies of all sizes understand their data protection
obligations.
Of course there is always room for improvement with any
regulatory agency, but diminishing FTC power will probably not
ultimately make the climate easier for business. In fact, given
the vital importance of data protection in commerce, a
reduction in FTC authority would likely result in the passage
of more restrictive and possibly conflicting State laws
regarding data security, more actions by State attorneys
general, more lawsuits from private litigants, and more clashes
with the European Union over the legitimacy of U.S. privacy
law. In the long run, a weakened FTC would likely result in a
more complicated and less industry-friendly regulatory
environment.
Data protection is a complex and dynamic area for
consumers, companies, and regulators. Section 5 enables the FTC
to be adaptive and serve as a stabilizing force for consumers
and companies. Thank you very much.
Chairman Issa. Thank you.
[Prepared statement of Mr. Hartzog follows:]
Chairman Issa. I will now recognize myself for a round of
questioning.
Mr. Daugherty, there was an allegation by Tiversa that
there was a data breach. Have you ever seen any indication,
collateral indication, that that breach went to third parties
that resulted in any use of the identity information? Any?
Mr. Daugherty. Thank you, Chairman Issa.
As a matter of fact, no, sir, we have not.
Chairman Issa. Okay. Mr. Roesler, same thing. You put up
with years of a lawsuit. Did any of the complainants have any
demonstrated information that their identifiable information
had actually gone somewhere, or just that there was a
vulnerability?
Mr. Roesler. To my knowledge, there is none.
Chairman Issa. Now, if there was a breach, meaning it was
taken--you had, what was it, 184 records that were alleged? Mr.
Daugherty, you had thousands?
Mr. Daugherty. Correct. Nine thousand.
Chairman Issa. I've heard an expression that I'd like to
see if you all agree with. If you have thousands of records,
whether it is 184 in your case or many, many thousands, if they
have actually gone out to third parties somewhere, they've, in
other words, mined them, doesn't it defy gravity that none of
them have led to any use of that information in either of your
cases?
Mr. Daugherty. Yes, Chairman Issa, I would agree with that.
Chairman Issa. Okay. So I'm not a student of statistics,
but I had to take it in college. I certainly agree.
So the allegation that you're facing is that you had a
vulnerability, not an actual breach in reality, because a
breach would demonstrate some use. What they really said was,
Mr. Roesler, you didn't protect your site, you didn't have a
good enough lock on your site; is that correct?
Mr. Roesler. I believe so, yes.
Chairman Issa. Mr. Daugherty, same thing. Your lock wasn't
good enough.
Mr. Daugherty. That's correct, sir.
Chairman Issa. Now, the American people may not understand
cybersecurity at this point, but they understand the padlock on
their front door, their garage door opener. And I just want to
put it in perspective for a moment.
Ninety percent of the garage door openers made before the
year 2000, a product that simply takes the chip and
sequentially goes through the combinations, will open every one
of those garage doors. Before 2000, the vast majority of garage
doors, simply you had to go through anywhere from 250 to a few
thousand combinations, and eventually your garage door would
open. People haven't gone back and changed their garage doors.
Unless you have a Medeco key or a number of other very high-
security keys, if you have a typical key, it can be picked by
any locksmith.
So are these people leaving a vulnerability? Maybe yes,
maybe no. But I want to put it in perspective for both of you.
The allegation, as I understand it from previous testimony
before this committee, is effectively one of your employees may
have installed a program that was sort of the equivalent of
putting a little bit of bubble gum in the door latch so that
the door didn't really lock, and there was a vulnerability. In
both cases, as far as I understand, there was no allegation
that you instructed the employee to do it, or that you did it,
or that it was done with your knowledge. And, Mr. Roesler, I
understand in your case you never found the alleged peer-to-
peer; is that correct?
Mr. Roesler. That's correct. And I don't know that the
allegations were ever about an employee. Simply that a file
that Open Door had created had gotten out.
Chairman Issa. Right. But a file that was never found
except in the hands of Tiversa.
Mr. Daugherty. Same. As a matter of fact, if you look at
the FTC's press release announcing the litigation, they never
used the word ``breach.'' That's correct, sir.
Chairman Issa. So we're not talking about a loss of data,
we're talking about the vulnerability, the same vulnerability
that every time a notebook like this or a computer notebook
walks out of a government office with personal information on
it, like it did in the case of the famous VA one where somebody
simply left their notebook, and a million veterans'
identifiable information was there, it's a vulnerability. If it
actually occurs, it occurs because of a human failure in most
cases, not because of an inherent system failure.
Mr. Daugherty, you were running a dotcom. Did you have
professional advice and counsel, and did you buy software to
protect against this type of thing?
Mr. Daugherty. We ran a medical laboratory.
Chairman Issa. But, I mean, you had an online presence.
Mr. Daugherty. We had an online presence.
Chairman Issa. Mr. Roesler, same thing. From your
testimony, you engaged professional outside people to give you
security.
Mr. Roesler. That's correct.
Chairman Issa. So you used what you would consider and
still consider to be maybe not best practices, but the best
practices you knew of and could afford, right?
Mr. Roesler. Yes.
Chairman Issa. We were told under oath by Mr. Boback twice
that, in fact, deceptive software was what they went out
looking for and found these breaches. And I just want to close
by asking just one question.
Mr. Roesler--and I keep mispronouncing it.
Mr. Roesler. It's Roesler.
Chairman Issa. Roesler. Mr. Roesler, in your case you had a
kind of a unique thing that I want to make sure you get a
chance to explain to us. A company, Tiversa, in Pittsburgh,
more or less, contacts you. Coincidentally a plaintiff's law
firm in Pittsburgh, Pennsylvania, as I understand it, forms a
class-action lawsuit and goes after you, and has the
information to contact those very people who they told you you
had this breach. So the law firm has the name of all your
clients; is that right?
Mr. Roesler. That's exactly right.
Chairman Issa. And they didn't get it from you. So in your
case you do have a breach. You know that somebody clandestinely
got your clients', your AIDS patients' information, gave it to
a law firm who then used it--and I ask unanimous consent that
the sample--we'll get it here in a second--letter that that law
firm sent out to every one of your patients--this is called
Serrano and Associates--and it says right on the bottom, this
is a solicitation to provide legal services. And is this a copy
for the ranking member? I'll give a copy to the ranking member.
You have seen that solicitation?
Mr. Roesler. Indeed.
Chairman Issa. So I just want to make sure for the record
that both sides understand. Tiversa contacts you and says
there's been a vulnerability, offers you to sell you the
services for nearly $500 an hour. You turn them down after
talking to your professionals, find no vulnerability. But then
a law firm has the very information they were talking about,
which obviously was gleaned somewhere, and probably off of your
servers or your drives. They--then it gets somehow to a law
firm, coincidentally in Pittsburgh, who then goes about
creating a plaintiff's--a class-action suit, contacts your
patients, who in no other way were contacted except by this law
firm, and proceeds to sue you for years.
Mr. Roesler. That is my perspective.
Chairman Issa. Okay. I now recognize the ranking member.
Mr. Cummings. Mr. Chairman, to indulge us before I ask my
questions, I would ask for just 1 minute to clarify a point for
the record with unanimous consent with regard to some
statements you made in your opening statement. May I?
Chairman Issa. Go ahead.
Mr. Cummings. Thank you very much.
The chairman made some points in his opening statement
about the potential immunity for a witness, and I take this
moment because, Mr. Chairman, everybody on both sides of the
aisle cares tremendously about whistleblowers. There is not one
person on this, Republican or Democrat, and our record has
shown that.
You said that the Democrats have been unwilling to consider
immunity. That's not accurate. We have said consistently and
repeatedly that we are willing to consider immunity. We
participated in the proffer. We viewed the video, as well as
many documents. At this stage the committee has not identified
evidence that would substantiate or corroborate the allegations
of this witness against other individuals.
The chairman also said that we have sought out negative
information about this witness in an effort to discredit him.
That's not true. The information came to us from the CEO of
Tiversa's attorney about criminal activity. Once we found out
about that, we wanted to know more about it. I mean, that's
just logical.
Chairman Issa. I thank the ranking member, and I would say
that this is perhaps outside the scope of this hearing. I would
also note----
Mr. Cummings. But you just made these allegations against
us. It's in the scope of the hearing because you put it in
there.
Chairman Issa. You asked unanimous consent. I granted it.
The fact is that my opinion in the opening statement will
stand.
I will say for the record, since you just said it, too, the
fact is your committee members have refused--even sitting here
in the House of Representatives, even inside a building with
total security, they have refused to meet with the
whistleblower, claiming that based on the allegations of Mr.
Boback and his attorney, that they are too afraid to, men and
women. So quite frankly, you can have your opinion--you can
have your opinion, Mr. Ranking Member, I will have mine.
Mr. Cummings. Very well. I will continue my 5 minutes then.
Chairman Issa. I will start your 5 minutes over in a
moment.
Mr. Cummings. Okay.
Chairman Issa. I have invited in my opening statement, and
with indulgence of the witnesses, all Members to look at the
video proffer, and all members of this committee to have access
directly to the whistleblower for purposes of continuing the
proffer.
I made it clear in my opening statement--and I will
reiterate it because I think the ranking member's point is
good--serious allegations about the personal life of the
witness have come forward. But, again, as I said in my opening
statement, allegations do not go to the direct claims of the
whistleblower as to the facts that he said in his proffer had
occurred.
So is the whistleblower claiming he did no wrong? Just the
opposite. The whistleblower has come forward with a proffer,
because, in fact, if he makes that testimony, he will do so at
the risk of prosecution. The whistleblower has already taken
the Fifth in another venue, and, as a result, qualifies for the
question.
Now, in the Lois Lerner case, Mr. Cummings, we had a
witness who you kept saying you wanted immunity for, but she
only said she was innocent. In this case we have an
individual----
Mr. Cummings. There you go again.
Chairman Issa. This individual, this individual came
forward and said wrongdoing occurred. It has led to today's
hearing. And I simply, in my opening, asked all Members to take
the time to look at the information individually, because I do
believe that to get a full understanding and cross-dialogue--
because everything that is brought out by our whistleblower is
subject to, in fact, credibility check as to the facts
brought--but that dialogue will not be possible unless the
whistleblower is granted the limited immunity as to exactly
what, and only what, he came forward with as allegations
against Tiversa, and, as a result, the FTC and perhaps false
statements made before this committee.
It is a serious claim, I take it seriously, and I ask all
Members to individually look at it. Mr. Cummings, most Members
have never seen any of it, and that's why I was making it
available today in open hearing to look at it and make their
own decisions.
And I thank the gentleman. Please restore his time to 5
minutes.
Mr. Cummings. Thank you, Mr. Chairman.
The chairman also said we had sought out negative
information about this witness in an effort to discredit him.
That is not true. The witness has engaged in numerous criminal
activities that go to credibility, and he failed to disclose to
the committee during his proffer, he failed to disclose them.
And some of these activities were occurring at the same time
that we were speaking with the--that he was speaking with the
committee.
Generally, I believe the committee should grant immunity to
witnesses who have admitted to engaging in criminal conduct
only in rare circumstances when those witnesses provide
concrete evidence of criminal activity by others. I appreciate
the goal of rewarding whistleblowers who come forward
voluntarily to identify waste, fraud, and abuse, and we have a
record of that. But I do not believe that immunity is a proper
reward when individuals provide evidence relating only to their
own wrongdoing.
Although we remain open--and I say, I want to be clear--
although we remain open to considering immunity should
additional evidence emerge, we cannot responsibly support
immunity at this time.
Now, according to the Republican memo for today's hearing,
one of the main topics is, ``whether the FTC has the authority
to pursue data-security enforcement actions under its current
Section 5 authority.'' So let's ask our witnesses.
Mr. Stegmaier, you have written extensively on this topic.
In one article, you wrote, ``The agency is the Federal
Government's largest consumer protection agency. The Commission
routinely investigates publicly reported data-related incidents
with the threat of subsequent litigation. Since 2000, the FTC
has brought 42 data-security cases.''
Mr. Stegmaier, with respect to the hearing question today,
I take it from your writings that you agree that the FTC has
the authority to bring enforcement actions under Section 5 to
protect the data security of consumers; is that right?
Mr. Stegmaier. Mr. Cummings, thank you. That is actually a
really great question, and I appreciate the way that you have
presented it.
At the outset, let me just note that I come before the
committee today with the understanding that the committee
sought my expertise and understanding specifically about fair
notice and due process concerns.
Whether or not the agency has jurisdiction is actually,
ironically, something that Congress has given the agency
incredible deference to determine in and on its own, and it's
actually subject to a number of pending lawsuits and
litigation.
So the answer to your question, I think, is that the agency
absolutely believes that it has such jurisdiction, but that
answer to that question hasn't been definitively resolved. And,
historically, under caselaw, the agency would receive such
deference.
But my focus is more on whether or not people who are going
to be subject to that deference, whatever the ultimate outcome
may be, have fair notice about what the law requires of them.
Mr. Cummings. Mr. Hartzog, you have also written
extensively on the FTC's work on data security, so let me ask
your expert opinion. Does the FTC have the authority to bring
data-security actions under Section 5?
And one of the things that we should all be concerned about
is a chilling effect. And I just wanted you to respond to that.
Mr. Hartzog. Sure. I think that, yes, the FTC does have the
authority under Section 5 to regulate data-security practices.
If you look at the plain wording of Section 5, it is
intentionally quite broad. There are limitations, so, you know,
there are limits as to what constitutes an unfair practice and
a deceptive trade practice. But, certainly, you know, given the
heft of both the opinion, the recent opinion, in the Wyndham
decision and the FTC's practice generally in the way that we
interpret statutes, the FTC has the authority to regulate data
security.
With respect to chilling effects, I think that the FTC has
proceeded in a pretty judicious and conservative manner with
respect to the regulation of data security, and so it is not
like there has been a dramatic lurch forward. As a matter of
fact, they have been inching along through several different
Presidential administrations basically along the exact same
course with no appreciable difference. And so I think that the
body of jurisprudence is actually sound in that regard.
Mr. Cummings. Professor, can you describe why it is
important for the FTC to exercise its authority over data-
security breaches?
Mr. Hartzog. Sure. There are several reasons. One is it
gives the U.S. system of data protection legitimacy and heft.
So many, for example, international agreements, like the EU-
U.S. Safe Harbor Agreement, are contingent upon the FTC being
able to regulate data security, particularly now that there are
questions about the strength of the U.S. data-protection
program.
Also, the U.S. system of regulating privacy is done in a
patchwork manner, so there is no one great law that regulates
data security across the United States. And what that does is
it leaves a number of different gaps. And the only statutes
that really--the only avenue by which we can provide a baseline
of data protection in the United States right now is Section 5
of the FTC Act.
And so Section 5 helps harmonize a lot of data-security
practices, and it also has been consistent with a lot of other
data-security regulatory regimes.
Mr. Cummings. You heard the testimony of Mr. Daugherty and
Mr. Roesler--by the way, gentlemen, I am sorry that you have
gone through what you have gone through. I spent my life
representing people who were not properly--they were improperly
accused.
But you heard their testimony. I was just wanting to get
your reaction to that. It seems as if there is a question--and
Mr. Stegmaier talked about this a bit--as to charging folks.
The way that folks are charged, they use data that--I think,
Mr. Stegmaier, you would agree with this, based upon what you
just said--that you might consider unfair charging. Would that
be a fair statement?
Mr. Stegmaier. I am not sure I understood----
Mr. Cummings. Okay.
Mr. Stegmaier. --precisely the question, sir.
Mr. Cummings. But you understand what I am saying, right,
Mr. Hartzog?
Mr. Hartzog. So I think that the allegations that have been
brought up are that there is not enough notice given to
companies and that they are expected to follow rules that they
say they don't know what they are.
The answer that I would give to that is that the FTC uses a
reasonableness test, and a reasonableness test for regulating
data security is the most common way, if you look across
regulatory regimes, to regulate data security. So the Gramm-
Leach-Bliley Act and HIPAA and many State regimes, all of them
use a reasonableness test.
And the way that you execute a reasonableness test is you
defer to some other existing body of standards, right? And so,
in this case, it is a complete deference to industry standards.
The FTC actually doesn't create the standard at all. Rather,
they say, what is industry doing? And there is a whole body of
study, so there are whole industries and fields of study
dedicated to what makes not just cutting-edge data security but
just industry-standard data security and best practices. And
that is what the FTC says you should look to to determine what
the baseline is.
And so the FTC actually isn't unique in its regulatory
approach. There are States and other statutory schemes that
utilize very similar approaches.
Mr. Cummings. Thank you very much, Mr. Chairman.
Mr. Daugherty. Can you explain to me, then, why the HIPAA
and HHS is not coming after LabMD?
Mr. Hartzog. I am sorry?
Mr. Daugherty. Can you please explain then, if you are
talking about industry standards--we are a medical facility. We
are under HHS and HIPAA. They have not come after LabMD or
cited anything.
Mr. Hartzog. Well, I actually can't speculate as to why.
There are lots of different reasons why claims are brought or
not brought.
Chairman Issa. It is a good question, but we probably won't
have any more between witnesses----
Mr. Daugherty. Sorry.
Chairman Issa. --if you don't mind.
But I do want to clarify just two things very, very
quickly. You said a body of jurisprudence. That would imply
that there have been decisions at the district and then the
appellate court. Are there any?
Mr. Hartzog. Well, we do have a decision at the district-
court level in the Wyndham case, but, actually, jurisprudence
can come from a number of different sources. And primarily, in
the case of the FTC, it comes from the complaints that they
filed.
Chairman Issa. Okay. So the consent decrees are a body of
jurisprudence where they sue and settle, and you are calling
that a body of jurisprudence. I just wanted to make sure that
is what you were talking about.
Mr. Hartzog. Well, not the consent decrees, but rather the
complaints that indicate what the FTC considers to be an unfair
and deceptive trade practice.
Chairman Issa. Okay.
And only one more quick one for Mr. Daugherty and Mr.
Roesler.
Were you given any safe haven or guidance by the FTC as to
how you could, in fact, not fall under unfair practices at any
time from the beginning until today, those so-called standards
that Mr. Hartzog has said exist?
Mr. Daugherty. Well, sir, thank you for that question,
Chairman Issa.
No. As a matter of fact, I stated, and as further indicated
in my written testimony, quite to the contrary. In briefs and
in quotations from the FTC, they argue they don't need to
promulgate rules or inform us of standards. And even their
experts said that we should Google them.
And this is just not a way to regulate an American industry
and economy, let alone the world of medicine.
Mr. Roesler. My response would be that----
Chairman Issa. Yes, of course.
Mr. Roesler. --the communication that Open Door received
from the FTC was one simple letter; it was a warning that we
received from them. There was no other communication. And
during that time, it was simply about a file being out, and
they listed the file.
Chairman Issa. So they just didn't pursue you, nor did they
give you guidance on how to remedy.
Mr. Roesler. That is my understanding.
Chairman Issa. And did you have something else you want to
follow up on?
Mr. Cummings. Just to follow up on--a friendly follow-up on
the chairman's question.
Mr. Hartzog, you just heard what they said. You talked
about a body of jurisprudence, and here you have folks who are
saying they had no idea what was going on. Can you react to
that?
Is that a fair statement, gentlemen?
You didn't----
Mr. Hartzog. I would actually say that it's not a fair
statement, nor is the FTC unique in requiring, you know, a
standard to which there is not, you know, to the utmost
specificity, right?
So, for example, in tort law, you are expected to build
products safely, but there is not a manual that you get when
you start designing products that says, you know, here are the
130 steps that you can take to make a product safe, right? You
actually look to industry standards, which is another thing
that is relatively common. And that is the kind of evidence
that is used to determine whether you are acting reasonably or
not.
Mr. Cummings. Thank you very much, Mr. Chairman.
Chairman Issa. I thank all of you.
I will tell you, as somebody who has set industry
standards, sat as a chairman of a trade association, I
understand that safe havens are critical, industry standards,
if you live up to them, you are supposed to get a level of
immunity, at least from persecution by your government. It
doesn't seem like that exists here.
Mr. Mica?
Mr. Mica. Thank you, Mr. Chairman.
And, Mr. Daugherty, you had Lab Med?
Mr. Daugherty. LabMD, sir.
Mr. Mica. Okay, LabMD.
And you had Open Door, Mr. Roesler?
Mr. Roesler. That is correct.
Mr. Mica. Two different activities.
Now, were you first notified by FTC that there was some
breach or some problem with your handling of data, Mr.
Daugherty?
Mr. Daugherty. We----
Mr. Mica. When did FTC notify you first?
Mr. Daugherty. They sent us an 11-page letter starting the
inquiry.
Mr. Mica. Before that, no?
Mr. Daugherty. No, sir. We were just under HIPAA.
Mr. Mica. And before that, no with you.
I am just trying to look at what took place here. So you
both are conducting your business or activities, and you both
get calls from this firm, Tiversa. And that was the first
notice that you had from anyone that you had problems as far as
data security.
Is that correct, Mr. Daugherty?
Chairman Issa. And I would only ask one thing, that
whenever you answer, make sure it is verbal. The clerk is not
allowed to write down a head nod.
Mr. Mica. Yeah, nods don't count.
So, Mr. Daugherty?
Mr. Daugherty. Yes----
Mr. Mica. When you first--I want to find out when you first
found out from some outside source that there was some breach.
Mr. Daugherty. The outside source, sir, was--the first one
was Tiversa in May 2008, and then the----
Mr. Mica. And Mr. Roesler?
Mr. Roesler. For Open Door, it was also Tiversa that
notified us first.
Mr. Mica. Okay. And that firm told you that they had, I
guess, been fishing or surfing, whatever the hell they did. And
then did they offer to help remedy your situation, Mr.
Daugherty?
Mr. Daugherty. They--well, yes, sir. They would not----
Mr. Mica. What was the offer?
Mr. Daugherty. The offer was----
Mr. Mica. How much an hour?
Mr. Daugherty. $475 an hour, with a 4-hour minimum, no
guarantee.
Mr. Mica. Mr. Roesler?
Mr. Roesler. It was $475 an hour.
Mr. Mica. And, Mr. Daugherty, what did you tell them?
Mr. Daugherty. I told them I was not interested until they
gave me more information.
Mr. Mica. Okay.
And, Mr. Roesler, what did you tell them?
Mr. Roesler. I didn't respond.
Mr. Mica. You didn't respond. Okay.
So, after your initial contacts, your first contact of the
breach, then you were later notified by FTC that there was a
problem, Mr. Daugherty?
Mr. Daugherty. Well, we were called by----
Mr. Mica. It was subsequent.
Mr. Daugherty. Later in 2008, we were told by Tiversa they
were giving it to Federal Trade Commission, and then Federal
Trade Commission contacted us 14 months later.
Mr. Mica. Uh-huh.
And Mr. Roesler?
Mr. Roesler. Yes, afterwards. Uh-huh.
Mr. Mica. Yeah.
And we tend to believe that FTC was informed or got that
information from that company. Would you assume the same thing,
Mr. Daugherty?
Mr. Daugherty. Yes, sir, I would.
Mr. Mica. What would you assume, Mr. Roesler? You gave it
to them? You called them up and said, ``We are doing this, and
you ought to investigate us?''
Mr. Roesler. Excuse me?
Mr. Mica. I am just--that was a joke.
Mr. Roesler. All right. Thank you.
So I don't know. I don't know the answer to that question.
If that is how----
Mr. Mica. But somehow they got the data.
Mr. Roesler. That is correct.
Mr. Mica. Well, to me, it looks like a little bit of an
extortion game from a company trying to make a few bucks off of
you guys, fishing and then coming after you. That is just my
assumption. Now, we don't have FTC and others in here. We will
have to find out more of what took place.
Part of this is that, you know, FTC was set up for a good
and noble purpose, and that is to deal with deceptive and
unfair trade practices. And we should have the right, too, to
have whistleblowers give them information. But a lot of the
discussions also went around the standards and what is fair.
But the standards do not exist specifically, Mr. Hartzog, as
part of the testimony. That is first.
And then, secondly, you made a good point, that we don't
want to clip FTC's wings to inhibit their power to go after bad
actors. Is that correct?
Mr. Hartzog. Yes, that is correct.
Mr. Mica. But if we find out, again, that the motivation
for this was their nonparticipation in this scheme, it doesn't
seem like they were treated fairly, one, and, two, that you two
were never given notice to correct the practice. Were you given
notice to correct what they considered----
Mr. Daugherty. Oh, we were just given endless questions for
years and then a suit. No. That was all we were given.
Mr. Mica. Were you given a remedial course or----
Mr. Roesler. In our letter, it was suggested that we----
Mr. Mica. Cease and desist?
Mr. Roesler. Something like that.
Mr. Mica. Remedy your situation?
Mr. Roesler. That is right. Look into it.
Mr. Mica. Uh-huh. Because I think, again, businesses need
to be notified by the regulatory agencies if there is a
practice, and then if they don't clean their act up--you didn't
devise those software systems, it was probably something you
purchased, that had a----
Mr. Daugherty. LimeWire was never even purchased. That is
just malware that was out there----
Mr. Mica. Uh-huh.
Mr. Daugherty. --that was put in by an employee with a
total lack of authorization.
Mr. Mica. But it wasn't a purposeful thing, and when you
found out, you tried to remedy it.
Mr. Daugherty. Absolutely, sir.
Mr. Mica. Mr. Roesler?
Mr. Roesler. We never had any evidence of having----
Mr. Mica. But when you found out, did you try to remedy it,
the situation?
Mr. Roesler. We just researched to find that we had no risk
of that. That was----
Mr. Mica. Okay. All right.
I yield back.
Chairman Issa. Okay. Thank you.
Mr. Hartzog, just to make sure, was LimeWire ever gone
after by the FTC for their deceptive practices of creating the
vulnerabilities?
Mr. Hartzog. I----
Chairman Issa. You have looked through the body of
jurisprudence.
Mr. Hartzog. I do not believe so, so I----
Chairman Issa. But they never went after the people who
created the vulnerability, just people who were victims.
Mr. Hartzog. Yeah, I don't--I am not privy to
investigations. I only know about the filed complaints. But as
far as I know, there was no filed complaint against LimeWire.
Chairman Issa. Yeah. That makes sense. They were probably
without deep pockets and too slippery.
The gentleman from Massachusetts, Mr. Tierney.
Mr. Tierney. Thank you.
Mr. Hartzog, apparently there was ultimately an agreement
or a decision that the companies that are testifying here today
did not live up to industry standards or some other measure of
reasonableness. Is that fair to say?
Mr. Hartzog. Yes, that is fair.
Mr. Tierney. All right. So in that determination by the FTC
of whether or not they complied with the reasonableness on
that, is the sophistication of the company, the size of the
company, the resources the company might have for establishing
secure IT, the danger of the release of their data, are all of
those factors in that determination of reasonableness?
Mr. Hartzog. Absolutely. That is one of the reasons why a
one-size-fits-all checklist for data security will never work,
because it is far too dependent upon variables like that. And
so, of course, large companies, large tech companies--you know,
Microsoft and Amazon and all these others--are expected to have
significantly different and probably more robust data-security
practices than, say, smaller businesses. Now, of course, there
is a baseline for everyone collecting personal information, but
it varies wildly as to what is constituted in any given
circumstance.
Mr. Tierney. So is there an FTC process where, when they
become notified that a problem may exist, they notify the
individual and give them an opportunity to cure?
Mr. Hartzog. Because I am not privy to a lot of the
internal investigations within the FTC, I am unable to answer
that question.
Mr. Tierney. Mr. Stegmaier, do you have any information on
that, whether or not the FTC as a matter of course, when they
have an allegation or a concern that somebody may not be being
reasonable in securing their IT, they give that company an
opportunity to cure before they take action?
Mr. Stegmaier. I have never had an experience in 13 years
of doing this where they proffer the opportunity to cure in the
manner that I think you are suggesting.
I have had a number of nonpublic resolutions, many, many
times. But I haven't had this sort of, I think in the
chairman's words, safe-harbor situation where they say, ``We
have brought this to your attention, we see that you have taken
corrective measures, and we have determined that that, you
know, is in fact good enough.'' In fact, it is their practice,
in part of Mr. Hartzog's analysis, that the agency doesn't
typically issue what would be referred to as a closing letter
for investigations.
But in my, you know, private, personal capacity appearing
before the agency representing clients, the characterization
you described is not consistent with my experience.
Mr. Tierney. Are either Mr. Hartzog or Mr. Stegmaier
familiar with a situation where their clients were notified, as
Mr. Roesler was, that you apparently have a problem and then no
further action was taken because your client did something
about it?
Mr. Stegmaier. So it hasn't been my experience that the
agency is typically calling to the attention of individual
companies incidents or situations, but, rather, they come,
investigation in hand, with an investigatory posture, trying to
figure out what happened, rather than more a notice and
corrective posture.
But, to be clear, I am aware of numerous cases where the
agency has chosen not to continue investigating.
Mr. Tierney. Okay.
Is that similar to your information, Mr. Hartzog?
Mr. Hartzog. That's correct, based on my information.
Mr. Tierney. Thank you.
Mr. Roesler, you received a letter from the FTC notifying
you that they believed you had an issue and suggesting that you
do something about it.
Mr. Roesler. That's correct.
Mr. Tierney. All right. And what you did about it, you
said, was you went and rechecked again to see if your people
could find anything on the peer-to-peer; is that right?
Mr. Roesler. What I said was that our IT subcontractor
looked at our network to see if there was any P2P software
within our network or on any of our computer laptops, any work
stations.
Mr. Tierney. Did you at all do any research or ask your
legal counsel, your IT subcontractor, to do some research about
what the best practices in your industry were and whether or
not you were, in fact, complying with those?
Mr. Roesler. Indeed, we did.
Mr. Tierney. And what was the result of that?
Mr. Roesler. The result was that we were meeting those
standards, our network was secure, and that we were compliant.
Mr. Tierney. And did the FTC ever take any follow-up action
against you?
Mr. Roesler. None that I am aware of.
Mr. Tierney. Thank you.
Mr. Stegmaier and Mr. Hartzog, again, your help, if you
would. When a determination is made by the FTC that there is
noncompliance or that there is an unfair or deceptive practice,
are the penalties automatic, set at a certain amount once it is
found? Or is there discretion for the FTC to take into
consideration mitigating factors?
Mr. Stegmaier. So the agency doesn't actually have
statutory penalty authority. They enter into a consent decree,
which typically doesn't have a monetary penalty or a remedy.
As to the factors that they use in terms of how they decide
which cases to prosecute or which cases not to prosecute, I
would respectfully disagree with Mr. Hartzog in the sense that,
having done this for a long, long time, the precise motivations
and contours of what constitutes reasonable behavior and
reasonable information-security behavior from the perspective
of the agency that's authoritative is no more clear to me today
than it was 13 years ago.
Mr. Tierney. I am going to let you guys fight that out
offline here on that.
So if there's not a monetary penalty, what is the nature of
the action that the FTC takes ultimately?
Mr. Stegmaier. I think one way to think about it is to have
a new board member who helps supervise your privacy and data-
security process for the next 20 years, including, typically,
biennial privacy and data-security audits through an approved
third-party contractor who essentially will, you know, audit
and review your processes and report to the agency.
Additionally, they have a tool which they call--is commonly
referred to as fencing-in relief, through which, once you're
under an order, you are subject to financial penalties if you
should violate the order. And, in my experience, it's not
uncommon for companies to spend as much as a half-a-million
dollars a year or more simply to undertake to comply with the
underlying orders.
So I would respectfully disagree with Mr. Hartzog to the
extent that it takes into account the nature and size of the
underlying companies. In fact, my experience has been the
opposite, that the size of the company doesn't dictate what
level of security the agency seems to believe is required in a
number of instances.
Mr. Tierney. And I assume that----
Chairman Issa. The gentleman's time has expired.
Mr. Tierney. Can I ask unanimous consent for one further
question?
Chairman Issa. As long as it doesn't take another minute
and a half extra, go ahead.
Mr. Tierney. I'll do my best.
And the cost of this, sort of, outside entity or auditor
that you're talking about is borne by whom?
Mr. Stegmaier. Entirely by the company, sir.
Mr. Tierney. Thank you.
Chairman Issa. Thank you.
Mr. Walberg.
Mr. Walberg. Thank you, Mr. Chairman.
And thanks to the witnesses for being here.
Mr. Stegmaier, if you could just further help me to
understand, what are the FTC standards for determining whether
or not a company's data-security practices violate Section 5?
Mr. Stegmaier. Thank you very much, sir.
A couple of things. The articulated standard is one of
reasonableness, and that is the extent of the standard.
I note that for the folks that are here today--and I think
this is important for the committee to understand--I think that
we learned from Mr. Roesler and Mr. Daugherty that there were
initially begun investigated--the investigation in 2008. It
wasn't until 2011 that the Federal Trade Commission issued a
best-practices guide identifying a number of recommendations
that it thinks are required for reasonable security.
But to answer your question I think more directly, the
troubling thing about that guide and the thing that has been
difficult for many companies is, if you asked me to identify
which, if any, of those items that they identify as best
practices are legally required, I could not tell you.
Mr. Walberg. So this is an evolving notion, as it were.
Mr. Stegmaier. Absolutely. And I think the agency itself
has taken that position repeatedly. The agency takes the
position that it needs flexibility because technology is
changing, what we think is privacy is changing, data security
is changing.
Mr. Walberg. Well, what, then, gives the FTC the authority
to take enforcement on these evolving actions, especially in
what's considered reasonable?
Mr. Stegmaier. Sure. So, as Mr. Hartzog identified, the
language of Section 5 is incredibly broad, and courts have
generally given deference under what's known as the Chevron
deference--Chevron case to agencies to determine their own
jurisdiction. So, unless that exercise of jurisdiction is
arbitrary or capricious, for the most part, absent Congress
stepping in, the agency's determination, you know, will prevail
unless or if a court disagrees.
And, as I mentioned to the chairman earlier, there are a
number of cases pending that challenge exactly this question.
Mr. Walberg. Mr. Hartzog, do you agree or disagree that the
FTC should be taking the lead in establishing new regulations
governing data-security practices?
Mr. Hartzog. Well, I think that the FTC certainly plays the
pivotal role and should play the pivotal role in establishing
data-security regulation in the United States, but I do think
that it's wise for the FTC to continue to defer to industry
standards rather than try to make up their own standards, but,
rather, follow what industry has determined is reasonable and
appropriate data security. Because I think that that kind of
deference keeps the FTC from acting in an arbitrary or
inconsistent way.
Mr. Walberg. So, in other words, kind of a shared
partnership lead?
Mr. Hartzog. That's right. So it's a co-regulatory regime,
right, where you let industry say this is what is reasonable in
our field, and then the FTC then looks to that to determine
which companies have gone beyond the boundaries of
reasonableness.
Mr. Walberg. Mr. Stegmaier, can a business owner look up
the rules for data security to make sure a business is in
compliance?
Mr. Stegmaier. So if you're subject to the Health Insurance
Portability and Accountability Act, you can. In fact, the HHS
has issued privacy and data-security regulations. The Federal
Trade Commission has not.
If you are a financial institution subject to the Gramm-
Leach-Bliley Act, there has been notice-and-comment rulemaking;
you can look up those regulations. But, again, if you're
subject to the FTC's jurisdiction----
Mr. Walberg. You can't.
Mr. Stegmaier. --you cannot.
Mr. Walberg. A pattern is emerging.
Mr. Daugherty, did you know where to look up the rules or
informal policies that governed FTC data-security practices
before you were contacted by FTC?
Mr. Daugherty. No, sir, because there were none. I mean,
we've had professionals in and out. We had Stanson's two people
in. No one said anything about them. We were fully within the
medical community.
Mr. Walberg. How easy or difficult is it to keep up with
these informal policies?
Mr. Daugherty. Well, I think it's nearly impossible, I
mean, because they don't tell you till after the fact, whereas
in HHS, in the world that we reside, in a regulatory world,
it's quite simple. But in, you know, the world of medicine,
which they're trying to get into, they're not using that
format.
Mr. Walberg. And, finally, Mr. Daugherty, in your opinion,
is it fair for the FTC to expect businesses like yours to be
able to locate and follow data-security practices?
Mr. Daugherty. Oh, we're all for following data-security
practices, absolutely. But we need to, obviously, have them
take a leadership role and not a reactionary role.
As much as they want to say how broad this needs to be,
breadth does not mean infinity, and there have to be some
boundaries. And they seem to continually argue, well, we have
broad scope, we need broad scope. But that doesn't mean they
don't have to say anything. I mean, we all have laws. That
doesn't mean we call it a crime when we see it.
So I think they need to be more reasonable in their
boundaries and their communications, especially when they
choose to get into medicine. That is really an alarming
overreach.
Mr. Walberg. Sounds reasonable. Thank you.
My time has expired.
Mr. Bentivolio. [Presiding.] The chair recognizes the
gentleman from Massachusetts, Mr. Lynch.
Mr. Lynch. Thank you, Mr. Chairman.
Now, this dispute is currently in the FTC administrative
court; is that correct?
Mr. Daugherty. Is this to me?
Mr. Lynch. Yeah, anybody.
Mr. Daugherty. Okay. Yes, sir, against LabMD, yes it's in
administrative court, sir.
Mr. Lynch. It seems to me that's a good place for it. I
don't understand how this matter--there are a lot of, you know,
administrative disputes that one side or the other feels
offended by. It just surprises me that you're before Congress,
given the small amount of work we do anyway, and now we're
engaging in this. I just--I don't think this whole dispute,
this whole hearing is appropriately before us. Let me just get
that out of the way.
Earlier, Mr. Hartzog and Mr. Stegmaier, we heard the
chairman say that--and get confirmation from two of the
witnesses that there is no breach unless someone uses the
information that's been put out there. In other words, you can
have a door that's unlocked, I guess is the analogy that was
used, and that even though information was not kept secure,
there's no breach until somebody actually uses that information
that's been put out there.
Is that the state of the law?
Mr. Stegmaier. So, whether or not a security breach exists
is actually a term of art. As the members of the committee may
be aware, I think at least 47 States have breach notification
laws using differing standards or requirements. So I think we'd
have to think about, sort of, a particular----
Mr. Lynch. Well, let me ask you, do any of those States say
that the information has to be used before a breach is
declared?
Mr. Stegmaier. They tend to use the operative phrases,
acquired or accessed without authorization.
Mr. Lynch. Okay. So just putting the information out on the
Internet, if nobody is using it, there's no breach?
Mr. Stegmaier. It's an active matter of dispute as to
whether the mere accessibility of information constitutes a
security breach, and a lot of really smart people would
disagree very vigorously.
Mr. Lynch. Yeah. So you can put stuff out on the Internet,
secure information on the Internet, and that wouldn't be a
breach, Mr. Stegmaier.
Mr. Stegmaier. That's not what I am saying at all. What I'm
saying is----
Mr. Lynch. Okay.
Mr. Stegmaier. --smart people would disagree, and they
frequently and regularly do.
But I think an important consideration is, under HIPAA, for
example, whether you adhere to the security rule--in other
words, whether your systems are, in fact, secure--is different
than whether or not you've had a breach. So under HIPAA----
Mr. Lynch. Well, I'm just asking you here whether it's
required in order to be guilty of a security breach, whether
someone has to use the information. That's what I'm asking you.
Mr. Hartzog, do you want to take a shot at this?
Mr. Hartzog. Sure. The mere fact of a breach itself,
actually, isn't a violation of any particular law, right? So
there are a couple of points: One is the Section 5 defining an
unfair trade practice as one that either causes harm or is
likely to cause harm. You actually don't have to have any kind
of breach or misuse in the first place.
Mr. Lynch. Yeah.
Mr. Hartzog. The second point is, the only harm that can
come isn't necessarily one of, like, say, user ID theft, right,
so mere exposure can constitute it.
And then the third thing to remember is that the wrongful
actions here aren't that a breach occurred, right? A breach is
really perhaps just a symptom of the problem, which is a
failure to have good data-security practices. So regardless of
whether the breach happened or whether it didn't happen,
whether information was available or whether it wasn't
available, all of that only really goes towards showing whether
there were good, reasonable data-security practices or not. And
that's really what we're looking for.
Mr. Lynch. Right. That's the preventative aspect of this.
Mr. Hartzog. Right.
Mr. Lynch. If we had to wait till your Social Security was
used by someone, you know, then----
Mr. Hartzog. Correct.
Mr. Lynch. --we would have to sit on our hands until
somebody was abused, you know, somebody's information was
acquired. And----
Mr. Hartzog. Which is very difficult to show. And it's
important to remember that data security is a probabilities
game, right? So----
Mr. Lynch. Right.
Mr. Hartzog. --what you want to--there's no such thing as
perfect data----
Mr. Lynch. Let me just jump to this quick. Mr. Roesler,
your clinic serves patients that may have HIV or AIDS; is that
right?
Mr. Roesler. That's correct.
Mr. Lynch. Did the master list file have personal
information about clients of the Open Door Clinic?
Mr. Roesler. It did.
Mr. Lynch. And about how many Open Door clients were listed
in the master list file? Do you know?
Mr. Roesler. About 150.
Mr. Lynch. And the FTC wrote you that the clinic file
master list was available to users on this peer-to-peer file-
sharing network, right?
Mr. Roesler. They did.
Mr. Lynch. So the information was out there. So are you
saying that the FTC was wrong to contact you on that? Is that
part of your complaint?
Mr. Roesler. Not at all. No.
Mr. Lynch. Okay. Where did the--the FTC has not filed an
enforcement action against you for that, right?
Mr. Roesler. That's correct.
Mr. Lynch. So wherein lies the overreach on the part of the
FTC?
Mr. Roesler. I am not aware of overreach.
Mr. Lynch. Okay.
I'll yield back. Thank you.
Mr. Bentivolio. The chair recognizes the gentleman from
Tennessee, Mr. Duncan.
Mr. Duncan. Well, thank you, Mr. Chairman.
And I appreciate Chairman Issa calling this hearing because
what I've heard thus far is very disturbing to me. I was
presiding over the House until a few minutes ago, and so I
didn't--I'm sorry, I didn't get to hear the testimony.
But if I understand this correctly, Mr. Daugherty, this
Tiversa firm contacted you or your company and told you of
possible problems and asked you to hire them at a rate of $475
an hour, and then when you declined to do so, they turned you
into the FTC.
Mr. Daugherty. That's correct. That was all in 2008.
Mr. Duncan. And then the FTC started pursuing you, taking
action against you.
Mr. Daugherty. That's correct.
Mr. Duncan. And I think I just was told that you're close
to being out of business, or----
Mr. Daugherty. The laboratory operations closed in January
of this year because we've been completely sideswiped by this.
Mr. Duncan. And Mr.--is it ``Roesler'' or ``Roesler''?
Mr. Roesler. It's ``Roesler.''
Mr. Duncan. ``Roesler.'' Mr. Roesler, your story is very
similar, is that correct, except you're still in business?
Mr. Roesler. I don't know that my story is similar. It's
got its differences. Yes, we are still in business.
Mr. Duncan. But you were contacted by Tiversa----
Mr. Roesler. That's correct.
Mr. Duncan. --and for $475 an hour they would take care of
your problems?
Mr. Roesler. That's also correct.
Mr. Duncan. And then when you declined, they contacted the
FTC.
Mr. Roesler. That I'm not aware.
Mr. Duncan. Well, according to the staff briefing we have,
the FTC--this Tiversa company told on or reported or turned
almost 100 companies into the FTC.
And, Mr. Hartzog, don't you think that, in light of what's
come out here today, that the FTC should check on something
like this, if another private company turns in a company, to
see what conflict of interest is present? Because there
certainly was a conflict of interest in these cases we're
hearing about.
Mr. Hartzog. It's difficult for me to speculate on that
without knowing the exact details. But it's my understanding
that the FTC actually gets information about what constitutes,
you know, a potentially unfair or deceptive trade practice from
lots of different sources, including public complaints in
general, many of which might be valid and many of which might
actually be invalid. And----
Mr. Duncan. Well, I know they get them from many sources,
but when there's an obvious seemingly almost criminal conflict
of interest involved, it looks like the FTC would at least
check that out. Because that could easily be checked out on the
front end of things.
Mr. Hartzog. Well, certainly, the FTC should make sure that
any allegation that's turned into them is actually valid. And
so I think that, of course, it's incumbent upon them to make
sure that the facts that are alleged to them are actually true.
Mr. Duncan. Mr. Stegmaier, you're a law professor. Do you
think anyone should be prosecuted criminally on things like
this, what you've heard here today?
Mr. Stegmaier. If the facts as alleged turn out to be true,
no, I would not think that prosecution should necessarily be
appropriate. But I think if I'm understanding your question
more correctly, do I think it's appropriate for this committee
and Congress to review the agency's behavior, I think it's
incumbent on Congress to do so.
Mr. Duncan. What do you think should be done in addition to
this committee looking into it?
Mr. Stegmaier. So I don't profess to be an expert on all of
the remedies or different, you know, mechanisms. But one of the
things that I think we've seen and I think is, you know,
critically relevant is to create an environment where companies
can understand what's actually expected of them as a matter of
law so that then when and if the agency should come to
investigate them there's much less of an element of surprise.
And that's really sort of the crux, right? The Constitution
protects us from being prosecuted when we couldn't possibly
have known what the law is.
And I think Mr. Daugherty could testify or would testify
about his experience in that regard, and I think he has
testified to the effect that he understood that he was subject
to HHS's jurisdiction. And being subject to the FTC's
jurisdiction and then what that meant in terms of what's
actually required is as opaque today as it was in 2008 for him.
Mr. Duncan. Well, the problem that many of us see now is
that the Federal Government is prosecuting people for
unintentional violations of the law. And that's not supposed to
be criminal, but a zealous prosecutor can make an innocent,
unintentional violation of the law seem to be criminal, and
that's a pretty dangerous thing.
The government should be in the business of trying to help
companies stay in business, not with the goal of trying to run
people out of business, unless they have definite proof of
intentional efforts to defraud people.
Thank you very much, Mr. Chairman.
Mr. Bentivolio. The chair recognizes the gentleman from
Virginia, Mr. Connolly.
Mr. Connolly. Thank you, Mr. Chairman.
And welcome to our panel, especially my constituent, Mr.
Stegmaier, who's obviously cogent, astute, perspicacious, very
compelling testimony. And we're not surprised, coming from the
11th Congressional District of Virginia.
Mr. Stegmaier. Thank you, sir.
Mr. Connolly. Mr. Stegmaier, I wanted to clarify something
you testified to just now. What is the status of Mr.
Daugherty's case before the FTC?
Mr. Stegmaier. So I haven't been following the precise
contours of the case other than the existence of the
administrative procedure is highly, highly unusual. I'm not
aware of any other case that's actually used that procedure.
Mr. Connolly. Mr. Daugherty, what is the status of your
case?
Mr. Daugherty. The case is on pause until the immunity
decision and proffer is worked out with this committee. And
then the judge will make a decision from that point.
Mr. Connolly. Okay. So it's still in adjudication. Pending.
Mr. Daugherty. Pending.
Mr. Connolly. But there's been no verdict delivered or----
Mr. Daugherty. No. This is correct.
Mr. Connolly. Well, I will say I share some of--more than
some of the misgiving of my colleague from Massachusetts, Mr.
Lynch, about the appropriateness of this committee even the
perception of intervening in the midst of, you know, a
regulatory adjudication, for fear that, you know, we start to
set a precedent. So anybody, you know, who doesn't like a
procedure can just come here and we'll have a hearing and judge
it for ourselves. I just think that's a dangerous precedent if
that, indeed, is what's going on.
Mr. Stegmaier, the title of this hearing is ``FTC Section 5
Authority: Prosecutor, Judge, and Jury.'' Do you view the FTC
as playing a role as prosecutor, judge, and jury?
Mr. Stegmaier. Absolutely. I think the structure of the
administrative state, Section 5 being very broadly worded, with
the agency getting deference to its own determinations about
its jurisdiction, as well as its interpretations of the law
being plausible, absolutely create a situation where it is
difficult, if not impossible, to create due process remedies or
ways for review that most regular people would think our system
of justice entitles them to.
And with respect, Mr. Connolly, to your comments about this
particular proceeding, one of the things that strikes me is
that, with respect to the fair notice doctrine and due process
generally, if not here, where else? And I think that really
begs the question. You know, in other words, Mr. Daugherty, I
am not sure has any other place that he could go unless and
until this proceeding is resolved.
So, you know, again, maybe I'm a bit of, you know, sort of
a sentimentalist, but I think the due process concerns here are
so significant that I would be, you know, troubled to wonder
where else one might go for redress.
Mr. Connolly. That sounds good, Mr. Stegmaier, but we
cannot be substituting ourselves for regulatory agencies in the
midst of their administrative procedures. The precedent that
sets is very dangerous, in my opinion.
And, by the way, if there were thousands of them, there's
no way you could raise the expectation that, no, no, this is
where you come for redress if you don't like the process.
Though, I am not disagreeing with you about the fact that there
may be way too much authority, frankly, vested in this process.
And that's a legislative issue, but not an adjudication.
Mr. Hartzog, would you respond to what Mr. Stegmaier said?
Didn't he make a pretty good point there?
Mr. Hartzog. Sure. No, so I would actually disagree. I
mean, I agree in the sense that, you know, this kind of title
of ``judge, jury, and executioner'' is--the FTC is not unique
among administrative agencies in that it has been given
enforcement power and the power to kind of dictate rules.
That's actually kind of administrative law generally, right?
So, to the extent that the FTC has the power to enforce the law
and create rules through case-by-case adjudication, the FTC
seems to be hardly unique in that respect.
With respect to, kind of, fair notice, due process
concerns----
Mr. Connolly. Well, can I just interrupt you there? Mr.
Daugherty has a blog in which he refers to the FTC as ``lying,
cheating, breaking every rule in the book.'' ``All professional
tyrants and bullies have plenty of tricks up their sleeves.
This nest,'' presumably the FTC, ``is no exception.''
So Mr. Daugherty----
Chairman Issa. [Presiding.] Would the gentleman yield?
Mr. Connolly. Of course.
Chairman Issa. I think many Members on your side of the
aisle have said the same about me on the dais. These
allegations are not unique, are they?
Mr. Connolly. Yeah, but I don't know if we all have blogs.
But, I mean, putting a charitable interpretation on what
clearly is a source of anger and frustration for Mr. Daugherty
is a sense of: I am not being treated fairly. This process is
far beyond just a routine administrative process. It is one
that, you know, is all-encompassing and all-powerful and
capricious. My word, not his.
So is this just like any other administrative process? Is
there something unique or different about this one? I'm not
referring to the particular case; I'm talking about the
process. Because you just said, well, it's hardly unique. But
if I read this blog and only rely on it for witness to the FTC
process, I might conclude it most certainly is different and
unique, or at least I hope it would be, if this is accurate.
Mr. Hartzog. Well, I can't comment as to the factual
specifics. My----
Mr. Connolly. I'm not asking you to.
Mr. Hartzog. Right, right. So without knowing the internal
deliberations of what happened with respect to the FTC
investigation with this particular case, I will say if you look
at the complaint that was filed in this case, it is very
consistent with all of the other FTC data-security complaints.
The FTC has been regulating data security since the late 1990s,
and they've done so in a very conservative and incremental
manner. The language that they employ is very consistent across
every single complaint. The language that they use in their
consent orders is very consistent.
And so if you look at the complaint that was filed in this
case, it does, indeed, look very similar to lots of other
complaints filed by the FTC. And so, in that regard, this is,
you know, just another, kind of, incremental iteration on the
FTC's data-security regulations.
Mr. Connolly. And just a final point, if I may, Mr.
Chairman.
Do you agree with Mr. Stegmaier that, if not here, where,
that this is a place to come for redress if you feel you're not
getting it in the administrative law review--I mean, the
administrative judicial process?
Mr. Hartzog. Well, I would just call note to the fact that
everyone that is subjected to an FTC complaint has the right to
judicial review. And so, you know, that seems to be the
structure that was put in place precisely to put a check on
administrative agencies.
Chairman Issa. Would the gentleman yield?
Mr. Connolly. Of course.
Chairman Issa. Just for a short colloquy. I think you made
an assertion that perhaps this hearing and our what you called
``intervening'' with the FTC was inappropriate. I just want to
go through a couple of things very quickly for our benefit.
Have you had a chance to look at any of the proffer
material brought to the committee voluntarily by a
whistleblower?
Mr. Connolly. I'm not sure what the chairman is referring
to. I've looked at a lot of material.
Chairman Issa. No, no. There was a proffer brought. The
committee staff has reviewed some of it. There was a
whistleblower who came to us, unrelated. We did not initiate
it, but rather a whistleblower came to us. And that, in
combination--and perhaps your staff can arrange--at the
beginning, I asked everyone to look at the proffer. It goes
more than an hour.
But, additionally, the reason that this committee feels
that, notwithstanding an ongoing--many-year ongoing FTC
activity, that, in fact, because Mr. Boback testified before
this committee twice while he was, in fact, turning people into
the FTC for eventual prosecution, and because a whistleblower
came to us, and because that whistleblower took the Fifth at
the--asserted his Fifth Amendment rights at that proceeding, my
understanding is the administrative law judge has for the time
being held up, with no prejudice whatsoever, his proceeding as
we continue to try to go forward.
The judge is able to go forward with the case at any time,
of course, but both this chairman believes that we should hear
the testimony of the whistleblower here and I think the FTC
would like to hear the testimony of that individual because,
since he was a prior employee of Tiversa, he is, in fact,
likely to be a fact witness as to whether or not there is
credible evidence against Mr. Daugherty's company, which, by
the way, doesn't go to the FTC's authority that we're
discussing here today. It really goes to the question of, is
the FTC accurate in one or more of its pleadings?
And for the gentleman's edification, it is our opinion
that, at a minimum, if the assertions that have been made are
true, the FTC has been misled and this committee has been
misled on multiple occasions. The Secret Service, NCIS, the
White House, through the assertion made--and I don't know if
the gentleman was here when it was made, but the assertion that
Marine One's cockpit upgrade was compromised when it was in
Iran may not have been true. All of those things caused this
committee to think that we need to act now and to look into it.
But I appreciate the gentleman's rightful statement that
it's not for us to second-guess the FTC. Their administrative
law judge has to make their own decision. We also, though,
believe that we have an independent obligation based on the
things I outlined, and I would hope the gentleman would agree.
Mr. Connolly. Mr. Chairman, it might surprise you to hear
that, in some measure, I do agree. However, I guess I'm raising
the question, not for a solution here, about, what are the
right boundaries for us, and when do we properly intervene
because of our oversight function and duty?
I was asked before this hearing, you know, do we have a
role to play in oversight of FTC, and my answer was absolutely.
And if there's, you know, something to be reformed or something
certainly to be looked at, that is absolutely a proper function
of this committee. And the idea that it's never proper is to be
rejected.
However, there are boundaries. And when there's a specific
case in front of a judge, I am concerned that it not even be
construed as a perception that we are attempting to tilt the
judgment in a particular way or to make ourselves the place of
redress when people have a grievance, even though that
grievance may very well be legitimate.
Our role is not to hear the case all over again. It is to
try to, you know, ameliorate the grievance if there are
legitimate aspects to it that can be addressed legislatively.
That's what I was raising.
Chairman Issa. And I think the gentleman and I would agree
that we have to be very careful, both yesterday with the IRS
and today with the FTC. But I do believe, when somebody has
testified before this committee multiple times, the assertions
may be incorrect, and, as a result, a series of suits already
completed by the Federal Trade Commission with consent decrees
might, in fact, have been flawed.
And, tangentially, Mr. Roesler, obviously, we are concerned
that a pattern of activity, business practices, you may have
been a victim of and suffered--you and your insurance company
suffered distraction and cost for years. So we are concerned
with it.
And that's why I was so appreciative of your being here
today. This was a tough one for you to do. It's tough for you
to tear yourself away and to take time out. But, hopefully,
maybe a little bit like some hearings we've had over the years,
where people don't understand them at the beginning of it, if,
in fact, they come to some of the assertions being true, then
at the end of it all people will say, yes, it was worthwhile.
If, Mr. Connolly, if, at the end of it all, whistleblower
statements are wrong, assertions are wrong, and all of what we
have been told is not true, and if, for example, that
Pittsburgh event, the law firm was just a coincidence, if, in
fact, both of these individuals had real breaches, then, in
fact, if all those things be true, then, in fact, we went down
a look-see that didn't end up. But today I believe very
strongly and I think at least two of our witnesses feel
strongly that there's at least a credible case to look into it.
And I might close--and I thank the gentleman for so much
yielding. I remember when Pat Tillman's family was in front of
this committee. I remember us looking at various events that
were very controversial, assertions by grieving family members.
This committee has taken the breadth of investigations by both
sides' chairmen, and we have explored them. We explored
steroids in baseball. We've done a number of things. The
ranking member and I have continued to work on trying to clean
up the NFL's problem with human growth hormones. Those are not
within the mainstream.
So I do appreciate the gentleman. And I want to be very
careful. I would ask, again, all Members to look at the
proffer, to meet with the whistleblower. Even if he is never to
be granted the opportunity to testify, the proffer itself might
give you the reason for why we are going forward to try to find
the facts through other means and why this hearing is here
today.
Mr. Cummings. Will the gentleman yield?
Chairman Issa. Of course.
Mr. Cummings. First of all, Mr. Chairman, you know, I was
questioning as I was listening to Mr. Connolly whether this is,
in fact, intervention. I'm not sure that it is, to be frank
with you. But I'm hoping that, at the end of the day, that the
FTC hears this. Clearly, there are some things that need to be
resolved here.
And, you know, when I hear the stories of Mr. Daugherty,
Mr. Roesler, I think it concerns all of us if you have been
treated unfairly, because we try to fight against that kind of
thing.
But, again, I think--and I'm glad you said what you said
about being careful. Because it's interesting, in my office,
Mr. Connolly, I tell my staff that if somebody walks in there
and there's any kind of pending anything, judicial, quasi-
judicial, I'm not touching it, I'm just not going to touch it,
because I don't want to interfere.
Mr. Connolly. Right.
Mr. Cummings. And I think there's probably a problem with
it anyway, ethically.
But, hopefully, this will lead to something where there's
some clarification, Mr. Chairman, so that we don't have these
kind of situations, or, if nothing else, at least some clarity
comes to the people who are in the industry as to what is
expected of them, what's fair, what's reasonable.
Mr. Cummings. And if we can come to that--and, again, as I
said a little bit earlier, Mr. Chairman, we have not said
absolutely against immunity for a whistleblower. We just want
to make sure that we dot our i's, cross our t's.
And so, thank you very much.
Chairman Issa. I thank the ranking member, and I thank Mr.
Connolly.
We now go to the very patient quasi-expert on HIPAA, Dr.
Gosar.
Mr. Gosar. Well, thank you, Chairman.
I'm a dentist before I came to Congress, so I'm very aware
of HIPAA and OSHA, and it's very different from what I'm
understanding here, Mr. Daugherty, right? I mean, we have
classes, we have rules, regs. They're pretty astute and pretty
well-defined, right?
Mr. Daugherty. Yes, Congressman. As a matter of fact, we
enjoy daily mailing offers for educational seminars that anyone
could have at any day.
Mr. Gosar. And so, like, a typical small business, you
update, you try to keep up with trends, making sure that you're
up to par in protecting databases, as well, true?
Mr. Daugherty. Correct. We always had an IT staff of at
least 3 people, even when we were only, like, 15 employees. And
we also had an outside company help.
And, as a matter of fact, we upgraded to--we found in the
small-business community and in the medical community that's
under 100 or 200 employees, there were no security products out
there. So when the FTC approached us, when we were trying to
get an answer of what to do and we couldn't get an answer, we
went out to the industry, and they didn't have products for us.
They only were with 500-employee companies and up. So we had to
find a company that would actually customize something for us
that was built for someone bigger that would actually work with
us, and we could only find two vendors to do it.
Mr. Gosar. So, I want to get back to this fair notice. It
seems like if what I heard from Mr. Hartzog in regards to
looking across the industry for fair and applicable
application, they should've taken some of that into
consideration.
Mr. Daugherty. Well, I would agree with that, sir, yes.
Mr. Gosar. Yeah.
Mr. Hartzog, are you real familiar with why the FTC is even
in business today? Do you understand the history from 1978 to
1980? In fact, my Democratic colleagues almost--actually shut
them down during 1980.
Mr. Hartzog. I----
Mr. Gosar. And underneath, in regards to--the FTC only
survived in its agreement to limit its discretion by issuing
its now-revered unfairness policy statement, true?
Mr. Hartzog. That's correct.
Mr. Gosar. So there's even more onus--you bypassed it, but
there's even more onus on the FTC to be fair and applicable
across these applications. Would you agree?
Mr. Hartzog. Yes. They are----
Mr. Gosar. Well, I mean, so the statute and the mission is
very specific to the FTC, right? So the application across all
agency boards is not exactly what you said.
Mr. Hartzog. Well, with respect to whether something
constitutes an unfair trade practice. So it actually isn't even
limited to deception, but the policy codification was to an
unfair trade practice.
Mr. Gosar. Well, my whole point is the FTC is further
scrutinized by its jurisdiction in regards to that. So they
were disciplined by Congress, okay?
Would you agree with that, Mr. Stegmaier?
Mr. Stegmaier. I think the agency has more of a track
record, historically, and speaking purely historically, of
potentially running afoul and having congressional oversight.
And, for example, their rulemaking authority is highly
constrained coming out of some of the same things I believe
you're talking about.
Mr. Gosar. Yeah. So let me--I guess my question is, if
we're coercing settlements, what good is the rule of law? How
are we overseeing the FTC in a proper adjudication if they're
already being scrutinized a little differently because of their
past history?
Mr. Stegmaier. I think it's a really good question, and I
think it's one we need to explore further.
Certainly, having represented companies that felt they were
being coerced, I very much sympathize with the tone and tenor
of your statement. And, in the same breath, I would just say
that my experience with the folks actually working at the
agency has been of a really bright, hardworking, dedicated
group of people that believe in what they're trying to do. And
I think one of the things that can be happening here is a bit
of disliking the messenger versus the message.
And part of that is simply because we, as a society,
haven't resolved what privacy and data security mean, but we
have a law enforcement agency that's out there prosecuting
companies with what it thinks it means, you know, over more
than a decade now. And that's really, I think, what brings us
here, is a tough spot independent of anything that Mr.
Daugherty or the other information before the committee or the
proffer, none of which I'm specifically familiar with.
Mr. Gosar. And it seems to me that we haven't had oversight
or reauthorization of the FTC, and maybe we need a mission. I
mean, just because you're bright and you're affable in your
job, it doesn't make you right in your application of the law,
does it, Mr. Stegmaier?
Mr. Stegmaier. So I made a note to myself earlier: Just
because you do something doesn't mean you have the authority to
do it. And so I would agree that a measure of oversight and
review is appropriate, given, as the agency acknowledges, that
technology is moving very rapidly, data is moving very rapidly,
and, clearly, the agency has a very important role to play, but
that is one that is, you know, limited and subject to
congressional review.
Mr. Gosar. And so, would you still agree that the review of
you're innocent until proven guilty?
Mr. Stegmaier. I would agree that you are absolutely
innocent until proven guilty. I think that's the entire reason
why I'm here today.
And I think, more importantly, it's really a shame if
you're prosecuted and you couldn't possibly have known what the
legal requirement was for which you are being prosecuted. And
that's what the fair notice doctrine is about in the articles
I've written.
Mr. Gosar. Yeah.
Mr. Hartzog, would you agree with that?
Mr. Hartzog. I agree with the general statement, but I
would also say that the case-by-case way of establishing law is
actually a part of----
Mr. Gosar. I mean, you didn't give a very good, I mean,
notice about applicability across the board here. You tried to
cite as an expert witness, and you tried to cite, which you
really couldn't. And shouldn't that be more based upon
predicated caselaw so we should see, instead of coerced
settlements, we see more applicability going towards the
courts?
Mr. Hartzog. If I might, actually----
Chairman Issa. The gentleman's time has expired, but you
may answer.
Mr. Hartzog. Thank you.
If you look at the complaints, actually, we actually see
substantial overlap of the FTC complaints with the HIPAA
security rule and Gramm-Leach-Bliley. And so, actually, it's
actually a fairly nuanced standard. If you look at the
complaints which, established in a case-by-case manner, really
outline what an unfair or deceptive trade practice is.
Mr. Gosar. Thank you.
Chairman Issa. Thank you.
We now go to the gentlelady from Illinois, Ms. Duckworth.
Ms. Duckworth. Thank you, Mr. Chairman.
Thank you, gentlemen, for being here today.
I just want to establish some clarification. And, Mr.
Roesler, I know you do tremendous work in support of our
citizens who are suffering from AIDS and do everything that you
can through your organization to support your clients.
I just want to, sort of, go through the timeline of your
particular instance. You were contacted by Tiversa saying that
they had these files that they had found on peer-to-peer
networks and that for a certain amount of money they could help
you with it. Subsequent to that, you then went to your IT
providers and did a thorough search and determined that nothing
in your networks had been breached. Is that correct?
Mr. Roesler. That is correct.
Ms. Duckworth. And, at a later point in time, you received
a letter from the FTC saying that there was this file in the
Internet, and it was a different file name from the file that
Tiversa had informed you was out there. Is that correct?
Mr. Roesler. That's also correct.
Ms. Duckworth. Great.
Prior to this time, did you not suffer a break-in to your
facilities, where a laptop was physically stolen from your
facility?
Mr. Roesler. That's correct. In 2007, Open Door was the
victim of a theft of one of our laptops in our Aurora clinic
space.
Ms. Duckworth. Correct. And you did report that crime to
the police?
Mr. Roesler. That was reported, yes.
Ms. Duckworth. Yes.
So when you got the notice from FTC with a different file
and in going back and reviewing, is it true that you have
determined that these files that were on the Internet were not
a result of any type of a security breach to your network but
probably came from that laptop that was stolen?
Mr. Roesler. That is an assumption that we do have, that
the laptop that was stolen had these as well as other documents
on that computer.
Ms. Duckworth. And so the FTC has not pursued--has not
contacted you other than that first letter to say they found
these files on the Internet, this is a warning, you need to
deal with it. Is that correct?
Mr. Roesler. That is correct. Thank you.
Ms. Duckworth. Okay.
Do you have any evidence that the FTC turned over
information of any of those files to any law firm that then
initiated the class action lawsuit against you?
Mr. Roesler. No evidence at all.
Ms. Duckworth. No evidence at all.
So what I'm trying to get to here is the fact that there
are two different things going on. There are the practices,
which I think appear to be very egregious, on the part of
Tiversa, which I want to get to the bottom of, and then the
fact that you were very much a victim of an actual theft to a
facility that probably did have a lock on your front door,
quite literally, and then the FTC finding a different file on
the Internet from the one Tiversa contacted you with and said,
hey, this file is out there, take a look at it. You dealt with
it.
The only thing that I'm somewhat concerned with in terms of
your actions is that you did not notify your clients for over a
year whose names were on that stolen laptop. Is that correct?
Mr. Roesler. That is correct.
Ms. Duckworth. But that's a matter for State law; that's
not under the jurisdiction of this committee here.
But you've settled the lawsuit with this law firm, wherever
they got the information from, not from the FTC but from
somewhere else. Your clients--many of whom are back with you
and are happy with the treatment that they're getting?
Mr. Roesler. That's correct. We are back to doing business
as usual.
Ms. Duckworth. Which you love, which is taking care of your
clients.
Mr. Roesler. Very much. Thank you.
Ms. Duckworth. Thank you.
Mr. Hartzog, could you give me your opinion on, was it
appropriate for the FTC to contact Mr. Roesler to say that,
hey, we found a file on the Internet that contains your
clients' names?
Mr. Hartzog. Sure, in the sense that the FTC has, you know,
a broad ability to look into lots of different data breaches to
determine whether there was reasonable data security or not.
Chairman Issa. Would the gentlelady yield just for a point
of information?
Ms. Duckworth. Yes, I'll yield.
Chairman Issa. The committee can provide you with the
produced written data that shows that Tiversa provided that
information to the FTC. So the source in both cases was Tiversa
directly in contact and then indirectly when the FTC gained
from Tiversa that same information that Open Door failed to, if
you will, pay for protecting.
Ms. Duckworth. Thank you, Mr. Chairman. But I do think the
FTC did contact Mr. Roesler with a different file name.
Which is how I believe you were able to come to the
conclusion or the assumption, a working hypothesis, as it were,
that it likely came from this laptop and not from a breach of
your network.
Mr. Roesler. Okay, no, that's not exactly correct.
Ms. Duckworth. Okay.
Mr. Roesler. So during the litigation and during discovery,
the law firm was able to produce quite a few documents that had
been downloaded from a peer-to-peer network. It was when we
started looking through the piles of documents that we were
able to ascertain what the likelihood is of which employee
might have been producing most of those documents. And from
there, we were able to then figure a timeline that, well, this
employee doesn't currently have these documents on their
current laptop; however, come to think of it, 2 years ago,
their laptop had been stolen out of our clinic. And that's when
we started moving backwards in that thought process.
Ms. Duckworth. Okay. Thank you.
I'm out of time, Mr. Chairman.
Chairman Issa. Thank you. If the gentlelady would just
allow me to follow up on your line?
Mr. Roesler, do you believe that Tiversa provided you with
all the information and all the files that they had found?
Mr. Roesler. Could you repeat that question?
Chairman Issa. In other words, when they approached you and
said, we found this vulnerability, do you believe at that time
they provided you with a sample of what they had found or all
of it so that you could figure out the source?
Mr. Roesler. Thank you, Chairman. That's a very good
question.
They produced one document, what I believe to be--it is my
opinion, but that they had more than the one that they
described to us that they had at the time.
Chairman Issa. And I'll go to the ranking member in just a
second.
The reason I want to do that is Ms. Duckworth's two
different documents. Since our data that's been found in
discovery shows that Tiversa did turn over to the FTC the
documents, or that we have a list with your name and so on on
it, it appears as though what FTC brought you, which was a
different document, was also from the same source of Tiversa.
And, Ms. Duckworth, the reason--and I appreciate that
you're talking in terms of looking at Tiversa and so on--is, as
far as we can tell, the only taker of this personal
identifiable information that we know for sure reached into his
systems on his network and pulled out files was Tiversa, who
reached in, pulled them out, and turned them over to the FTC.
That's the part that we know, is that at least one company
found the vulnerability, took the information, gave it at a
minimum to the FTC. And there is some question by the committee
as to how the law firm got that same list and produced a class
action, a law firm in the same city.
And that's, I think, what the gentlelady is really looking
at, is this doesn't look good. And the effects on Open Door
were devastating.
Ms. Duckworth. Well, I would agree with the chairman that
the effects on Open Door were devastating, but I don't agree
that they reached into their network. Open Door has determined
that there was no breach of their network. And, in fact, the
data breach came from a stolen laptop. So if Tiversa got this
information, they got it from someone else who uploaded the
information from a stolen laptop, 2 years prior, to the
Internet.
It was not a breach of their network. They did a thorough
search of their network. And, in fact, Tiversa is getting this
information that someone else, presumably the thief who broke
into their facilities and stole their laptop or someone that
got that information off the laptop, uploaded. It's two
different mechanisms----
Chairman Issa. And I share with the gentlelady very much
versions of that possibility. That laptop that was stolen
could've had LimeWire added to it. It could've been put up on
the thieves' Internet site, and Tiversa could have found it out
on the Internet. The interesting thing was that Tiversa did not
go to the laptop or to some other posting; they actually went
to this company and said, we found the vulnerability on your
site.
And that's what is so perplexing, is they didn't say, we
found this information in the Internet. They went to Open Door
and said, we found your vulnerability and we offer you services
for your vulnerability. Now, my understanding is Tiversa also
will talk about helping cleanse lost data, clean up what's been
out there on the Internet. There's a lot of services people
talk about.
But it is confusing that, in fact, this data, we know for
sure, got into Tiversa's hands. And in our discovery, we do not
yet know, did they really get it off of your Web site at Open
Door? Did they get it off the stolen laptop?
One thing we're convinced about is that they may very well
have never gotten it, seen it somewhere in the Internet, except
on a vulnerability from a peer-to-peer. And, in fact, it may
never have been made available so as to harm the 180-plus AIDS
patients that in some measure felt offended and served a
lawsuit.
Ms. Duckworth. I would have to disagree with one portion of
that, Mr. Chairman. I share your concern with Tiversa's very
predatory practices, and I think we should look more into it
and I would love to have them here. But I think, in this case,
Tiversa said they found this data on a peer-to-peer network,
not on Open Door's network. They found it on a peer-to-peer
network. That's what they told Open Door, ``We found it on a
peer-to-peer network.''
Open Door then went in and looked at their peer-to-peer
network and saw and confirmed that it had not been breached and
that there was no vulnerability in their peer-to-peer network.
Just because Tiversa found it on a peer-to-peer network does
not mean that that peer-to-peer network belonged to Open Door.
Someone else uploaded it from, likelihood, that stolen laptop
to a different network.
So I just want to make sure that Tiversa is--they could
possibly be trolling the Internet for this data on various
peer-to-peer networks, not necessarily Open Secret's, found it,
and then tried to get them to purchase services. So it's two
different things. And I just want to make sure that this is--
the things that Open Door has suffered have been because of
Tiversa and Tiversa's actions with the law firm.
And, in fact, as far as the FTC is concerned, they sent
them a note saying, there's this form out there--there's this
file out there, you need to take a look at it. And they've not
prosecuted, they've done nothing else. Really, they've been the
victims of a class action lawsuit that was initiated by Tiversa
after they found a document on a separate peer-to-peer network
that was not the one that was Open Secret's--I mean, Open
Door's.
Chairman Issa. You may very well be right. And I think
you're getting a nod from Open Door.
But I think the gentlelady has made the exact point that I
hope we can all come together on, which is we have a
whistleblower who wants to give us detailed information
directly related to each of these events with actual recorded
hard disk data and only asked that his involvement and his
testimony as to how he was involved in this at Tiversa not lead
to his prosecution. And that is all that, in fact, when you see
the proffer, if you will please see it, video proffer, you're
going to see, is a demonstration specifically of that. And it
does give us a fact witness, however flawed in any other way, a
fact witness who will make specific allegations as to
particular companies and where their data was or wasn't;
additionally, and for me as a former ranking member and member
of this committee, is also prepared to testify about evidence
that was presented to this committee under oath. And that's why
we have sought to have this witness.
Today's hearing deals with what we know and what happened
to these individuals and with some of the pitfalls of, does the
FTC, for example, in the case of Open Door, did they get second
corroboration or did they send that letter in your case, and a
lawsuit in your case, based on a single source that may or may
not have been accurate?
And, to a certain extent, I know we're all getting mired in
Section 5 authority. This is more than Section 5 authority.
It's about whether an agency, even if it has the authority,
what are the safeguards before they file a lawsuit? What are
the safeguards to make sure that the allegations are
independently corroborated? Because cybersecurity is, in fact,
as the gentlelady knows, it's not a hard science where you can
be sure. And if somebody says this happened, making sure it
happened is important.
So this is a broad subject. Cybersecurity is a core element
of our oversight, not just here but throughout government. And
it's one of the reasons I thought bringing up the whole
question of how do we move cybersecurity positively--because,
Mr. Hartzog, I think you would agree, and, Mr. Stegmaier, I
think you would agree, that to the extent the FTC has
authority, it's in order to protect against unfair practices,
that's their basic--but, in fact, to move us into greater
security and reliability of people's information when it's held
by third parties. And that goes to the core of cybersecurity in
and out of government.
So my view was this hearing, separate from the other
discussion that I hope to have with the whistleblower, this
hearing was worthwhile not because there's an ongoing
investigation or case, Mr. Daugherty, and not because of what
you've suffered alone, but because you're helping America
understand this is complex, we have to make sure that
allegations are correct, and we have to make sure that if
there's a bad actor basically selling services in an unethical
way that we hold them accountable.
And that's why I'm so interested in your line of
questioning and I support it and I appreciate it.
Ms. Duckworth. Thank you, Mr. Chairman.
Again, I don't think the FTC filed a lawsuit against Mr.
Roesler, just warned him that the file was out there. But I
agree with you that I would like to know more about this
process, so it would be great if we could have the FTC here in
testimony.
Chairman Issa. And we do intend to. What we're asking is
that they answer our questions as to some of this corroboration
and so on. We expect to ask both Tiversa and the FTC.
One of the challenges--and I hope the ranking member will
chime in on this, too. Mr. Connolly's statement about an
ongoing lawsuit means that we have to think about how and when
we bring the FTC in so that we not put them here specifically
talking about a lawsuit that is ongoing. So I want to be a
little careful on that. We are working with the IG. And the
FTC's IG is available to come in and brief your office, because
she has a separate investigation that we're respecting, her
ongoing investigation.
Mr. Cummings?
Mr. Cummings. Thank you.
Mr. Chairman, I want to just go back to something you just
said.
And I want to direct this to you, Mr. Hartzog. When the
chairman--and I think when you boil a lot of this down, this
issue of independent corroboration and trying to be fair--and I
think that's what the chairman is saying. He's not--I think
he's saying that, you know, there may be appropriate times, but
trying to have a sense of fairness with it all. Because these
gentlemen, I think, would say that they feel that they have
been treated unfairly.
So can you talk about, I mean, how that would work and how
other agencies deal with that? Do you understand what I'm
saying?
Mr. Hartzog. Sure. Sure. So it's difficult for me to
speculate on the way that other agencies deal with that. But I
will say that it's important to remember that when the FTC gets
information about a potential breach or a vulnerability, that's
just the very beginning of the inquiry, right? So the FTC
doesn't police data breaches; the FTC polices unreasonable
data-security practices.
Now, a breach can be evidence of a data-security practice,
but that's just the starting point, right? So if you look at
the complaints, the complaints actually have kind of a litany
of data-security failures, so failure to have a training
program and failure to implement administrative and technical
and physical safeguards. And all of these things are things
that are incumbent upon the FTC to actually prove if they
allege them in the complaint.
And so I think that we want to be careful not to assume
that just because the FTC has been notified of a breach, that
that immediately means that the company that suffered the
breach is liable, right? So the FTC is--it's on the FTC to fill
that out, right, to say, well, what actually were the--were
there unreasonable data-security practices that allowed this
breach to happen? Or was this a breach that was going to happen
regardless of whether there were reasonable data-security
practices?
And that, to me, is really where the FTC, you know, starts
doing its real investigative work, in that, you know, the
notification of a breach is just kind of the first tip that
leads to an investigation.
Chairman Issa. Thank you.
Mr. Clay?
Mr. Clay. Thank you, Mr. Chairman, and thank you for
conducting this hearing.
Some critics of the FTC's approach to data protection have
argued that the FTC has not provided adequate notice of the
guidelines a company must follow to avoid an enforcement
action. For example, in Federal litigation in New Jersey,
Wyndham Hotels argued, ``If the FTC can regulate data security
at all, it must do so through published rules that give
regulated parties fair notice of what the law requires.''
Professor Hartzog, do you agree that published rules are
required to give organizations notice of the data-security
standards that are required?
Mr. Hartzog. I don't think that that's necessarily
accurate. I think that administrative agencies like the FTC
actually have the choice of publishing rules or proceeding in a
case-by-case basis and establishing the contours of the law in
that way.
And, in this instance, when you have a complex and ever-
evolving problem like data security, which is really more of a
process than a set of rules, then the FTC has chosen, and I
think probably wisely, to proceed in a case-by-case basis in
order to incrementally establish rules and be adaptive to the
ever-changing needs of consumers to have their data protected.
Mr. Clay. Well, how can a company know when it's going to
run afoul of the data-security requirements if they don't have
notice of the rules?
Mr. Hartzog. I would actually argue that they do have
notice of what's required. So there are several different
things that you can look to. When you have a reasonableness
approach, the FTC isn't the only agency, the only regulatory
scheme that uses a reasonableness approach. So States do, and
there are other statutes that take advantage of it.
And you can look to basic things, right? So even in the
statement that the FTC issued on its 50th data-security
complaint let it know that there are really five basic things
that you have to do. You know, you have to identify your assets
and risks; you have to minimize data; you have to implement
safeguards; and you have to have a breach response plan. And
those are the basic components.
And the way that you then fill that in is you look to lots
of different variables, like the size of the company and the
sensitivity of the data and the amount of data that you're
collecting and the resources that you have available, which of
course vary wildly according to company.
And so it actually, I think, would be a mistake to try to
put those into rules because they inevitably would be either
overinclusive or overprotective or underinclusive depending
upon the context. And so, really, the only way forward, in my
mind, is to proceed upon a reasonableness basis here.
Mr. Clay. Okay.
Other critics of the FTC Section 5 enforcement authority
have argued that the FTC should establish bright-line data-
security standards in advance of any enforcement measures
delineating exactly what companies must do to comply with this
data-security obligation.
Professor Hartzog, in your recent article on the FTC and
data protection, you address this point, writing, ``Many
critics want a checklist of data-security practices that will
provide a safe harbor in all contexts. Yet data security
changes too quickly and is far too dependent upon context to be
reduced to a one-size-fits-all checklist.''
Professor, can you elaborate briefly on what you mean here?
How is data security changing in ways that make formal
rulemaking impractical?
Mr. Hartzog. Sure. So I've spoken with a lot of data-
security professionals in doing my research, and they almost
uniformly tell me that you can either have a one-size-fits-all
checklist that lists the 17 things that you're supposed to do
or you can have good data security, but you can't have both.
And the reason why that is is that data security changes so
much, and it wouldn't make much sense to say that small
businesses have to follow the same data-security protocols that
Target and Amazon have to follow. And so it actually is very
dependent upon all these variables.
And to the extent that we've heard testimony today saying
that, you know, oh, well, we have guidance from HIPAA and we
have guidance from Gramm-Leach-Bliley, I would ask everyone
actually to look at the complaints filed by the FTC. They're
very similar to the requirements in HIPAA and Gramm-Leach-
Bliley. And so, to the extent that everyone is kind of fine
with the way that those work, I think you can see similar kinds
of requirements in the complaints filed by the FTC.
Mr. Clay. And you also wrote that flexibility to adapt to
new situations, the FTC can wait until a consensus around
standards develops and then codify them as this happens.
Mr. Hartzog. That's correct. So one of the problems with
formal rulemaking is that if you make it too technologically
specific, then by the time the rule actually gets passed, it's
become outdated and you've got to start the whole process all
over again, and it becomes this never-ending series of trying
to update standards that have become outdated.
We've actually seen this in other areas of the law where
we've tried to list out technological specifications, and we
now get routinely frustrated, you know, that they're outdated
because it changes so quickly.
Mr. Clay. Thank you for your responses.
Mr. Chairman, my time has expired.
Chairman Issa. Thank you, Mr. Clay.
Well, we're going to come to a close, which is probably
blessed for all of you. But I have just a final set of
questions, and I'm going to go to each of you.
Mr. Hartzog, I hear everything you're saying, but if I'm to
believe what you're saying, the complaints and the consent
decrees are supposed to be my guidance as to what I have to do.
I have to find within the complaints a company and a set of
information that's similar to mine to figure out what I should
or shouldn't do.
But even then, the consent decree says, we're going to keep
an eye on you for 20 years. So, 2 years later, 3 years later,
what they're doing behind closed doors in their oversight of
that one company, I don't have visibility on that.
So how am I supposed to know what the law is?
Mr. Hartzog. So I would actually say, instead of looking
kind of to the consent decree, you look to the complaints. And
the complaints actually point to industry standards, right? And
there are various, actually, standards you could look to. So
you could look to----
Chairman Issa. But none of those standards are safe havens;
is that right?
Mr. Hartzog. Well, no, not explicit safe havens, but I
think the understanding is----
Chairman Issa. But wait a second. If I go 34 miles an hour
in a 35-mile-an-hour zone, I'm not going to get a speeding
ticket. Is that right?
Mr. Hartzog. I'm really glad you brought that up. So Mr.
Stegmaier brought up the whole speeding-limit thing, as far as
how that's adequate notice. I would also add that if you look
at speeding rules, in inclement rules the speeding rules
actually change; they say drive reasonably under the
circumstances. And yet we don't have a problem with that
speeding law, which is, of course, based on a reasonableness
standard.
Chairman Issa. That happens to be an interesting law,
because it only gets enforced when you have an accident, and
then they will sue you. They will claim that you were driving
too fast for conditions.
I appreciate the fact that you noted, then, that when the
``fit hits the shan,'' when things go bad--I worked on that for
a long time; I want you to appreciate that--then they will
write you a ticket, even when you drove the speed limit
something happened. But there has to be a bad occurrence for
that to be enforced. So I think we're all agreeing it's a good
example.
But cybersecurity is a real question. I don't know
everything about LabMD. I don't know everything about Open
Door. But I will tell you that people right now, whether they
have a server in a closet and they're buying the latest
software from Microsoft and other companies or they're up on
Amazon or somebody else's virtual network, they don't know what
the standard is.
I know one thing. Target and the U.S. Government at
HealthCare.gov spent millions of dollars on security, hired
countless experts in and out of house, and they were obviously
data failures. So it's an inexact science.
The Federal Trade Commission has a mandate to protect us as
consumers from, effectively, willful or reckless behavior.
LimeWire participated in reckless behavior in the switches, how
they had them turned down, what the default was, perhaps even
on the peer-to-peer. But, certainly, because they made you most
vulnerable, unless you knew a lot about the software and
installation, they created a vulnerability which, quite
frankly, was intentional.
And in a hearing before this committee, we pretty much got
that, that they were--they thought it was great to open wide,
when, in fact, they were implying it was small. To me, that's
what the Federal Trade Commission was supposed to go after.
They just weren't, apparently, an easy enough target.
So as we look at, not Section 5 authority--because I
believe that Section 5 authority intended on deceptive and
unfair practices in the Internet world, in the cyber world,
being an authority; I think they did. But I think they wanted
us to go after LimeWire, after people who claimed things.
And, quite frankly, I think maybe they want to go after a
company like Tiversa, who goes around and trolls all over the
Internet, using expertise that some might say was similar to
the CIA--who, by the way, paid Tiversa at one point. And they
go out and they find all these vulnerabilities, and then they
turn them into business practices. And, in fact, every
indication is they not only found the vulnerabilities but they
stole information off those products. They stole them after the
CEO of that company testified that these people were victims.
Mr. Boback testified before this committee that people whose
employees loaded LimeWire were victims, that, in fact, the
person loading LimeWire was a victim because he or she didn't
understand that they were creating the vulnerability.
So the very person who said you're a victim of this peer-
to-peer software before this committee then used that
vulnerability to pull data, to steal data. And to the extent
they stole data only so they could inform the company and show
them that it happened, I might say that it wasn't wrong. But to
the extent that it was $475 an hour, that becomes a little more
questionable. To the extent that they then go to the FTC if you
don't say yes, as though they have a civic obligation.
Our discovery is not finished, but at this point it appears
as though if you paid Tiversa, you never would've gotten that
letter from the FTC. Mr. Daugherty, if you'd paid Tiversa, you
never would've had these years of agony. And for just a few
hundred thousand dollars, you probably would still have a going
concern instead of litigation ongoing.
Now, that doesn't go to the merit of the letter, it doesn't
go to the merit of the suit. It goes to the whole question of
the practice. We haven't passed a law that says, if you go out
and surf the Internet, look for vulnerabilities and take things
off of people's private sites, including HIPAA-related
material, that, in fact, you're a criminal. Maybe we should.
And that's within the jurisdiction of Energy and Commerce and
other committees, and we take it seriously. And it's one of the
reasons that this hearing is important.
Now, I have a closing very self-serving question, mostly
for, if you will, my two company victims. Things have been said
here and allegations made and questions about Tiversa as a
company. I don't normally investigate companies. It's not the
practice of this committee.
But given--and I'm going to leave Mr. Daugherty, because
you're in a lawsuit. I'm just going to leave you out of it for
a moment.
But, Mr. Roesler, your case is completely finished; is that
correct?
Mr. Roesler. It is.
Chairman Issa. And so you're done, you have no financial
interest in anything that we look into; isn't that correct?
Mr. Roesler. That's correct.
Chairman Issa. So do you believe it's reasonable for this
committee to find out what Tiversa took off of your Web site or
your site or some other site, where they got that information
that they approached you with an offer to sell you services?
Mr. Roesler. I believe it's worth the while if there's a
pattern, that I am not the only victim, then it's worth the
while.
Chairman Issa. If we thought you were the only one, we
wouldn't be here.
Do you believe it's important for us to verify the
relationship between Tiversa and the various companies--many of
whom we have lists of, so we know you're not the only one--that
they turned over to the FTC based on one question? The ones
that they offered services to that bought the services where
they never turned over to the FTC, but ones who declined were
often turned over to the FTC. Is that a question you think we
should find out the answer to?
Mr. Roesler. I believe that would be a very good question.
Chairman Issa. And, lastly, the law firm that sued you in a
class action, do you believe it's fair for us to find out
whether there was a direct connection between these two
Pittsburgh-based companies and data taken from somewhere yet
unknown, provided to the law firm, and the law firm then going
out and reaching out to your patients and clients? Do you
believe we should ask those questions as part of a broader
investigation to find out whether, in fact, that was
coincidence or, in fact, an attack on your company because you
didn't buy their services?
Mr. Roesler. Mr. Chairman, one of the reasons why I'm glad
to be here today is the hope that possibly that question could
be answered.
Chairman Issa. Well, I'm going to recognize Mr. Cummings.
These are some of the areas in which I believe that
somebody should investigate. For now, the somebody is us. Our
hope is that the FTC IG, who has some authority but not as much
as we do, oddly enough, to get information from nongovernment
entities, and perhaps the Justice Department and others will
look into it.
But until we find somebody else, at least for the
foreseeable future, my intent is to continue asking those
questions. We will invite Tiversa and others in. As I said at
the opening, I would hope to hear--that all the Members would
hear from the whistleblower, not because his accusations are
alone of anything other than the basis under which we began
this, but because when you get one set of allegations and you
go out to corroborate them and you have those as a first
statement, then when you find the second corroboration,
normally it allows you to show that it is true. I want to get
to the truth. I know Mr. Cummings does.
So for all of you, Section 5 authority--it's not our job to
second-guess what Congress gave them. They gave them the
authority. Section 5 authority, it is for us to ask, are they
acting in a way that allows unfair actors to be held
accountable and others to know how to meet their obligation?
You have our commitment, we intend to continue and do it.
As to unfair practices practiced in the cyber world and as
to people's vulnerabilities and how they correct it, this is an
ongoing part of this investigation. The questions I asked you,
I said they were self-serving. It's the intent of this
committee to continue for as long as it takes to feel that all
parties are satisfied that we asked all the right questions and
got as many answers as we could.
Mr. Cummings?
Mr. Cummings. Thank you very much, Mr. Chairman.
When I--first of all, I want to thank the witnesses for
being here. You know, sometimes I think witnesses wonder
whether they have an impact. And I can tell you that all of you
were excellent. And I really appreciate what you said, and I
think the Members listened to you very carefully.
When I first read the title of the hearing, I was very
concerned with the question of whether FTC has the authority to
pursue data-security enforcement actions under its current
Section 5 authority. And I think, based upon what the chairman
just said, I think we all agree that they do. And I agree with
him, the question is how they go about doing that.
And I think that there are moments that present themselves
in our lives where we have to stop for a moment and at least
take a look at what we're doing and how we're doing it.
Mr. Roesler, Mr. Daugherty, as I said before, if you've
been treated unfairly--you know, and both of you are dealing--
your businesses dealt with health issues, right? Health. And
health is a big, big deal for me, personally, and I'm sure it's
a big deal for most of us. But I want us to be very careful.
You know, government does have a role to play. It really
does. When people's information is out there, their lives can
be turned upside down. I've had people come to me as a
Congressman, talk about their identity being stolen and taking
years and years to get it back. We have to have some folks
making sure that we protect as best we can against that.
And I think that there's always a balance. You know,
there's got to be a balance so that we don't just run over
people like you, Mr. Roesler, and you, Mr. Daugherty, but, at
the same time, make sure that folks who are aiming to do these
kinds of things know that we're not going to stand for it and
that somebody's going to be looking and somebody's going to
bring them to justice.
So that's where, you know--that's--you know, if you listen
to everything that has been said here today, I think that's
what it pretty much boils down to. How do we strike that
balance?
And so I thank you, Mr. Chairman. I think it was a good
hearing. I look forward to hearing from the FTC. And you're
right, trying to hear from the FTC is going to be kind of
tricky, because it seems as if--I mean, if you could limit the
questions to their general procedures without getting into the
case, I think that might be helpful, but it's going to be
tricky. But I think we do need to hear from them as to how they
go about this.
But, again, this is a critical moment. And I think we need
to try to take advantage of it so that, if something needs to
be corrected, that we correct it. I think anybody wants to have
some idea of what they're being accused of. I mean, was there
ways to get the information out in a better way? You know, this
is what you need to look out for. It's just like when you're
riding down the road and it says, you know, 25 miles an hour,
radar enforced by photos. You know, I mean, at some point, it's
nice to have a little notice. And all of us know after we've
gotten a ticket or two that we slow down. And we know those
areas by heart; we just know them.
And so, again, I thank you all for your testimony. I
really, really appreciate it.
And thank you.
Chairman Issa. Thank you.
I'll leave the record open for 7 days, not only for Members
to put in opening statements and extraneous material, but for
the witnesses to provide any additional information they deem
appropriate as a result of the questions here.
Chairman Issa. I want to thank you for your testimony. I
want to thank you for making this a worthwhile hearing.
And we stand adjourned.
[Whereupon, at 12:24 p.m., the committee was adjourned.]