<html>
<title>THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR, JUDGE, AND JURY</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


 THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR,
                            JUDGE, AND JURY

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 24, 2014

                               __________

                           Serial No. 113-142

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                                  ______

                         U.S. GOVERNMENT PRINTING OFFICE

90-892 PDF                     WASHINGTON : 2014
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
                          Washington, DC 20402-0001


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director


                            C O N T E N T S

                              ----------
Hearing held on July 24, 2014

                               WITNESSES

Mr. Michael Daugherty, Chief Executive Officer, LabMD, Inc.
    Oral Statement
    Written Statement
Mr. David Roesler, Executive Director, Open Door
    Oral Statement
    Written Statement
Mr. Gerald Stegmaier, Partner, Goodwin Procter
    Oral Statement
    Written Statement
Mr. Woodrow Hartzog, Associate Professor, Samford University
    Oral Statement
    Written Statement


 THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR,
                            JUDGE, AND JURY

                              ----------


                        Thursday, July 24, 2014

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:37 a.m., in Room
2154, Rayburn House Office Building, Hon. Darrell E. Issa
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Turner, Duncan,
Jordan, Chaffetz, Walberg, Lankford, Gosar, Massie, Collins,
Meadows, Bentivolio, DeSantis, Cummings, Maloney, Norton,
Tierney, Clay, Lynch, Connolly, Duckworth, Kelly and Lujan
Grisham.
    Staff Present: Jen Barblan, Senior Counsel; Molly Boyl,
Deputy General Counsel and Parliamentarian; Ashley H. Callen,
Deputy Chief Counsel for Investigations; Sharon Casey, Senior
Assistant Clerk; Steve Castor, General Counsel; John Cuaderes,
Deputy Staff Director; Adam P. Fromm, Director of Member
Services and Committee Operations; Linda Good, Chief Clerk;
Tyler Grimm, Senior Professional Staff Member; Christopher
Hixon, Chief Counsel for Oversight; Mark D. Marin, Deputy Staff
Director for Oversight; Ashok M. Pinto, Chief Counsel,
Investigations; Andrew Shult, Deputy Digital Director; Rebecca
Watkins, Communications Director; Jeff Wease, Chief Information
Officer; Sang H. Yi, Professional Staff Member; Meghan Berroya,
Minority Deputy Chief Counsel; Courtney Cochran, Minority Press
Secretary; Jennifer Hoffman, Minority Communications Director;
Julia Krieger, Minority New Media Press Secretary; Lucinda
Lessley, Minority Policy Director; Juan McCullum, Minority
Clerk; Dave Rapallo, Minority Staff Director; and Brandon
Reavis, Minority Counsel/Policy Advisor.
    Chairman Issa. The committee will come to order. Without
objection, the chair is authorized to declare a recess of the
committee at any time. Today's hearing, ``The Federal Trade
Commission and Its Section 5 Authority: Prosecutor, Judge, and
Jury.''
    The Oversight Committee mission statement is that we exist
to secure two fundamental principles. First, Americans have a
right to know that the money Washington takes from them is well
spent. And second, Americans deserve an efficient, effective
government that works for them. Our duty on the Oversight and
Government Reform Committee is to protect these rights. Our
solemn responsibility is to hold government accountable to
taxpayers, because taxpayers have a right to know what they get
from their government. It is our job to work tirelessly, in
partnership with citizen watchdogs, to deliver the facts to the
American people and bring genuine reform to the Federal
bureaucracy.
    With that, I would recognize the ranking member for his
opening statement.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Today's hearing will cover several new issues for this
committee. First, the Republican briefing memo says that the
committee will examine, ``whether the FTC has the authority to
pursue data security enforcement actions under its current
Section 5 authority.'' In Section 5 of the FTC Act, Congress
gave the FTC authority to protect American consumers, that is
our constituents, and ensure that their personal, medical,
financial, and other information is protected from unauthorized
disclosure. The FTC has been using this authority to ensure
that companies who receive this type of consumer information
take appropriate steps to safeguard it. In fact, a Federal
judge recently upheld this authority and rejected an attempt
to, ``carve out a data security exception.''
    Yesterday, Senator Rockefeller, the chairman of the Senate
Commerce Committee and an expert on this issue, sent a letter
to the chairman emphasizing this point. He wrote, ``Another
apparent purpose of your hearing is to express skepticism about
the FTC's long-standing and well-established legal authority
under Section 5 of the FTC Act. This skepticism is unfounded,
and your public position was recently rejected by a Federal
judge in the FTC data security case against Wyndham
Corporation.''
    He goes on to say, ``Over the past 13 years, the Commission
has initiated dozens of administrative adjudicatory proceedings
in cases in Federal court challenging practices that
compromised security of consumers' data and that resulted in
improper disclosures of personal information collected from
consumers.''
    According to the Republican memo, today the committee will
also examine, ``recent FTC actions related to data security
practices.'' One of the witnesses testifying today is Michael
Daugherty, the CEO of a company called LabMD. The FTC has
brought an enforcement action against LabMD, and Mr. Daugherty
admits that more than 900 files on his billing manager's
computer were accessible for public sharing and downloading,
which is a major security breach.
    Mr. Daugherty has written a book entitled ``The Devil
Inside the Beltway.'' In it, he refers to the FTC as,
``terrorists.'' He also accuses the FTC of engaging in,
``psychological warfare'' and ``torture,'' and of
``administering government chemotherapy.'' Of course he has a
right to his opinion, but this committee should base its
oversight work on facts rather than the extreme rhetoric of a
defendant in an ongoing enforcement action.
    As part of our investigation, we have also received
competing allegations about Tiversa, a data security firm that
provided information to the FTC about LabMD's security breach.
Obviously, we all agree that the FTC should rely only on
evidence it believes to be legitimate. If allegations are
ultimately verified that Tiversa provided intentionally
falsified data, that data clearly should not be used in any
enforcement action. But to date, we have obtained no evidence
to corroborate these allegations. So they remain just that,
unconfirmed allegations.
    Unfortunately, on June 17th, the chairman sent a letter to
the FTC inspector general alleging coordination and
collaboration between the FTC and Tiversa, and suggesting that,
``the FTC aided a company whose business practices allegedly
involved disseminating false data about the nature of data
security breaches.'' The chairman wrote that, ``the FTC appears
to have acted on information provided by Tiversa without
verifying it in any meaningful way.'' He also requested that
the inspector general examine the actions of several specific
FTC employees.
    I do not know how the chairman had reached these
conclusions since the committee has not yet spoken to a single
FTC employee. The committee just requested documents from the
FTC less than a week ago, and the committee has obtained no
evidence to support claims that the FTC officials directed
Tiversa employees to fabricate information. To the contrary,
every single current and former Tiversa employee interviewed by
the committee staff has uniformly denied receiving any requests
from FTC employees relating to fabricating information.
    In response to the chairman's request for an investigation,
the inspector general has now informed the committee that one
of the employees named in his letter in fact was, ``brought in
to assist with the LabMD case after Tiversa was no longer
involved, and she has not been working on the case for the past
year.'' As I close, so it appears that some of the chairman's
information was incorrect.
    I am sure we will hear a lot of allegations today from
parties in this ongoing litigation. Our job is not to take
sides, but rather to serve as the neutral overseers and base
our conclusions on the facts and the evidence.
    The consequences of having personal information compromised
can be devastating. As the new Republican majority leader Kevin
McCarthy has said, ``Nothing can turn a life upside down more
quickly than identity theft.'' I agree with him. That is why I
wrote to Chairman Issa in January proposing the committee
examine the massive data security breach at Target, which may
have compromised the personal information of more than 100
million American consumers. Instead of holding hearings like
today's, which seeks to cast doubt on whether the FTC even has
the authority to protect our constituents, the consumers, the
American consumers, I hope the committee will turn to
constructive efforts to improve corporate data security
standards across the board. And I thank you, Mr. Chairman.
    Chairman Issa. I thank the ranking member.
    Chairman Issa. Today's hearing concerns the Federal Trade
Commission and information this committee has uncovered that
raises some important questions. As long as I have been
chairman, and as long as I am chairman, this committee will
focus, as its name implies, Government Oversight and Reform
Committee. It is not for us to look first to the private
sector. It is not for us to issue subpoenas and target private
sector for their beliefs, for their practices, or for the
failures that they certainly are paying a high price for, as
Target is and should.
    During my tenure, healthcare.gov was launched. Anyone of
ordinary skill could have gone into the Web site, changed a few
statements, a few of the letters in the top of the screen,
while looking at their record, and seen somebody else's record
at the launch. On a billion-dollar Web design, it was
vulnerable to ordinary hacking and accidents at the time it was
launched.
    The FTC did not sue President Obama or any of the chief
information officers responsible for this failure. They did not
sue the Secretary. They did not even sue the companies who
delivered this shoddy work. Instead these were systematically,
when discovered, corrected at taxpayers' expense. That was the
right thing to do. When mistakes are made, when vulnerabilities
are recognized, it's the responsibility of the entity to do its
best to fix them.
    If the Federal Trade Commission was overseeing companies
whose vulnerabilities are exposed, demanding that they fix it
or face the consequences, absolutely we would say they were
doing their job. If the Federal Trade Commission had even
published a best practices minimum requirement for data
security, we would be able to say that the law was clear, and
that somebody failed to live up to those stated guidelines. But
none of these exist. The Federal Trade Commission cannot tell
you what is right; they only will come in and demand a consent
decree if, in fact, you, through fault or no fault of your own,
become a victim of hacking or a recognition of a vulnerability.
    The FTC is using its regulatory authority not to help
protect consumers, but, in fact, to get simple consent decrees
using the unlimited power it has to not only sue at government
expense, but to force you before administrative law judges
that, in fact, are part of the executive branch. Millions of
dollars will be spent attempting to defend yourself against the
Federal Trade Commission even if you are right. And what if
you're wrong? What if you're wrong? What if something happened?
What is your choice?
    Several years ago, under Chairman Waxman, I watched a
demonstration of a vulnerability created by a third-party
software that people were using to share music. I'm a techie. I
was impressed. I saw that this software was downloaded by
hundreds of thousands of people, put onto computers they owned
or didn't own, and it created a vulnerability. It was
deceptive--at least according to testimony, it was deceptive in
how it did it. And our own people loaded the software and
agreed that when you loaded it, the default would make the hard
drive of the computer it was loaded on vulnerable in every one
of its directories, when, in fact, you were really only
attempting to make your music directory available for sharing.
    In both public and private systems around the country, this
software was downloaded and created what people thought was a
peer-to-peer music sharing, and, in fact, created a
vulnerability in which people could look at what was on your
hard drive.
    We were aghast. We thanked our witnesses for making us
aware of it, and we committed ourselves to stop the deceptive
practice of this software company, something over which the FTC
had authority and should have acted.
    But, in fact, what we are finding is that what we were told
was only a part of the story. When information does--the
question today is how is the FTC using that regulatory
authority, and are they doing their job? Are they targeting the
culprit or the victim? What information does the agency
consider to be a reliable basis to embark?
    Mr. Lynch. Mr. Chairman, could I ask you why the clock is
not running on any of this?
    Chairman Issa. We didn't stop the ranking member from going
as long as he wanted, well over the time. That's the practice
of the committee. I thank you.
    Mr. Lynch. That's a good answer. Thank you.
    Chairman Issa. What information does the agency consider to
be a reliable basis to embark on often erroneous inquisitions,
in the chairman's opinion, into the activities of American
companies?
    The committee held two hearings in the past, as I
mentioned, one in 2007 and another in 2009, about the potential
for individuals using peer-to-peer file-sharing programs to
inadvertently share sensitive or otherwise confidential
information. The key witness in both of these hearings was Mr.
Robert Boback, the CEO of a cyber intelligence firm, Tiversa,
Incorporated. That CEO outlined numerous data breaches that
deeply troubled members of the committee.
    Mr. Boback specifically spoke about an Open Door Clinic, a
nonprofit AIDS clinic in Chicago's suburbs in 2009. He said,
``These are AIDS victims, 184 patients, who are now victims of
identity theft. The clinic released their information and has
not addressed it.'' But the Open Door Clinic has told us they
have no information of any of their patients having had their
identities stolen. We do not know why Mr. Boback made the claim
to this committee previously, and we will hear that today.
    Earlier this year this committee became aware, on a
bipartisan basis, of serious accusations that Tiversa engaged
in a business model that was not focused on protecting
consumers alone, but obtaining what we would say effectively is
a new form of protection payments from businesses. As is often
the case with protection payment demands, many businesses that
did not pay up faced serious consequences.
    Here's how it worked. Tiversa would contact a company or
organization and tell them that they had engaged in a practice
that left customers' data vulnerable. Tiversa would offer to
sell the company or organization remediation services. Many
companies took their services and paid, at least for a while.
Others refused and found themselves turned over to the Federal
Trade Commission.
    The cost and concerns created by an FTC investigation can
be immense, particularly to a small business that in many cases
were the ones that Tiversa focused on. But this isn't just
about allegations of unethical corporate behavior. The
committee has asked the Federal Trade Commission to provide us
with evidence that it independently verified information
provided by Tiversa about businesses before pursuing action. As
the ranking member said, it's been a short time, but having
engaged in suits, received consent decrees, and litigated for
years, we expected that the Federal Trade Commission would be
able to give us at least a few examples of independent
confirmation immediately. We are still waiting for the FTC to
show us such evidence. We look forward to it. And as I will say
again, we look forward to hearing from the FTC in the future
directly.
    It's one thing for a company like Tiversa to report all of
its concerns about consumer data breaches to appropriate
authorities. It's quite another when enforcement authorities
are selectively used, through a special relationship, to punish
firms who refuse to pay for those services.
    The committee has reason to believe that information
provided by Tiversa on which the FTC relied was inaccurate. Two
of our witnesses this morning were approached by Tiversa and
the FTC regarding data breaches. Tiversa provided information
that alleged data breaches in these organizations to--about
these breaches in these organizations to the FTC only after
they refused to sign up for Tiversa's services.
    Mr. Daugherty, the CEO of LabMD, according to my opening
statement, has been to hell and back. I don't think he's gotten
back yet. In fact, his fight with the FTC has gone on for
years. The Commission wanted him to acquiesce to a consent
decree admitting that he did not take proper precautions to
avoid data breaches.
    Given that Mr. Daugherty did not believe the allegations
against him were true or fair, he fought back, and he did so at
great personal expense. His specialized cancer-screening
company is now effectively nonexistent.
    I will let Mr. Roesler explain his experience with Tiversa
and the tribulations he experienced thereafter, but I
especially want to thank him for being here today. Mr. Roesler
runs, as previously mentioned, a nonprofit AIDS clinic near
Chicago, Illinois, and has taken time away from his important
work and agreed to join us this morning because of how
important he believes it is to tell his story.
    I also want to thank Mr. Stegmaier for appearing this
morning. He will be providing invaluable testimony about the
FTC's actions as they relate to going after companies that are
alleged to have unfair, deceptive trade practices.
    Today's hearing is an opportunity to hear from alleged
victims of these arrangements made between Tiversa and the
Federal Trade Commission. Neither the FTC nor Tiversa are here
today, but I do expect to have both of them here at a future
date to respond to the concerns and allegations that I expect
we will hear today.
    Today's hearing is the result of a whistleblower who at
great personal expense came to this committee. This committee
is grateful to all the brave individuals who come forward to
provide information as whistleblowers. It is only through
whistleblowers that we see an exposure of wrongdoing by the
government as well as private companies. Whistleblowers are not
always without responsibility. Whistleblowers may, in fact,
know what they know because for a time they participated in the
wrongdoing. Nevertheless, whistleblowers are invaluable. When
someone's conscience, whether they were involved or not, brings
them forward, they should never be the target of this
committee.
    This whistleblower gave us a proffer, seeking immunity only
for what he was to testify to that he had done on behalf of
Tiversa. He detailed for this committee information that was
invaluable to our ongoing--to our investigation, which is only
ongoing because of his coming forward.
    At a point in the future, I expect this committee will need
to schedule a vote on granting immunity for this whistleblower.
To date, we have not been able to convince the minority to
consider immunity for this whistleblower. Instead, at every
turn the minority has chosen to seek accusations against the
whistleblower; against his personal wrongdoing, his personal
misconduct, his personal life. But, in fact, to our knowledge,
no evidence has come forward that would in any way dispute the
accuracy of the detailed story that he told.
    For those Members here on both sides of the aisle, if you
have not already seen his video proffer of how he participated
in the activity, I ask you to schedule time, Members only, to
see this proffer, because as we consider immunity, it is
important that you understand the nature and detail of the
evidence and accusations brought by this whistleblower.
    I make no credible statement as to a whistleblower's
authenticity. What I can say in this case is without the
whistleblower, we would not be having this hearing today. And
if the whistleblower is guilty of a crime, the crime had to be
committed by others that he is accusing. There can be no crime
if, in fact, he is not telling the truth. And if he is telling
the truth, he participated in a deception that affected both
the Federal Trade Commission and the United States Congress.
    I would ask all Members, please, take time out of your busy
schedule to view the proffer. It is detailed, it takes nearly
an hour, but it will lead, I believe, to the kind of
recognition that you cannot see here today in an open hearing.
    Chairman Issa. It is now my honor to welcome our witnesses.
Mr. Michael Daugherty is the chief executive officer of LabMD.
Mr. David Roesler is executive director of Open Door Clinic in
Illinois. Mr. Gregory Stegmaier is a partner at Goodwin Procter
in D.C., in Washington, D.C. And Mr. Woodrow N. Hartzog is an
associate professor at the Cumberland School of Law at Samford
University.
    Gentlemen, pursuant to the committee rules, would you
please rise to take the oath and raise your right hand?
    Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
    Please be seated.
    Let the record indicate that all witnesses answered in the
affirmative.
    For our first two witnesses in particular, you are here to
tell your story. I know testimony is new to you. We have a 5-
minute rule. Your entire opening statements as prepared will be
placed in the record. But I understand that you may go over
slightly. We are not going to hold you exactly to 5 minutes,
but to the greatest extent possible, try to stay within the 5
minutes, which will help us ask you more questions in follow-up
dialogue.
    Mr. Daugherty.

                       WITNESS STATEMENTS

                 STATEMENT OF MICHAEL DAUGHERTY

    Mr. Daugherty. Thank you.
    Good morning, Chairman Issa, Ranking Member Cummings, and
members of the committee. My name is Michael Daugherty, and I
am the president and CEO of LabMD, a cancer-detection
laboratory based in Atlanta, Georgia. We were a private company
that I founded in 1996, a small medical facility that at its
peak employed approximately 40 medical professionals who
touched nearly 1 million lives. Thank you for the opportunity
to speak to you as a small businessman and medical professional
about my experience and opinion at the hands of the Federal
Trade Commission.
    What happened to my company, its employees, physicians, and
their patients is what springs from the FTC's unsupervised
playbook, and that playbook relies upon coercive and
extortionist strategies to make large and small companies alike
quickly succumb to FTC demands.
    In May 2008, our nightmare began with a call that could
happen to any American. It was from Robert Boback, the CEO of
Tiversa. And in the words of former FTC Commissioner Rosch,
Tiversa is more than an ordinary witness, informant, or
whistleblower. It is a commercial entity that has a financial
interest in intentionally exposing and capturing sensitive
files on computer networks.
    Mr. Boback told LabMD that Tiversa had found LabMD patient
data on the Internet, but refused to tell us more unless we
paid and retained them. Everyone in medicine knows you cannot
go out intentionally looking for vulnerable medical files so
you can take them, read them, keep them, distribute them. This
is probably a crime, but it's definitely vigilante behavior,
and it's outrageous.
    In January of 2010, Alain Sheer, an attorney with the FTC,
contacted LabMD with an 11-page, single-spaced letter opening a
nonpublic inquiry. We responded by sending in nearly 10,000
pages of documents, and we invited the FTC to come to Atlanta
to see our facility, to tell us what to do differently, to tell
us what their standards were. The FTC declined. We quickly
discovered that until told otherwise by the courts or Congress,
the FTC presumes to have jurisdiction to investigate any
company or person.
    When we asked the FTC where they were going with this, they
would obscurely mention consent decrees, and we learned that
FTC consent decrees actually are this: You sign up for 20 years
of audits, you enter the FTC ``hall of shame'' via craftily
worded press releases and half-truth congressional testimony.
The fact that you have not been found any wrongdoing stays
buried deep in the fine print. And the threat of being tied up
for years in court and drained financially is their gun to the
head to extract false confessions.
    In August 2010, I had to find out what was going on here,
because something felt odd and wrong. And I learned that
Homeland Security gave $24 million to Dartmouth to partially
fund their data hemorrhage study. And Dartmouth stated that it
got the LabMD file by using Tiversa's unique and powerful
technology.
    Tiversa put out a press release in May 2009 I found, which
in part stated, Tiversa--this is their words--``Tiversa today
announced the findings of new research that revealed 13 million
breached files emanating from over 4 million sources. Tiversa's
patent-pending technology monitors over 450 million users,
issuing 1.5 billion searches per day. Over a 2-week period,
Dartmouth College researchers and Tiversa searched file-sharing
networks and discovered a treasure trove, a spreadsheet from an
AIDS clinic with 232 client names; a 1,718-page document from a
medical testing laboratory. And requiring no software or
hardware, Tiversa detects, locates, and identifies exposed
files in real time.''
    What does Tiversa want you to think ``exposed'' means? Out
of 13 million files found by Tiversa, how odd is it that the 2
mentioned in their press release are sitting at this table
today?
    I was stunned that nobody was asking who this private
company was who was stockpiling other people's sensitive
information. What gave them the right to assume ownership?
    September 2013 to April 2014, the FTC pursued litigation
against LabMD via their optional administrative process rather
than in Federal court. FTC Commissioner Wright said this
process provides the FTC with institutional and procedural
advantages. This is lawyerspeak for the FTC stacks the deck way
in favor via rules Congress allows them to make. They admit
hearsay that would never fly in Federal court, which is why we
aren't in Federal court. Federal courts won't intervene because
Congress says they can't.
    When asked about the FTC data security standards, Alain
Sheer said, ``There is nothing out there for a company to look
at. There is no rulemaking. No rules have been issued.'' Yet
even without any standards, they show others what happens if
you push back. They subpoenaed approximately 40 different
individuals from my company, long-gone LabMD employees that
left the company up to 7 years before, current staff, managers,
outside physicians, vendors. These witnesses were forced to
retain counsel and were intimidated and scared. Here is the
message to all that are watching from the FTC: This is FTC
justice, and this is going to happen to you if you don't play
along.
    And then the penny dropped. During the trial, a former
Tiversa employee who was to testify regarding Tiversa's
acquisition of LabMD data and subsequent submission of the data
to the FTC invoked his Fifth Amendment right against self-
incrimination.
    All Americans should be outraged by the FTC's unchecked
ability to pursue a claim that is not based on any legal
standard; outraged that the FTC's administrative proceedings do
not afford the same guarantees of due process that our Federal
courts provide; and outraged with the FTC's use of, and
reliance upon, information from a private for-profit entity. If
this has happened to LabMD, a small medical facility, a cancer-
detection center, this can happen to anyone.
    This does nothing to help Americans adapt to the constantly
changing cybersecurity landscape. We are not mind readers; we
are law-abiding citizens. I call on the FTC to stop attacking
victims of crimes. And I thank the committee for its time and
attention to this matter.
    Chairman Issa. Thank you.

    [Prepared statement of Mr. Daugherty follows:]

    [GRAPHIC] [TIFF OMITTED]

    Chairman Issa. Mr. Roesler.
    I'm sorry, you're finished, right?
    Mr. Daugherty. Oh, yeah.
    Chairman Issa. Thank you.
    Mr. Roesler.

                   STATEMENT OF DAVID ROESLER

    Mr. Roesler. Good morning, committee members. My name is
David Roesler. I am and have been the executive director of
Open Door Clinic in Elgin, Illinois, the far western suburbs of
Chicago, for the past 15 years. I am appearing today in
response to an invitation to testify on behalf of Open Door
regarding its involvement with the FTC and a company called
Tiversa.
    Between September of 2008 and March of 2013, Open Door was
involved in a class-action lawsuit due to a file that was found
on the Internet that contained names, some with Social Security
numbers, some with addresses, some with birth dates.
    Open Door is a small, not-for-profit AIDS organization.
Currently we have about 30 employees. We had about 15 during
this time. We provide medical care, support services for our
clients.
    In July of 2008, a company called Tiversa contacted Open
Door and said that they had had access to a confidential
document obtained from a P2P network on the Internet.
Communications with Tiversa included a contract for services.
The suggested fees for the contract were $475 an hour. We
contacted our IT service provider, who researched our network;
found no evidence of any P2P networks at that time.
    In September of 2009, Tiversa contacted Open Door again to
report that documents were still available on the P2P software.
Open Door's IT provider once again reviewed its network to
confirm that there was no evidence of any P2P software at that
time.
    Two months after that, in November of 2009, clients began
calling their case managers at the clinic, reporting that they
were receiving phone calls from a law firm asking them to join
a class-action lawsuit because their information had been
released by Open Door. At Open Door's November board meeting,
shortly after the clients started calling, one of the board
members is a client. He brought in a letter that he got in the
mail, also from this out-of-State law firm, telling them that
they had their information out on the Internet, and would they
join a class-action lawsuit.
    Then in January of 2010, we received a letter from the FTC.
\nThe letter indicated that they had found a file on a peer-to-\npeer network, and it had a different title than the document \nthat had been reported found by Tiversa.\n    Also in January that same month, in 2010, Open Door was \nsuccessful at getting a law firm to provide us some pro bono \nwork to help us understand what our compliance and \nresponsibilities were. Open Door and its IT provider once again \nreviewed our network, all of our workstations to confirm that \nthere was no P2P software at that time.\n    In February, a month later, February of 2010, a class-\naction lawsuit was filed in Kane County against Open Door. \nSensational newspaper headlines; numerous media outlets began \nshowing up at our door. And 3 years later Open Door's \nsettlement agreement was approved by the court, dismissing the \nclass action. Open Door and its insurers agreed to these \nmotions.\n    Open Door denied, and continues to deny, any legal \nresponsibility for the disclosure. Had the case been tried, we \nwould have expected to prevail, but because of the \nuncertainties, the expense of litigation, Open Door and its \ninsurers agreed to terminate this litigation under these terms.\n    Thank you for letting me tell my story.\n    \n    Chairman Issa. Thank you.\n    [Prepared statement of Mr. Roesler follows:]\n    \n    [GRAPHIC] [TIFF OMITTED] \n    \n    Chairman Issa. Mr. Stegmaier.\n\n                STATEMENT OF GERARD M. STEGMAIER\n\n    Mr. Stegmaier. Mr. Chairman Issa, Ranking Member Cummings, \nmembers of the subcommittee, my name is Gerry Stegmaier, and \nI'm pleased to be here today to discuss the Federal Trade \nCommission's data security enforcement activities under Section \n5 of the FTC Act. 
The views I express are my own, not of our \nclients or of our firm.\n    I'm a partner at Goodwin Procter LLP, and an adjunct \nprofessor at George Mason University School of Law, where I've \ntaught privacy, consumer protection, and constitutional law \ncourses for the last 13 years. I regularly appear before the \nFederal Trade Commission, State attorneys general, and assist \nbusinesses with all aspects of their privacy and information \ngovernance concerns. I appreciate the opportunity to appear \nbefore you today.\n    In 2013, there were 63,437 reported security incidents, and \n1,367 confirmed data breaches. That is not a number reporting \nthe number of accessible information, which is one of the \nthings that Mike spoke about. According to Verizon's 2014 data \nbreach investigation report, 44 million data records across the \nglobe have been exposed.\n    Companies are aware of the need for data security, and have \ntaken steps to be more secure. Data security is important to \nconsumers, the economy, and business, but equally important is \nthe basic constitutional principle that people have a right to \nknow what the law expects of them before we prosecute them.\n    I think a simple analogy helps illustrate this in practice. \nWhen we want people to regulate how fast they drive their cars, \nwe post speed limit signs. If you violate that posted limit, \nand the sign has been there for more than 60 days, you will \nlikely receive a citation. The law calls this fair notice, and \nthe Constitution protects us from government overreach with it. 
\nIt is the shield that protects us from the deference that \nagencies receive.\n    While this analogy may not be a good one, it's important to \nnote that it represents the feelings of many organizations that \nconfront FTC enforcement actions relating to data security.\n    The agency has offered no formal rulemakings or \nadjudications related to data security, and the FTC appears to \nregulate data security primarily through complaints and consent \norders, as we've heard. Neither the complaints nor the consent \norders are binding, reliable precedent. They are \nnonprecedential. Some might call this stop-and-frisk black box \njustice.\n    FTC complaints and consent orders are inconsistent and \noften lack critical information. For example, it is often \nunclear whether implementing some or all of the measures in a \ngiven order would result in fair data security, or even serve \nto avoid future enforcement actions had the underlying company \nadmitted them in the first instance or practiced them.\n    The FTC's often-repeated position that security \nstandards can't be enforced in an industry-specific, case-by-\ncase manner without more guidance provides little comfort to \nthose appearing before the agency. Because the FTC decides on \nan individual and postinfraction basis whether a company is \nnoncompliant, the risk of enforcement actions is unimaginable \nand unpredictable, as we have heard. The penalties that may \nresult from noncompliance are potentially ruinous. Combined \nwith ambiguity of the law, unnecessary compliance risks for \nregulated entities have created a situation ripe for overreach, \nunfairness, and an uneven application of the law.\n    The FTC's existing enforcement and guidance practices also \npose serious due process concerns relating to fair notice of \nthe law's requirements. 
The current enforcement environment \nconsists of aggressive enforcement against the victims of \nthird-party criminal hacking who operate in a realm without \nclear and unmistakable data security law. Improved \nauthoritative--and I emphasize authoritative--interpretations \nof Section 5 by the agency and the courts are crucial to \nimprove compliance and provide entities with sufficient \ninformation to understand how to respond.\n    Let me be clear. The FTC has the means to more clearly \ndefine the law and provide useful, reliable guidance. The \nexisting tools are there. Sadly, there's plenty of room for \nimprovement with the use of these existing tools, and \nimprovements are essential to clarify the underlying \nuncertainty, which we have heard about, and, more importantly, \nto address the constitutional issue of fair notice and due \nprocess.\n    The current reasonableness test, absent additional \nflexible, principles-based authoritative guidelines or court-\nresolved litigation, will do little or nothing to clarify the \ndata security obligations of companies. Using the standards \n``reasonable'' and ``appropriate'' without articulating such factors as \nthe nature of business, the kind of information collected, or \nany other factors that may come into play may not ensure that \nfair notice occurs.\n    In essence, we tell our clients, ``Do what you say and say \nwhat you do.'' We need to hear from the agency what they're doing \nand what they're saying so that the people who are subject to \nprosecution can understand how to respond and how to behave in \nthe first instance.\n    The FTC itself has not consistently defined what sensitive \ninformation is, and without clarification, the agency's \nenforcement will continue to be perceived as arbitrary, and we \nwill lack an understanding of reasonableness.\n    I thank you for your time and attention. I'm pleased to \nanswer any questions you might have.\n    Chairman Issa. Thank you.\n    [Prepared statement of Mr. 
Stegmaier follows:]\n    \n    [GRAPHIC] [TIFF OMITTED] \n    \n    Chairman Issa. Mr. Hartzog.\n\n                  STATEMENT OF WOODROW HARTZOG\n\n    Mr. Hartzog. Chairman Issa, Ranking Member Cummings, and \nmembers of the committee, thank you very much for inviting me \nto provide testimony today. My name is Woodrow Hartzog, and I'm \nan associate professor at Samford University's Cumberland \nSchool of Law and affiliate scholar at the Center for Internet \nand Society at Stanford Law School. I am testifying today in my \npersonal academic capacity, and not on behalf of any entity.\n    For the past 2 years, my coauthor, Daniel Solove, and I \nhave researched the Federal Trade Commission's regulation of \nprivacy and data security breaches, which I will collectively \ncall data protection. We have analyzed all 170-plus FTC data \nprotection complaints to find trends and understand what the \nFTC's data protection jurisprudence actually tells us. I would \nlike to make two main points regarding what I've learned about \nthe FTC's regulation in this area.\n    First, the FTC's regulation of privacy and data security \nunder Section 5 has served a vital role in the U.S. system of \ndata protection. The FTC's involvement has given a heavily \nself-regulatory system of data protection necessary legitimacy \nand heft. The FTC also fills significant gaps left by the \npatchwork of statutes, torts, and contracts that make up the \nU.S. data protection scheme.\n    The FTC's regulation of data protection also helps foster \nconsumers' trust in companies. It is very difficult for \nconsumers to determine whether a company has reasonable data \nsecurity practices or not. 
The FTC's regulation of data \nprotection helps give consumers confidence that their personal \ninformation will be safe and properly used.\n    The second point that I would like to make is that the \noverwhelming pattern that is apparent from the FTC's data \nprotection jurisprudence is that the agency has acted \njudiciously and consistently in outlining the contours of \nimpermissible data protection practices. Section 5 of the \nFederal Trade Commission Act generally prohibits unfair or \ndeceptive trade practices. This is an intentionally broad grant \nof authority. Congress explicitly recognized the impossibility \nof drafting a complete list of unfair, deceptive trade \npractices. Any such list is destined to be quickly outdated or \neasily circumvented.\n    Despite this broad grant of authority, the FTC actually \nbrings relatively few data security complaints, especially \ncompared to the total number of reported data breaches. The \nPrivacy Rights Clearinghouse has reported that since 2005, \nthere have been over 4,300 data breaches made public, with a \ntotal of 868 million records breached. Yet the FTC has filed \nonly 55 total data security-related complaints, averaging \naround 5 complaints a year since 2008. Instead of attempting to \nresolve all of the data breaches, the FTC typically pursues \nonly what it considers to be the most egregious data security \npractices.\n    The FTC has used a reasonableness standard to determine \nwhat constitutes an unfair, deceptive data security practice. \nWhat constitutes reasonableness is determined virtually \nentirely by industry standard practices, and is contingent upon \nthe sensitivity and volume of data, the size and complexity of \na company, and the costs of improving security and reducing \nvulnerabilities. This deference to industry keeps the FTC from \ncreating arbitrary and inconsistent data rules.\n    The FTC does not pull rules out of thin air. 
Rather, it \nlooks to the data security field and industry to determine fair \nand reasonable practices. Virtually all data security \nregulatory regimes which use a reasonableness approach, of \nwhich there are many, not just the FTC, have four central \nrequirements in common: identification of assets and risks; \ndata-minimization procedures; administrative, technical and \nphysical safeguards; and data breach response plans. The \ndetails of these requirements are filled in by industry \nframeworks, accessible resources online, and a vast network of \nprivacy professionals and technologists dedicated to helping \ncompanies of all sizes understand their data protection \nobligations.\n    Of course there is always room for improvement with any \nregulatory agency, but diminishing FTC power will probably not \nultimately make the climate easier for business. In fact, given \nthe vital importance of data protection in commerce, a \nreduction in FTC authority would likely result in the passage \nof more restrictive and possibly conflicting State laws \nregarding data security, more actions by State attorneys \ngeneral, more lawsuits from private litigants, and more clashes \nwith the European Union over the legitimacy of U.S. privacy \nlaw. In the long run, a weakened FTC would likely result in a \nmore complicated and less industry-friendly regulatory \nenvironment.\n    Data protection is a complex and dynamic area for \nconsumers, companies, and regulators. Section 5 enables the FTC \nto be adaptive and serve as a stabilizing force for consumers \nand companies. Thank you very much.\n    Chairman Issa. Thank you.\n    [Prepared statement of Mr. Hartzog follows:]\n    \n    [GRAPHIC] [TIFF OMITTED] \n    \n    Chairman Issa. I will now recognize myself for a round of \nquestioning.\n    Mr. Daugherty, there was an allegation by Tiversa that \nthere was a data breach. 
Have you seen ever any indication, \ncollateral indication, that that breach went to third parties \nthat resulted in any use of the identity information? Any?\n    Mr. Daugherty. Thank you, Chairman Issa.\n    As a matter of fact, no, sir, we have not.\n    Chairman Issa. Okay. Mr. Roesler, same thing. You put up \nwith years of a lawsuit. Did any of the complainants have any \ndemonstrated information that their identifiable information \nhad actually gone somewhere, or just that there was a \nvulnerability?\n    Mr. Roesler. To my knowledge, there is none.\n    Chairman Issa. Now, if there was a breach, meaning it was \ntaken--you had what was it, 184 records that were alleged? Mr. \nDaugherty, you had thousands?\n    Mr. Daugherty. Correct. Nine thousand.\n    Chairman Issa. I've heard an expression that I'd like to \nsee if you all agree with. If you have thousands of records, \nwhether it is 184 in your case or many, many thousands, if they \nhave actually gone out to third parties somewhere, they've, in \nother words, mined them, doesn't it defy gravity that none of \nthem have led to any use of that information in either of your \ncases?\n    Mr. Daugherty. Yes, Chairman Issa, I would agree with that.\n    Chairman Issa. Okay. So I'm not a student of statistics, \nbut I had to take it in college. I certainly agree.\n    So the allegation that you're facing is that you had a \nvulnerability, not an actual breach in reality, because a \nbreach would demonstrate some use. What they really said was, \nMr. Roesler, you didn't protect your site, you didn't have a \ngood enough lock on your site; is that correct?\n    Mr. Roesler. I believe so, yes.\n    Chairman Issa. Mr. Daugherty, same thing. Your lock wasn't \ngood enough.\n    Mr. Daugherty. That's correct, sir.\n    Chairman Issa. Now, the American people may not understand \ncybersecurity at this point, but they understand the padlock on \ntheir front door, their garage door opener. 
And I just want to \nput it in perspective for a moment.\n    Ninety percent of the garage door openers made before the \nyear 2000, a product that simply takes the chip and \nsequentially goes through the combinations, will open every one \nof those garage doors. Before 2000, the vast majority of garage \ndoors, simply you had to go through anywhere from 250 to a few \nthousand combinations, and eventually your garage door would \nopen. People haven't gone back and changed their garage doors. \nUnless you have a Medeco key or a number of other very high-\nsecurity keys, if you have a typical key, it can be picked by \nany locksmith.\n    So are these people leaving a vulnerability? Maybe yes, \nmaybe no. But I want to put it in perspective for both of you.\n    The allegation, as I understand it from previous testimony \nbefore this committee, is effectively one of your employees may \nhave installed a program that was sort of the equivalent of \nputting a little bit of bubble gum in the door latch so that \nthe door didn't really lock, and there was a vulnerability. In \nboth cases, as far as I understand, there was no allegation \nthat you instructed the employee to do it, or that you did it, \nor that it was done with your knowledge. And, Mr. Roesler, I \nunderstand in your case you never found the alleged peer-to-\npeer; is that correct?\n    Mr. Roesler. That's correct. And I don't know that the \nallegations were ever about an employee. Simply that a file \nthat Open Door had created had gotten out.\n    Chairman Issa. Right. But a file that was never found \nexcept in the hands of Tiversa.\n    Mr. Daugherty. Same. As a matter of fact, if you look at \nthe FTC's press release announcing the litigation, they never \nused the word ``breach.'' That's correct, sir.\n    Chairman Issa. 
So we're not talking about a loss of data, \nwe're talking about the vulnerability, the same vulnerability \nthat every time a notebook like this or a computer notebook \nwalks out of a government office with personal information on \nit, like it did in the case of the famous VA one where somebody \nsimply left their notebook, and a million veterans' \nidentifiable information was there, it's a vulnerability. If it \nactually occurs, it occurs because of a human failure in most \ncases, not because of an inherent system failure.\n    Mr. Daugherty, you were running a dotcom. Did you have \nprofessional advice and counsel, and did you buy software to \nprotect against this type of thing?\n    Mr. Daugherty. We ran a medical laboratory.\n    Chairman Issa. But, I mean, you had an online presence.\n    Mr. Daugherty. We had an online presence.\n    Chairman Issa. Mr. Roesler, same thing. From your \ntestimony, you engaged professional outside people to give you \nsecurity.\n    Mr. Roesler. That's correct.\n    Chairman Issa. So you used what you would consider and \nstill consider to be maybe not best practices, but the best \npractices you knew of and could afford, right?\n    Mr. Roesler. Yes.\n    Chairman Issa. We were told under oath by Mr. Boback twice \nthat, in fact, deceptive software was what they went out \nlooking for and found these breaches. And I just want to close \nby asking just one question.\n    Mr. Roesler--and I keep mispronouncing it.\n    Mr. Roesler. It's Roesler.\n    Chairman Issa. Roesler. Mr. Roesler, in your case you had a \nkind of a unique thing that I want to make sure you get a \nchance to explain to us. A company, Tiversa, in Pittsburgh, \nmore or less, contacts you. Coincidentally a plaintiff's law \nfirm in Pittsburgh, Pennsylvania, as I understand it, forms a \nclass-action lawsuit and goes after you, and has the \ninformation to contact those very people who they told you you \nhad this breach. 
So the law firm has the name of all your \nclients; is that right?\n    Mr. Roesler. That's exactly right.\n    Chairman Issa. And they didn't get it from you. So in your \ncase you do have a breach. You know that somebody clandestinely \ngot your clients', your AIDS patients' information, gave it to \na law firm who then used it--and I ask unanimous consent that \nthe sample--we'll get it here in a second--letter that that law \nfirm sent out to every one of your patients--this is called \nSerrano and Associates--and it says right on the bottom, this \nis a solicitation to provide legal services. And is this a copy \nfor the ranking member? I'll give a copy to the ranking member. \nYou have seen that solicitation?\n    Mr. Roesler. Indeed.\n    Chairman Issa. So I just want to make sure for the record \nthat both sides understand. Tiversa contacts you and says \nthere's been a vulnerability, offers you to sell you the \nservices for nearly $500 an hour. You turn them down after \ntalking to your professionals, find no vulnerability. But then \na law firm has the very information they were talking about, \nwhich obviously was gleaned somewhere, and probably off of your \nservers or your drives. They--then it gets somehow to a law \nfirm, coincidentally in Pittsburgh, who then goes about \ncreating a plaintiff's--a class-action suit, contacts your \npatients, who in no other way were contacted except by this law \nfirm, and proceeds to sue you for years.\n    Mr. Roesler. That is my perspective.\n    Chairman Issa. Okay. I now recognize the ranking member.\n    Mr. Cummings. Mr. Chairman, to indulge us before I ask my \nquestions, I would ask for just 1 minute to clarify a point for \nthe record with unanimous consent with regard to some \nstatements you made in your opening statement. May I?\n    Chairman Issa. Go ahead.\n    Mr. Cummings. 
Thank you very much.\n    The chairman made some points in his opening statement \nabout the potential immunity for a witness, and I take this \nmoment because, Mr. Chairman, everybody on both sides of the \naisle care tremendously about whistleblowers. There is not one \nperson on this, Republican or Democrat, and our record has \nshown that.\n    You said that the Democrats have been unwilling to consider \nimmunity. That's not accurate. We have said consistently and \nrepeatedly that we are willing to consider immunity. We \nparticipated in the proffer. We viewed the video, as well as \nmany documents. At this stage the committee has not identified \nevidence that would substantiate or corroborate the allegations \nof this witness against other individuals.\n    The chairman also said that we have sought out negative \ninformation about this witness in an effort to discredit him. \nThat's not true. The information came to us from the CEO of \nTiversa's attorney about criminal activity. Once we found out \nabout that, we wanted to know more about it. I mean, that's \njust logical.\n    Chairman Issa. I thank the ranking member, and I would say \nthat this is perhaps outside the scope of this hearing. I would \nalso note----\n    Mr. Cummings. But you just made these allegations against \nus. It's in the scope of the hearing because you put it in \nthere.\n    Chairman Issa. You asked unanimous consent. I granted it. \nThe fact is that my opinion in the opening statement will \nstand.\n    I will say for the record, since you just said it, too, the \nfact is your committee members have refused--even sitting here \nin the House of Representatives, even inside a building with \ntotal security, they have refused to meet with the \nwhistleblower, claiming that based on the allegations of Mr. \nBoback and his attorney, that they are too afraid to, men and \nwomen. So quite frankly, you can have your opinion--you can \nhave your opinion, Mr. 
Ranking Member, I will have mine.\n    Mr. Cummings. Very well. I will continue my 5 minutes then.\n    Chairman Issa. I will start your 5 minutes over in a \nmoment.\n    Mr. Cummings. Okay.\n    Chairman Issa. I have invited in my opening statement, and \nwith indulgence of the witnesses, all Members to look at the \nvideo proffer, and all members of this committee to have access \ndirectly to the whistleblower for purposes of continuing the \nproffer.\n    I made it clear in my opening statement--and I will \nreiterate it because I think the ranking member's point is \ngood--serious allegations about the personal life of the \nwitness have come forward. But, again, as I said in my opening \nstatement, allegations do not go to the direct claims of the \nwhistleblower as to the facts that he said in his proffer had \noccurred.\n    So is the whistleblower claiming he did no wrong? Just the \nopposite. The whistleblower has come forward with a proffer, \nbecause, in fact, if he makes that testimony, he will do so at \nthe risk of prosecution. The whistleblower has already taken \nthe Fifth in another venue, and, as a result, qualifies for the \nquestion.\n    Now, in the Lois Lerner case, Mr. Cummings, we had a \nwitness who you kept saying you wanted immunity for, but she \nonly said she was innocent. In this case we have an \nindividual----\n    Mr. Cummings. There you go again.\n    Chairman Issa. This individual, this individual came \nforward and said wrongdoing occurred. It has led to today's \nhearing. 
And I simply, in my opening, asked all Members to take \nthe time to look at the information individually, because I do \nbelieve that to get a full understanding and cross-dialogue--\nbecause everything that is brought out by our whistleblower is \nsubject to, in fact, credibility check as to the facts \nbrought--but that dialogue will not be possible unless the \nwhistleblower is granted the limited immunity as to exactly \nwhat, and only what, he came forward with as allegations \nagainst Tiversa, and, as a result, the FTC and perhaps false \nstatements made before this committee.\n    It is a serious claim, I take it seriously, and I ask all \nMembers to individually look at it. Mr. Cummings, most Members \nhave never seen any of it, and that's why I was making it \navailable today in open hearing to look at it and make their \nown decisions.\n    And I thank the gentleman. Please restore his time to 5 \nminutes.\n    Mr. Cummings. Thank you, Mr. Chairman.\n    The chairman also said we had sought out negative \ninformation about this witness in an effort to discredit him. \nThat is not true. The witness has engaged in numerous criminal \nactivities that go to credibility, and he failed to disclose to \nthe committee during his proffer, he failed to disclose them. \nAnd some of these activities were occurring at the same time \nthat we were speaking with the--that he was speaking with the \ncommittee.\n    Generally, I believe the committee should grant immunity to \nwitnesses who have admitted to engaging in criminal conduct \nonly in rare circumstances when those witnesses provide \nconcrete evidence of criminal activity by others. I appreciate \nthe goal of rewarding whistleblowers who come forward \nvoluntarily to identify waste, fraud, and abuse, and we have a \nrecord of that. 
But I do not believe that immunity is a proper \nreward when individuals provide evidence relating only to their \nown wrongdoing.\n    Although we remain open--and I say, I want to be clear--\nalthough we remain open to considering immunity should \nadditional evidence emerge, we cannot responsibly support \nimmunity at this time.\n    Now, according to the Republican memo for today's hearing, \none of the main topics is, ``whether the FTC has the authority \nto pursue data-security enforcement actions under its current \nSection 5 authority.'' So let's ask our witnesses.\n    Mr. Stegmaier, you have written extensively on this topic. \nIn one article, you wrote, ``The agency is the Federal \nGovernment's largest consumer protection agency. The Commission \nroutinely investigates publicly reported data-related incidents \nwith the threat of subsequent litigation. Since 2000, the FTC \nhas brought 42 data-security cases.''\n    Mr. Stegmaier, with respect to the hearing question today, \nI take it from your writings that you agree that the FTC has \nthe authority to bring enforcement actions under Section 5 to \nprotect the data security of consumers; is that right?\n    Mr. Stegmaier. Mr. Cummings, thank you. That is actually a \nreally great question, and I appreciate the way that you have \npresented it.\n    At the outset, let me just note that I come before the \ncommittee today with the understanding that the committee \nsought my expertise and understanding specifically about fair \nnotice and due process concerns.\n    Whether or not the agency has jurisdiction is actually, \nironically, something that Congress has given the agency \nincredible deference to determine in and on its own, and it's \nactually subject to a number of pending lawsuits and \nlitigation.\n    So the answer to your question, I think, is that the agency \nabsolutely believes that it has such jurisdiction, but that \nanswer to that question hasn't been definitively resolved. 
And, \nhistorically, under caselaw, the agency would receive such \ndeference.\n    But my focus is more on whether or not people who are going \nto be subject to that deference, whatever the ultimate outcome \nmay be, have fair notice about what the law requires of them.\n    Mr. Cummings. Mr. Hartzog, you have also written \nextensively on the FTC's work on data security, so let me ask \nyour expert opinion. Does the FTC have the authority to bring \ndata-security actions under Section 5?\n    And one of the things that we should all be concerned about \nis a chilling effect. And I just wanted you to respond to that.\n    Mr. Hartzog. Sure. I think that, yes, the FTC does have the \nauthority under Section 5 to regulate data-security practices. \nIf you look at the plain wording of Section 5, it is \nintentionally quite broad. There are limitations, so, you know, \nthere are limits as to what constitutes an unfair practice and \na deceptive trade practice. But, certainly, you know, given the \nheft of both the opinion, the recent opinion, in the Wyndham \ndecision and the FTC's practice generally in the way that we \ninterpret statutes, the FTC has the authority to regulate data \nsecurity.\n    With respect to chilling effects, I think that the FTC has \nproceeded in a pretty judicious and conservative manner with \nrespect to the regulation of data security, and so it is not \nlike there has been a dramatic lurch forward. As a matter of \nfact, they have been inching along through several different \nPresidential administrations basically along the exact same \ncourse with no appreciable difference. And so I think that the \nbody of jurisprudence is actually sound in that regard.\n    Mr. Cummings. Professor, can you describe why it is \nimportant for the FTC to exercise its authority over data-\nsecurity breaches?\n    Mr. Hartzog. Sure. There are several reasons. One is it \ngives the U.S. system of data protection legitimacy and heft. 
So many, for example, international agreements, like the EU-
U.S. Safe Harbor Agreement, is contingent upon the FTC being 
able to regulate data security, particularly now that there are 
questions about the strength of the U.S. data-protection 
program.
    Also, the U.S. system of regulating privacy is done in a 
patchwork manner, so there is no one great law that regulates 
data security across the United States. And what that does is 
it leaves a number of different gaps. And the only statutes 
that really--the only avenue by which we can provide a baseline 
of data protection in the United States right now is Section 5 
of the FTC Act.
    And so Section 5 helps harmonize a lot of data-security 
practices, and it also has been consistent with a lot of other 
data-security regulatory regimes.
    Mr. Cummings. You heard the testimony of Mr. Daugherty and 
Mr. Roesler--by the way, gentlemen, I am sorry that you have 
gone through what you have gone through. I spent my life 
representing people who were not properly--they were improperly 
accused.
    But you heard their testimony. I was just wanting to get 
your reaction to that. It seems as if there is a question--and 
Mr. Stegmaier talked about this a bit--as to charging folks. 
The way that folks are charged, they use data that--I think, 
Mr. Stegmaier, you would agree with this, based upon what you 
just said--that might you consider unfair charging. Would that 
be a fair statement?
    Mr. Stegmaier. I am not sure I understood----
    Mr. Cummings. Okay.
    Mr. Stegmaier. --precisely the question, sir.
    Mr. Cummings. But you understand what I am saying, right, 
Mr. Hartzog?
    Mr. Hartzog. 
So I think that the allegations that have been 
brought up are that there is not enough notice given to 
companies and that they are expected to follow rules that they 
say they don't know what they are.
    The answer that I would give to that is that the FTC uses a 
reasonableness test, and a reasonableness test for regulating 
data security is the most common way, if you look across 
regulatory regimes, to regulate data security. So the Gramm-
Leach-Bliley Act and HIPAA and many State regimes, all of them 
use a reasonableness test.
    And the way that you execute a reasonableness test is you 
defer to some other existing body of standards, right? And so, 
in this case, it is a complete deference to industry standards. 
The FTC actually doesn't create the standard at all. Rather, 
they say, what is industry doing? And there is a whole body of 
study, so there are whole industries and fields of study 
dedicated to what makes not just cutting-edge data security but 
just industry-standard data security and best practices. And 
that is what the FTC says you should look to to determine what 
the baseline is.
    And so the FTC actually isn't unique in its regulatory 
approach. There are States and other statutory schemes that 
utilize very similar approaches.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Mr. Daugherty. Can you explain to me, then, why the HIPAA 
and HHS is not coming after LabMD?
    Mr. Hartzog. I am sorry?
    Mr. Daugherty. Can you please explain then, if you are 
talking about industry standards--we are a medical facility. We 
are under HHS and HIPAA. They have not come after LabMD or 
cited anything.
    Mr. Hartzog. Well, I actually can't speculate as to why. 
There are lots of different reasons why claims are brought or 
not brought.
    Chairman Issa. It is a good question, but we probably won't 
have any more between witnesses----
    Mr. Daugherty. Sorry.
    Chairman Issa. 
--if you don't mind.
    But I do want to clarify just two things very, very 
quickly. You said a body of jurisprudence. That would imply 
that there has been decisions at the district and then the 
appellate court. Are there any?
    Mr. Hartzog. Well, we do have a decision at the district-
court level in the Wyndham case, but, actually, jurisprudence 
can come from a number of different sources. And primarily, in 
the case of the FTC, it comes from the complaints that they 
filed.
    Chairman Issa. Okay. So the consent decrees are a body of 
jurisprudence where they sue and settle, and you are calling 
that a body of jurisprudence. I just wanted to make sure that 
is what you were talking about.
    Mr. Hartzog. Well, not the consent decrees, but rather the 
complaints that indicate what the FTC considers to be an unfair 
and deceptive trade practice.
    Chairman Issa. Okay.
    And only one more quick one for Mr. Daugherty and Mr. 
Roesler.
    Were you given any safe haven or guidance by the FTC as to 
how you could, in fact, not fall under unfair practices at any 
time from the beginning until today, those so-called standards 
that Mr. Hartzog has said exist?
    Mr. Daugherty. Well, sir, thank you for that question, 
Chairman Issa.
    No. As a matter of fact, I stated, and as further indicated 
in my written testimony, quite to the contrary. In briefs and 
in quotations from the FTC, they argue they don't need to 
promulgate rules or inform us of standards. And even their 
experts said that we should Google them.
    And this is just not a way to regulate an American industry 
and economy, let alone the world of medicine.
    Mr. Roesler. My response would be that----
    Chairman Issa. Yes, of course.
    Mr. Roesler.--the communication that Open Door received 
from the FTC was one simple letter; it was a warning that we 
received from them. There was no other communication. 
And 
during that time, it was simply about a file being out, and 
they listed the file.
    Chairman Issa. So they just didn't pursue you, nor did they 
give you guidance on how to remedy.
    Mr. Roesler. That is my understanding.
    Chairman Issa. And did you have something else you want to 
follow up on?
    Mr. Cummings. Just to follow up on--a friendly follow-up on 
the chairman's question.
    Mr. Hartzog, you just heard what they said. You talked 
about a body of jurisprudence, and here you have folks who are 
saying they had no idea what was going on. Can you react to 
that?
    Is that a fair statement, gentlemen?
    You didn't----
    Mr. Hartzog. I would actually say that it's not a fair 
statement, nor is the FTC unique in requiring, you know, a 
standard to which there is not, you know, to the utmost 
specificity, right?
    So, for example, in tort law, you are expected to build 
products safely, but there is not a manual that you get when 
you start designing products that says, you know, here are the 
130 steps that you can take to make a product safe, right? You 
actually look to industry standards, which is another thing 
that is relatively common. And that is the kind of evidence 
that is used to determine whether you are acting reasonably or 
not.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Chairman Issa. I thank all of you.
    I will tell you, as somebody who has set industry 
standards, sat as a chairman of a trade association, I 
understand that safe havens are critical, industry standards, 
if you live up to them, you are supposed to get a level of 
immunity, at least from persecution by your government. It 
doesn't seem like that exists here.
    Mr. Mica?
    Mr. Mica. Thank you, Mr. Chairman.
    And, Mr. Daugherty, you had Lab Med?
    Mr. Daugherty. LabMD, sir.
    Mr. Mica. Okay, LabMD.
    And you had Open Door, Mr. Roesler?
    Mr. Roesler. That is correct.
    Mr. Mica. 
Two different activities.
    Now, were you first notified by FTC that there was some 
breach or some problem with your handling of data, Mr. 
Daugherty?
    Mr. Daugherty. We----
    Mr. Mica. When did FTC notify you first?
    Mr. Daugherty. They sent us an 11-page letter starting the 
inquiry.
    Mr. Mica. Before that, no?
    Mr. Daugherty. No, sir. We were just under HIPAA.
    Mr. Mica. And before that, no with you.
    I am just trying to look at what took place here. So you 
both are conducting your business or activities, and you both 
get calls from this firm, Tiversa. And that was the first 
notice that you had from anyone that you had problems as far as 
data security.
    Is that correct, Mr. Daugherty?
    Chairman Issa. And I would only ask one thing, that 
whenever you answer, make sure it is verbal. The clerk is not 
allowed to write down a head nod.
    Mr. Mica. Yeah, nods don't count.
    So, Mr. Daugherty?
    Mr. Daugherty. Yes----
    Mr. Mica. When you first--I want to find out when you first 
found out from some outside source that there was some breach.
    Mr. Daugherty. The outside source, sir, was--the first one 
was Tiversa in May 2008, and then the----
    Mr. Mica. And Mr. Roesler?
    Mr. Roesler. For Open Door, it was also Tiversa that 
notified us first.
    Mr. Mica. Okay. And that firm told you that they had, I 
guess, been fishing or surfing, whatever the hell they did. And 
then did they offer to help remedy your situation, Mr. 
Daugherty?
    Mr. Daugherty. They--well, yes, sir. They would not----
    Mr. Mica. What was the offer?
    Mr. Daugherty. The offer was----
    Mr. Mica. How much an hour?
    Mr. Daugherty. $475 an hour, with a 4-hour minimum, no 
guarantee.
    Mr. Mica. Mr. Roesler?
    Mr. Roesler. It was $475 an hour.
    Mr. Mica. And, Mr. Daugherty, what did you tell them?
    Mr. Daugherty. 
I told them I was not interested until they 
gave me more information.
    Mr. Mica. Okay.
    And, Mr. Roesler, what did you tell them?
    Mr. Roesler. I didn't respond.
    Mr. Mica. You didn't respond. Okay.
    So, after your initial contacts, your first contact of the 
breach, then you were later notified by FTC that there was a 
problem, Mr. Daugherty?
    Mr. Daugherty. Well, we were called by----
    Mr. Mica. It was subsequent.
    Mr. Daugherty. Later in 2008, we were told by Tiversa they 
were giving it to Federal Trade Commission, and then Federal 
Trade Commission contacted us 14 months later.
    Mr. Mica. Uh-huh.
    And Mr. Roesler?
    Mr. Roesler. Yes, afterwards. Uh-huh.
    Mr. Mica. Yeah.
    And we tend to believe that FTC was informed or got that 
information from that company. Would you assume the same thing, 
Mr. Daugherty?
    Mr. Daugherty. Yes, sir, I would.
    Mr. Mica. What would you assume, Mr. Roesler? You gave it 
to them? You called them up and said, ``We are doing this, and 
you ought to investigate us?''
    Mr. Roesler. Excuse me?
    Mr. Mica. I am just--that was a joke.
    Mr. Roesler. All right. Thank you.
    So I don't know. I don't know the answer to that question. 
If that is how----
    Mr. Mica. But somehow they got the data.
    Mr. Roesler. That is correct.
    Mr. Mica. Well, to me, it looks like a little bit of an 
extortion game from a company trying to make a few bucks off of 
you guys, fishing and then coming after you. That is just my 
assumption. Now, we don't have FTC and others in here. We will 
have to find out more of what took place.
    Part of this is that, you know, FTC was set up for a good 
and noble purpose, and that is to deal with deceptive and 
unfair trade practices. And we should have the right, too, to 
have whistleblowers give them information. But a lot of the 
discussions also went around the standards and what is fair. 
But the standards do not exist specifically, Mr. Hartzog, as 
part of the testimony. That is first.
    And then, secondly, you made a good point, that we don't 
want to clip FTC's wings to inhibit their power to go after bad 
actors. Is that correct?
    Mr. Hartzog. Yes, that is correct.
    Mr. Mica. But if we find out, again, that the motivation 
for this was their nonparticipation in this scheme, it doesn't 
seem like they were treated fairly, one, and, two, that you two 
were never given notice to correct the practice. Were you given 
notice to correct what they considered----
    Mr. Daugherty. Oh, we were just given endless questions for 
years and then a suit. No. That was all we were given.
    Mr. Mica. Were you given a remedial course or----
    Mr. Roesler. In our letter, it was suggested that we----
    Mr. Mica. Cease and desist?
    Mr. Roesler. Something like that.
    Mr. Mica. Remedy your situation?
    Mr. Roesler. That is right. Look into it.
    Mr. Mica. Uh-huh. Because I think, again, businesses need 
to be notified by the regulatory agencies if there is a 
practice, and then if they don't clean their act up--you didn't 
devise those software systems, it was probably something you 
purchased, that had a----
    Mr. Daugherty. LimeWire was never even purchased. That is 
just malware that was out there----
    Mr. Mica. Uh-huh.
    Mr. Daugherty. --that was put in by an employee with a 
total lack of authorization.
    Mr. Mica. But it wasn't a purposeful thing, and when you 
found out, you tried to remedy it.
    Mr. Daugherty. Absolutely, sir.
    Mr. Mica. Mr. Roesler?
    Mr. Roesler. We never had any evidence of having----
    Mr. Mica. But when you found out, did you try to remedy it, 
the situation?
    Mr. Roesler. We just researched to find that we had no risk 
of that. That was----
    Mr. Mica. Okay. All right.
    I yield back.
    Chairman Issa. Okay. Thank you.
    Mr. 
Hartzog, just to make sure, was LimeWire ever gone 
after by the FTC for their deceptive practices of creating the 
vulnerabilities?
    Mr. Hartzog. I----
    Chairman Issa. You have looked through the body of 
jurisprudence.
    Mr. Hartzog. I do not believe so, so I----
    Chairman Issa. But they never went after the people who 
created the vulnerability, just people who were victims.
    Mr. Hartzog. Yeah, I don't--I am not privy to 
investigations. I only know about the filed complaints. But as 
far as I know, there was no filed complaint against LimeWire.
    Chairman Issa. Yeah. That makes sense. They were probably 
without deep pockets and too slippery.
    The gentleman from Massachusetts, Mr. Tierney.
    Mr. Tierney. Thank you.
    Mr. Hartzog, apparently there was ultimately an agreement 
or a decision that the companies that are testifying here today 
did not live up to industry standards or some other measure of 
reasonableness. Is that fair to say?
    Mr. Hartzog. Yes, that is fair.
    Mr. Tierney. All right. So in that determination by the FTC 
of whether or not they complied with the reasonableness on 
that, is the sophistication of the company, the size of the 
company, the resources the company might have for establishing 
secure IT, the danger of the release of their data, are all of 
those factors in that determination of reasonableness?
    Mr. Hartzog. Absolutely. That is one of the reasons why a 
one-size-fits-all checklist for data security will never work, 
because it is far too dependent upon variables like that. And 
so, of course, large companies, large tech companies--you know, 
Microsoft and Amazon and all these others--are expected to have 
significantly different and probably more robust data-security 
practices than, say, smaller businesses. 
Now, of course, there 
is a baseline for everyone collecting personal information, but 
it varies wildly as to what is constituted in any given 
circumstance.
    Mr. Tierney. So is there an FTC process where, when they 
become notified that a problem may exist, they notify the 
individual and give them an opportunity to cure?
    Mr. Hartzog. Because I am not privy to a lot of the 
internal investigations within the FTC, I am unable to answer 
that question.
    Mr. Tierney. Mr. Stegmaier, do you have any information on 
that, whether or not the FTC as a matter of course, when they 
have an allegation or a concern that somebody may not be being 
reasonable in securing their IT, they give that company an 
opportunity to cure before they take action?
    Mr. Stegmaier. I have never had an experience in 13 years 
of doing this where they proffer the opportunity to cure in the 
manner that I think you are suggesting.
    I have had a number of nonpublic resolutions, many, many 
times. But I haven't had this sort of, I think in the 
chairman's words, safe-harbor situation where they say, ``We 
have brought this to your attention, we see that you have taken 
corrective measures, and we have determined that that, you 
know, is in fact good enough.'' In fact, it is their practice, 
in part of Mr. Hartzog's analysis, that the agency doesn't 
typically issue what would be referred to as a closing letter 
for investigations.
    But in my, you know, private, personal capacity appearing 
before the agency representing clients, the characterization 
you described is not consistent with my experience.
    Mr. Tierney. Are either Mr. Hartzog or Mr. Stegmaier 
familiar with a situation where their clients were notified, as 
Mr. Roesler was, that you apparently have a problem and then no 
further action was taken because your client did something 
about it?
    Mr. Stegmaier. 
So it hasn't been my experience that the 
agency is typically calling to the attention of individual 
companies incidents or situations, but, rather, they come, 
investigation in hand, with an investigatory posture, trying to 
figure out what happened, rather than more a notice and 
corrective posture.
    But, to be clear, I am aware of numerous cases where the 
agency has chosen not to continue investigating.
    Mr. Tierney. Okay.
    Is that similar to your information, Mr. Hartzog?
    Mr. Hartzog. That's correct, based on my information.
    Mr. Tierney. Thank you.
    Mr. Roesler, you received a letter from the FTC notifying 
you that they believed you had an issue and suggesting that you 
do something about it.
    Mr. Roesler. That's correct.
    Mr. Tierney. All right. And what you did about it, you 
said, was you went and rechecked again to see if your people 
could find anything on the peer-to-peer; is that right?
    Mr. Roesler. What I said was that our IT subcontractor 
looked at our network to see if there was any P2P software 
within our network or on any of our computer laptops, any work 
stations.
    Mr. Tierney. Did you at all do any research or ask your 
legal counsel, your IT subcontractor, to do some research about 
what the best practices in your industry were and whether or 
not you were, in fact, complying with those?
    Mr. Roesler. Indeed, we did.
    Mr. Tierney. And what was the result of that?
    Mr. Roesler. The result was that we were meeting those 
standards, our network was secure, and that we were compliant.
    Mr. Tierney. And did the FTC ever take any follow-up action 
against you?
    Mr. Roesler. None that I am aware of.
    Mr. Tierney. Thank you.
    Mr. Stegmaier and Mr. Hartzog, again, your help, if you 
would. 
When a determination is made by the FTC that there is 
noncompliance or that there is an unfair or deceptive practice, 
are the penalties automatic, set at a certain amount once it is 
found? Or is there discretion for the FTC to take into 
consideration mitigating factors?
    Mr. Stegmaier. So the agency doesn't actually have 
statutory penalty authority. They enter into a consent decree, 
which typically doesn't have a monetary penalty or a remedy.
    As to the factors that they use in terms of how they decide 
which cases to prosecute or which cases not to prosecute, I 
would respectfully disagree with Mr. Hartzog in the sense that, 
having done this for a long, long time, the precise motivations 
and contours of what constitutes reasonable behavior and 
reasonable information-security behavior from the perspective 
of the agency that's authoritative is no more clear to me today 
than it was 13 years ago.
    Mr. Tierney. I am going to let you guys fight that out 
offline here on that.
    So if there's not a monetary penalty, what is the nature of 
the action that the FTC takes ultimately?
    Mr. Stegmaier. I think one way to think about it is to have 
a new board member who helps supervise your privacy and data-
security process for the next 20 years, including, typically, 
biennial privacy and data-security audits through an approved 
third-party contractor who essentially will, you know, audit 
and review your processes and report to the agency.
    Additionally, they have a tool which they call--is commonly 
referred to as fencing-in relief, through which, once you're 
under an order, you are subject to financial penalties if you 
should violate the order. And, in my experience, it's not 
uncommon for companies to spend as much as a half-a-million 
dollars a year or more simply to undertake to comply with the 
underlying orders.
    So I would respectfully disagree with Mr. 
Hartzog to the 
extent that it takes into account the nature and size of the 
underlying companies. In fact, my experience has been the 
opposite, that the size of the company doesn't dictate what 
level of security the agency seems to believe is required in a 
number of instances.
    Mr. Tierney. And I assume that----
    Chairman Issa. The gentleman's time has expired.
    Mr. Tierney. Can I ask unanimous consent for one further 
question?
    Chairman Issa. As long as it doesn't take another minute 
and a half extra, go ahead.
    Mr. Tierney. I'll do my best.
    And the cost of this, sort of, outside entity or auditor 
that you're talking about is borne by whom?
    Mr. Stegmaier. Entirely by the company, sir.
    Mr. Tierney. Thank you.
    Chairman Issa. Thank you.
    Mr. Walberg.
    Mr. Walberg. Thank you, Mr. Chairman.
    And thanks to the witnesses for being here.
    Mr. Stegmaier, if you could just further help me to 
understand, what are the FTC standards for determining whether 
or not a company's data-security practices violate Section 5?
    Mr. Stegmaier. Thank you very much, sir.
    A couple of things. The articulated standard is one of 
reasonableness, and that is the extent of the standard.
    I note that for the folks that are here today--and I think 
this is important for the committee to understand--I think that 
we learned from Mr. Roesler and Mr. Daugherty that there were 
initially begun investigated--the investigation in 2008. 
It 
wasn't until 2011 that the Federal Trade Commission issued a 
best-practices guide identifying a number of recommendations 
that it thinks are required for reasonable security.
    But to answer your question I think more directly, the 
troubling thing about that guide and the thing that has been 
difficult for many companies is, if you asked me to identify 
which, if any, of those items that they identify as best 
practices are legally required, I could not tell you.
    Mr. Walberg. So this is an evolving notion, as it were.
    Mr. Stegmaier. Absolutely. And I think the agency itself 
has taken that position repeatedly. The agency takes the 
position that it needs flexibility because technology is 
changing, what we think is privacy is changing, data security 
is changing.
    Mr. Walberg. Well, what, then, gives the FTC the authority 
to take enforcement on these evolving actions, especially in 
what's considered reasonable?
    Mr. Stegmaier. Sure. So, as Mr. Hartzog identified, the 
language of Section 5 is incredibly broad, and courts have 
generally given deference under what's known as the Chevron 
deference--Chevron case to agencies to determine their own 
jurisdiction. So, unless that exercise of jurisdiction is 
arbitrary or capricious, for the most part, absent Congress 
stepping in, the agency's determination, you know, will prevail 
unless or if a court disagrees.
    And, as I mentioned to the chairman earlier, there are a 
number of cases pending that challenge exactly this question.
    Mr. Walberg. Mr. Hartzog, do you agree or disagree that the 
FTC should be taking the lead in establishing new regulations 
governing data-security practices?
    Mr. Hartzog. 
Well, I think that the FTC certainly plays the 
pivotal role and should play the pivotal role in establishing 
data-security regulation in the United States, but I do think 
that it's wise for the FTC to continue to defer to industry 
standards rather than try to make up their own standards, but, 
rather, follow what industry has determined is reasonable and 
appropriate data security. Because I think that that kind of 
deference keeps the FTC from acting in an arbitrary or 
inconsistent way.
    Mr. Walberg. So, in other words, kind of a shared 
partnership lead?
    Mr. Hartzog. That's right. So it's a co-regulatory regime, 
right, where you let industry say this is what is reasonable in 
our field, and then the FTC then looks to that to determine 
which companies have gone beyond the boundaries of 
reasonableness.
    Mr. Walberg. Mr. Stegmaier, can a business owner look up 
the rules for data security to make sure a business is in 
compliance?
    Mr. Stegmaier. So if you're subject to the Health Insurance 
Portability and Accountability Act, you can. In fact, the HHS 
has issued privacy and data-security regulations. The Federal 
Trade Commission has not.
    If you are a financial institution subject to the Gramm-
Leach-Bliley Act, there has been notice-and-comment rulemaking; 
you can look up those regulations. But, again, if you're 
subject to the FTC's jurisdiction----
    Mr. Walberg. You can't.
    Mr. Stegmaier. --you cannot.
    Mr. Walberg. A pattern is emerging.
    Mr. Daugherty, did you know where to look up the rules or 
informal policies that governed FTC data-security practices 
before you were contacted by FTC?
    Mr. Daugherty. No, sir, because there were none. I mean, 
we've had professionals in and out. We had Stanson's two people 
in. No one said anything about them. We were fully within the 
medical community.
    Mr. Walberg. 
How easy or difficult is it to keep up with 
these informal policies?
    Mr. Daugherty. Well, I think it's nearly impossible, I 
mean, because they don't tell you till after the fact, whereas 
in HHS, in the world that we reside, in a regulatory world, 
it's quite simple. But in, you know, the world of medicine, 
which they're trying to get into, they're not using that 
format.
    Mr. Walberg. And, finally, Mr. Daugherty, in your opinion, 
is it fair for the FTC to expect businesses like yours to be 
able to locate and follow data-security practices?
    Mr. Daugherty. Oh, we're all for following data-security 
practices, absolutely. But we need to, obviously, have them 
take a leadership role and not a reactionary role.
    As much as they want to say how broad this needs to be, 
breadth does not mean infinity, and there have to be some 
boundaries. And they seem to continually argue, well, we have 
broad scope, we need broad scope. But that doesn't mean they 
don't have to say anything. I mean, we all have laws. That 
doesn't mean we call it a crime when we see it.
    So I think they need to be more reasonable in their 
boundaries and their communications, especially when they 
choose to get into medicine. That is really an alarming 
overreach.
    Mr. Walberg. Sounds reasonable. Thank you.
    My time has expired.
    Mr. Bentivolio. [Presiding.] The chair recognizes the 
gentleman from Massachusetts, Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman.
    Now, this dispute is currently in the FTC administrative 
court; is that correct?
    Mr. Daugherty. Is this to me?
    Mr. Lynch. Yeah, anybody.
    Mr. Daugherty. Okay. Yes, sir, against LabMD, yes it's in 
administrative court, sir.
    Mr. Lynch. It seems to me that's a good place for it. I 
don't understand how this matter--there are a lot of, you know, 
administrative disputes that one side or the other feels 
offended by. 
It just surprises me that you're before Congress, 
given the small amount of work we do anyway, and now we're 
engaging in this. I just--I don't think this whole dispute, 
this whole hearing is appropriately before us. Let me just get 
that out of the way.
    Earlier, Mr. Hartzog and Mr. Stegmaier, we heard the 
chairman say that--and get confirmation from two of the 
witnesses that there is no breach unless someone uses the 
information that's been put out there. In other words, you can 
have a door that's unlocked, I guess is the analogy that was 
used, and that even though information was not kept secure, 
there's no breach until somebody actually uses that information 
that's been put out there.
    Is that the state of the law?
    Mr. Stegmaier. So, whether or not a security breach exists 
is actually a term of art. As the members of the committee may 
be aware, I think at least 47 States have breach notification 
laws using differing standards or requirements. So I think we'd 
have to think about, sort of, a particular----
    Mr. Lynch. Well, let me ask you, do any of those States say 
that the information has to be used before a breach is 
declared?
    Mr. Stegmaier. They tend to use the operative phrases, 
acquired or accessed without authorization.
    Mr. Lynch. Okay. So just putting the information out on the 
Internet, if nobody is using it, there's no breach?
    Mr. Stegmaier. It's an active matter of dispute as to 
whether the mere accessibility of information constitutes a 
security breach, and a lot of really smart people would 
disagree very vigorously.
    Mr. Lynch. Yeah. So you can put stuff out on the Internet, 
secure information on the Internet, and that wouldn't be a 
breach, Mr. Stegmaier.
    Mr. Stegmaier. That's not what I am saying at all. What I'm 
saying is----
    Mr. Lynch. Okay.
    Mr. Stegmaier. 
--smart people would disagree, and they 
frequently and regularly do.
    But I think an important consideration is, under HIPAA, for 
example, whether you adhere to the security rule--in other 
words, whether your systems are, in fact, secure--is different 
than whether or not you've had a breach. So under HIPAA----
    Mr. Lynch. Well, I'm just asking you here whether it's 
required in order to be guilty of a security breach, whether 
someone has to use the information. That's what I'm asking you.
    Mr. Hartzog, do you want to take a shot at this?
    Mr. Hartzog. Sure. The mere fact of a breach itself, 
actually, isn't a violation of any particular law, right? So 
there are a couple of points: One is the Section 5 defining an 
unfair trade practice as one that either causes harm or is 
likely to cause harm. You actually don't have to have any kind 
of breach or misuse in the first place.
    Mr. Lynch. Yeah.
    Mr. Hartzog. The second point is, the only harm that can 
come isn't necessarily one of, like, say, user ID theft, right, 
so mere exposure can constitute it.
    And then the third thing to remember is that the wrongful 
actions here aren't that a breach occurred, right? A breach is 
really perhaps just a symptom of the problem, which is a 
failure to have good data-security practices. So regardless of 
whether the breach happened or whether it didn't happen, 
whether information was available or whether it wasn't 
available, all of that only really goes towards showing whether 
there were good, reasonable data-security practices or not. And 
that's really what we're looking for.
    Mr. Lynch. Right. That's the preventative aspect of this.
    Mr. Hartzog. Right.
    Mr. Lynch. If we had to wait till your Social Security was 
used by someone, you know, then----
    Mr. Hartzog. Correct.
    Mr. Lynch. --we would have to sit on our hands until 
somebody was abused, you know, somebody's information was 
acquired. 
And----\n    Mr. Hartzog. Which is very difficult to show. And it's \nimportant to remember that data security is a probabilities \ngame, right? So----\n    Mr. Lynch. Right.\n    Mr. Hartzog. --what you want to--there's no such thing as \nperfect data----\n    Mr. Lynch. Let me just jump to this quick. Mr. Roesler, \nyour clinic serves patients that may have HIV or AIDS; is that \nright?\n    Mr. Roesler. That's correct.\n    Mr. Lynch. Did the master list file have personal \ninformation about clients of the Open Door Clinic?\n    Mr. Roesler. It did.\n    Mr. Lynch. And about how many Open Door clients were listed \nin the master list file? Do you know?\n    Mr. Roesler. About 150.\n    Mr. Lynch. And the FTC wrote you that the clinic file \nmaster list was available to users on this peer-to-peer file-\nsharing network, right?\n    Mr. Roesler. They did.\n    Mr. Lynch. So the information was out there. So are you \nsaying that the FTC was wrong to contact you on that? Is that \npart of your complaint?\n    Mr. Roesler. Not at all. No.\n    Mr. Lynch. Okay. Where did the--the FTC has not filed an \nenforcement action against you for that, right?\n    Mr. Roesler. That's correct.\n    Mr. Lynch. So wherein lies the overreach on the part of the \nFTC?\n    Mr. Roesler. I am not aware of overreach.\n    Mr. Lynch. Okay.\n    I'll yield back. Thank you.\n    Mr. Bentivolio. The chair recognizes the gentleman from \nTennessee, Mr. Duncan.\n    Mr. Duncan. Well, thank you, Mr. Chairman.\n    And I appreciate Chairman Issa calling this hearing because \nwhat I've heard thus far is very disturbing to me. I was \npresiding over the House until a few minutes ago, and so I \ndidn't--I'm sorry, I didn't get to hear the testimony.\n    But if I understand this correctly, Mr. 
Daugherty, this \nTiversa firm contacted you or your company and told you of \npossible problems and asked you to hire them at a rate of $475 \nan hour, and then when you declined to do so, they turned you \ninto the FTC.\n    Mr. Daugherty. That's correct. That was all in 2008.\n    Mr. Duncan. And then the FTC started pursuing you, taking \naction against you.\n    Mr. Daugherty. That's correct.\n    Mr. Duncan. And I think I just was told that you're close \nto being out of business, or----\n    Mr. Daugherty. The laboratory operations closed in January \nof this year because we've been completely sideswiped by this.\n    Mr. Duncan. And Mr.--is it ``Roesler'' or ``Roesler''?\n    Mr. Roesler. It's ``Roesler.''\n    Mr. Duncan. ``Roesler.'' Mr. Roesler, your story is very \nsimilar, is that correct, except you're still in business?\n    Mr. Roesler. I don't know that my story is similar. It's \ngot its differences. Yes, we are still in business.\n    Mr. Duncan. But you were contacted by Tiversa----\n    Mr. Roesler. That's correct.\n    Mr. Duncan. --and for $475 an hour they would take care of \nyour problems?\n    Mr. Roesler. That's also correct.\n    Mr. Duncan. And then when you declined, they contacted the \nFTC.\n    Mr. Roesler. That I'm not aware.\n    Mr. Duncan. Well, according to the staff briefing we have, \nthe FTC--this Tiversa company told on or reported or turned \nalmost 100 companies into the FTC.\n    And, Mr. Hartzog, don't you think that, in light of what's \ncome out here today, that the FTC should check on something \nlike this, if another private company turns in a company, to \nsee what conflict of interest is present? Because there \ncertainly was a conflict of interest in these cases we're \nhearing about.\n    Mr. Hartzog. It's difficult for me to speculate on that \nwithout knowing the exact details. 
But it's my understanding \nthat the FTC actually gets information about what constitutes, \nyou know, a potentially unfair or deceptive trade practice from \nlots of different sources, including public complaints in \ngeneral, many of which might be valid and many of which might \nactually be invalid. And----\n    Mr. Duncan. Well, I know they get them from many sources, \nbut when there's an obvious seemingly almost criminal conflict \nof interest involved, it looks like the FTC would at least \ncheck that out. Because that could easily be checked out on the \nfront end of things.\n    Mr. Hartzog. Well, certainly, the FTC should make sure that \nany allegation that's turned into them is actually valid. And \nso I think that, of course, it's incumbent upon them to make \nsure that the facts that are alleged to them are actually true.\n    Mr. Duncan. Mr. Stegmaier, you're a law professor. Do you \nthink anyone should be prosecuted criminally on things like \nthis, what you've heard here today?\n    Mr. Stegmaier. If the facts as alleged turn out to be true, \nno, I would not think that prosecution should necessarily be \nappropriate. But I think if I'm understanding your question \nmore correctly, do I think it's appropriate for this committee \nand Congress to review the agency's behavior, I think it's \nincumbent on Congress to do so.\n    Mr. Duncan. What do you think should be done in addition to \nthis committee looking into it?\n    Mr. Stegmaier. So I don't profess to be an expert on all of \nthe remedies or different, you know, mechanisms. But one of the \nthings that I think we've seen and I think is, you know, \ncritically relevant is to create an environment where companies \ncan understand what's actually expected of them as a matter of \nlaw so that then when and if the agency should come to \ninvestigate them there's much less of an element of surprise. \nAnd that's really sort of the crux, right? 
The Constitution \nprotects us from being prosecuted when we couldn't possibly \nhave known what the law is.\n    And I think Mr. Daugherty could testify or would testify \nabout his experience in that regard, and I think he has \ntestified to the effect that he understood that he was subject \nto HHS's jurisdiction. And being subject to the FTC's \njurisdiction and then what that meant in terms of what's \nactually required is as opaque today as it was in 2008 for him.\n    Mr. Duncan. Well, the problem that many of us see now is \nthat the Federal Government is prosecuting people for \nunintentional violations of the law. And that's not supposed to \nbe criminal, but a zealous prosecutor can make an innocent, \nunintentional violation of the law seem to be criminal, and \nthat's a pretty dangerous thing.\n    The government should be in the business of trying to help \ncompanies stay in business, not with the goal of trying to run \npeople out of business, unless they have definite proof of \nintentional efforts to defraud people.\n    Thank you very much, Mr. Chairman.\n    Mr. Bentivolio. The chair recognizes the gentleman from \nVirginia, Mr. Connolly.\n    Mr. Connolly. Thank you, Mr. Chairman.\n    And welcome to our panel, especially my constituent, Mr. \nStegmaier, who's obviously cogent, astute, perspicacious, very \ncompelling testimony. And we're not surprised, coming from the \n11th Congressional District of Virginia.\n    Mr. Stegmaier. Thank you, sir.\n    Mr. Connolly. Mr. Stegmaier, I wanted to clarify something \nyou testified to just now. What is the status of Mr. \nDaugherty's case before the FTC?\n    Mr. Stegmaier. So I haven't been following the precise \ncontours of the case other than the existence of the \nadministrative procedure is highly, highly unusual. I'm not \naware of any other case that's actually used that procedure.\n    Mr. Connolly. Mr. Daugherty, what is the status of your \ncase?\n    Mr. Daugherty. 
The case is on pause until the immunity \ndecision and proffer is worked out with this committee. And \nthen the judge will make a decision from that point.\n    Mr. Connolly. Okay. So it's still in adjudication. Pending.\n    Mr. Daugherty. Pending.\n    Mr. Connolly. But there's been no verdict delivered or----\n    Mr. Daugherty. No. This is correct.\n    Mr. Connolly. Well, I will say I share some of--more than \nsome of the misgiving of my colleague from Massachusetts, Mr. \nLynch, about the appropriateness of this committee even the \nperception of intervening in the midst of, you know, a \nregulatory adjudication, for fear that, you know, we start to \nset a precedent. So anybody, you know, who doesn't like a \nprocedure can just come here and we'll have a hearing and judge \nit for ourselves. I just think that's a dangerous precedent if \nthat, indeed, is what's going on.\n    Mr. Stegmaier, the title of this hearing is ``FTC Section 5 \nAuthority: Prosecutor, Judge, and Jury.'' Do you view the FTC \nas playing a role as prosecutor, judge, and jury?\n    Mr. Stegmaier. Absolutely. I think the structure of the \nadministrative state, Section 5 being very broadly worded, with \nthe agency getting deference to its own determinations about \nits jurisdiction, as well as its interpretations of the law \nbeing plausible, absolutely create a situation where it is \ndifficult, if not impossible, to create due process remedies or \nways for review that most regular people would think our system \nof justice entitles them to.\n    And with respect, Mr. Connolly, to your comments about this \nparticular proceeding, one of the things that strikes me is \nthat, with respect to the fair notice doctrine and due process \ngenerally, if not here, where else? And I think that really \nbegs the question. You know, in other words, Mr. 
Daugherty, I \nam not sure has any other place that he could go unless and \nuntil this proceeding is resolved.\n    So, you know, again, maybe I'm a bit of, you know, sort of \na sentimentalist, but I think the due process concerns here are \nso significant that I would be, you know, troubled to wonder \nwhere else one might go for redress.\n    Mr. Connolly. That sounds good, Mr. Stegmaier, but we \ncannot be substituting ourselves for regulatory agencies in the \nmidst of their administrative procedures. The precedent that \nsets is very dangerous, in my opinion.\n    And, by the way, if there were thousands of them, there's \nno way you could raise the expectation that, no, no, this is \nwhere you come for redress if you don't like the process. \nThough, I am not disagreeing with you about the fact that there \nmay be way too much authority, frankly, vested in this process. \nAnd that's a legislative issue, but not an adjudication.\n    Mr. Hartzog, would you respond to what Mr. Stegmaier said? \nDidn't he make a pretty good point there?\n    Mr. Hartzog. Sure. No, so I would actually disagree. I \nmean, I agree in the sense that, you know, this kind of title \nof ``judge, jury, and executioner'' is--the FTC is not unique \namong administrative agencies in that it has been given \nenforcement power and the power to kind of dictate rules. \nThat's actually kind of administrative law generally, right? \nSo, to the extent that the FTC has the power to enforce the law \nand create rules through case-by-case adjudication, the FTC \nseems to be hardly unique in that respect.\n    With respect to, kind of, fair notice, due process \nconcerns----\n    Mr. Connolly. Well, can I just interrupt you there? Mr. \nDaugherty has a blog in which he refers to the FTC as ``lying, \ncheating, breaking every rule in the book.'' ``All professional \ntyrants and bullies have plenty of tricks up their sleeves. \nThis nest,'' presumably the FTC, ``is no exception.''\n    So Mr. 
Daugherty----\n    Chairman Issa. [Presiding.] Would the gentleman yield?\n    Mr. Connolly. Of course.\n    Chairman Issa. I think many Members on your side of the \naisle have said the same about me on the dais. These \nallegations are not unique, are they?\n    Mr. Connolly. Yeah, but I don't know if we all have blogs.\n    But, I mean, putting a charitable interpretation on what \nclearly is a source of anger and frustration for Mr. Daugherty \nis a sense of: I am not being treated fairly. This process is \nfar beyond just a routine administrative process. It is one \nthat, you know, is all-encompassing and all-powerful and \ncapricious. My word, not his.\n    So is this just like any other administrative process? Is \nthere something unique or different about this one? I'm not \nreferring to the particular case; I'm talking about the \nprocess. Because you just said, well, it's hardly unique. But \nif I read this blog and only rely on it for witness to the FTC \nprocess, I might conclude it most certainly is different and \nunique, or at least I hope it would be, if this is accurate.\n    Mr. Hartzog. Well, I can't comment as to the factual \nspecifics. My----\n    Mr. Connolly. I'm not asking you to.\n    Mr. Hartzog. Right, right. So without knowing the internal \ndeliberations of what happened with respect to the FTC \ninvestigation with this particular case, I will say if you look \nat the complaint that was filed in this case, it is very \nconsistent with all of the other FTC data-security complaints. \nThe FTC has been regulating data security since the late 1990s, \nand they've done so in a very conservative and incremental \nmanner. The language that they employ is very consistent across \nevery single complaint. The language that they use in their \nconsent orders is very consistent.\n    And so if you look at the complaint that was filed in this \ncase, it does, indeed, look very similar to lots of other \ncomplaints filed by the FTC. 
And so, in that regard, this is, \nyou know, just another, kind of, incremental iteration on the \nFTC's data-security regulations.\n    Mr. Connolly. And just a final point, if I may, Mr. \nChairman.\n    Do you agree with Mr. Stegmaier that, if not here, where, \nthat this is a place to come for redress if you feel you're not \ngetting it in the administrative law review--I mean, the \nadministrative judicial process?\n    Mr. Hartzog. Well, I would just call note to the fact that \neveryone that is subjected to an FTC complaint has the right to \njudicial review. And so, you know, that seems to be the \nstructure that was put in place precisely to put a check on \nadministrative agencies.\n    Chairman Issa. Would the gentleman yield?\n    Mr. Connolly. Of course.\n    Chairman Issa. Just for a short colloquy. I think you made \nan assertion that perhaps this hearing and our what you called \n``intervening'' with the FTC was inappropriate. I just want to \ngo through a couple of things very quickly for our benefit.\n    Have you had a chance to look at any of the proffer \nmaterial brought to the committee voluntarily by a \nwhistleblower?\n    Mr. Connolly. I'm not sure what the chairman is referring \nto. I've looked at a lot of material.\n    Chairman Issa. No, no. There was a proffer brought. The \ncommittee staff has reviewed some of it. There was a \nwhistleblower who came to us, unrelated. We did not initiate \nit, but rather a whistleblower came to us. And that, in \ncombination--and perhaps your staff can arrange--at the \nbeginning, I asked everyone to look at the proffer. It goes \nmore than an hour.\n    But, additionally, the reason that this committee feels \nthat, notwithstanding an ongoing--many-year ongoing FTC \nactivity, that, in fact, because Mr. 
Boback testified before \nthis committee twice while he was, in fact, turning people into \nthe FTC for eventual prosecution, and because a whistleblower \ncame to us, and because that whistleblower took the Fifth at \nthe--asserted his Fifth Amendment rights at that proceeding, my \nunderstanding is the administrative law judge has for the time \nbeing held up, with no prejudice whatsoever, his proceeding as \nwe continue to try to go forward.\n    The judge is able to go forward with the case at any time, \nof course, but both this chairman believes that we should hear \nthe testimony of the whistleblower here and I think the FTC \nwould like to hear the testimony of that individual because, \nsince he was a prior employee of Tiversa, he is, in fact, \nlikely to be a fact witness as to whether or not there is \ncredible evidence against Mr. Daugherty's company, which, by \nthe way, doesn't go to the FTC's authority that we're \ndiscussing here today. It really goes to the question of, is \nthe FTC accurate in one or more of its pleadings?\n    And for the gentleman's edification, it is our opinion \nthat, at a minimum, if the assertions that have been made are \ntrue, the FTC has been misled and this committee has been \nmisled on multiple occasions. The Secret Service, NCIS, the \nWhite House, through the assertion made--and I don't know if \nthe gentleman was here when it was made, but the assertion that \nMarine One's cockpit upgrade was compromised when it was in \nIran may not have been true. All of those things caused this \ncommittee to think that we need to act now and to look into it.\n    But I appreciate the gentleman's rightful statement that \nit's not for us to second-guess the FTC. Their administrative \nlaw judge has to make their own decision. We also, though, \nbelieve that we have an independent obligation based on the \nthings I outlined, and I would hope the gentleman would agree.\n    Mr. Connolly. Mr. 
Chairman, it might surprise you to hear \nthat, in some measure, I do agree. However, I guess I'm raising \nthe question, not for a solution here, about, what are the \nright boundaries for us, and when do we properly intervene \nbecause of our oversight function and duty?\n    I was asked before this hearing, you know, do we have a \nrole to play in oversight of FTC, and my answer was absolutely. \nAnd if there's, you know, something to be reformed or something \ncertainly to be looked at, that is absolutely a proper function \nof this committee. And the idea that it's never proper is to be \nrejected.\n    However, there are boundaries. And when there's a specific \ncase in front of a judge, I am concerned that it not even be \nconstrued as a perception that we are attempting to tilt the \njudgment in a particular way or to make ourselves the place of \nredress when people have a grievance, even though that \ngrievance may very well be legitimate.\n    Our role is not to hear the case all over again. It is to \ntry to, you know, ameliorate the grievance if there are \nlegitimate aspects to it that can be addressed legislatively. \nThat's what I was raising.\n    Chairman Issa. And I think the gentleman and I would agree \nthat we have to be very careful, both yesterday with the IRS \nand today with the FTC. But I do believe, when somebody has \ntestified before this committee multiple times, the assertions \nmay be incorrect, and, as a result, a series of suits already \ncompleted by the Federal Trade Commission with consent decrees \nmight, in fact, have been flawed.\n    And, tangentially, Mr. Roesler, obviously, we are concerned \nthat a pattern of activity, business practices, you may have \nbeen a victim of and suffered--you and your insurance company \nsuffered distraction and cost for years. So we are concerned \nwith it.\n    And that's why I was so appreciative of your being here \ntoday. This was a tough one for you to do. 
It's tough for you \nto tear yourself away and to take time out. But, hopefully, \nmaybe a little bit like some hearings we've had over the years, \nwhere people don't understand them at the beginning of it, if, \nin fact, they come to some of the assertions being true, then \nat the end of it all people will say, yes, it was worthwhile.\n    If, Mr. Connolly, if, at the end of it all, whistleblower \nstatements are wrong, assertions are wrong, and all of what we \nhave been told is not true, and if, for example, that \nPittsburgh event, the law firm was just a coincidence, if, in \nfact, both of these individuals had real breaches, then, in \nfact, if all those things be true, then, in fact, we went down \na look-see that didn't end up. But today I believe very \nstrongly and I think at least two of our witnesses feel \nstrongly that there's at least a credible case to look into it.\n    And I might close--and I thank the gentleman for so much \nyielding. I remember when Pat Tillman's family was in front of \nthis committee. I remember us looking at various events that \nwere very controversial, assertions by grieving family members. \nThis committee has taken the breadth of investigations by both \nsides' chairmen, and we have explored them. We explored \nsteroids in baseball. We've done a number of things. The \nranking member and I have continued to work on trying to clean \nup the NFL's problem with human growth hormones. Those are not \nwithin the mainstream.\n    So I do appreciate the gentleman. And I want to be very \ncareful. I would ask, again, all Members to look at the \nproffer, to meet with the whistleblower. Even if he is never to \nbe granted the opportunity to testify, the proffer itself might \ngive you the reason for why we are going forward to try to find \nthe facts through other means and why this hearing is here \ntoday.\n    Mr. Cummings. Will the gentleman yield?\n    Chairman Issa. Of course.\n    Mr. Cummings. First of all, Mr. 
Chairman, you know, I was \nquestioning as I was listening to Mr. Connolly whether this is, \nin fact, intervention. I'm not sure that it is, to be frank \nwith you. But I'm hoping that, at the end of the day, that the \nFTC hears this. Clearly, there are some things that need to be \nresolved here.\n    And, you know, when I hear the stories of Mr. Daugherty, \nMr. Roesler, I think it concerns all of us if you have been \ntreated unfairly, because we try to fight against that kind of \nthing.\n    But, again, I think--and I'm glad you said what you said \nabout being careful. Because it's interesting, in my office, \nMr. Connolly, I tell my staff that if somebody walks in there \nand there's any kind of pending anything, judicial, quasi-\njudicial, I'm not touching it, I'm just not going to touch it, \nbecause I don't want to interfere.\n    Mr. Connolly. Right.\n    Mr. Cummings. And I think there's probably a problem with \nit anyway, ethically.\n    But, hopefully, this will lead to something where there's \nsome clarification, Mr. Chairman, so that we don't have these \nkind of situations, or, if nothing else, at least some clarity \ncomes to the people who are in the industry as to what is \nexpected of them, what's fair, what's reasonable.\n    Mr. Cummings. And if we can come to that--and, again, as I \nsaid a little bit earlier, Mr. Chairman, we have not said \nabsolutely against immunity for a whistleblower. We just want \nto make sure that we dot our i's, cross our t's.\n    And so, thank you very much.\n    Chairman Issa. I thank the ranking member, and I thank Mr. \nConnolly.\n    We now go to the very patient quasi-expert on HIPAA, Dr. \nGosar.\n    Mr. Gosar. Well, thank you, Chairman.\n    I'm a dentist before I came to Congress, so I'm very aware \nof HIPAA and OSHA, and it's very different from what I'm \nunderstanding here, Mr. Daugherty, right? I mean, we have \nclasses, we have rules, regs. 
They're pretty astute and pretty \nwell-defined, right?\n    Mr. Daugherty. Yes, Congressman. As a matter of fact, we \nenjoy daily mailing offers for educational seminars that anyone \ncould have at any day.\n    Mr. Gosar. And so, like, a typical small business, you \nupdate, you try to keep up with trends, making sure that you're \nup to par in protecting databases, as well, true?\n    Mr. Daugherty. Correct. We always had an IT staff of at \nleast 3 people, even when we were only, like, 15 employees. And \nwe also had an outside company help.\n    And, as a matter of fact, we upgraded to--we found in the \nsmall-business community and in the medical community that's \nunder 100 or 200 employees, there were no security products out \nthere. So when the FTC approached us, when we were trying to \nget an answer of what to do and we couldn't get an answer, we \nwent out to the industry, and they didn't have products for us. \nThey only were with 500-employee companies and up. So we had to \nfind a company that would actually customize something for us \nthat was built for someone bigger that would actually work with \nus, and we could only find two vendors to do it.\n    Mr. Gosar. So, I want to get back to this fair notice. It \nseems like if what I heard from Mr. Hartzog in regards to \nlooking across the industry for fair and applicable \napplication, they should've taken some of that into \nconsideration.\n    Mr. Daugherty. Well, I would agree with that, sir, yes.\n    Mr. Gosar. Yeah.\n    Mr. Hartzog, are you real familiar with why the FTC is even \nin business today? Do you understand the history from 1978 to \n1980? In fact, my Democratic colleagues almost--actually shut \nthem down during 1980.\n    Mr. Hartzog. I----\n    Mr. Gosar. And underneath, in regards to--the FTC only \nsurvived in its agreement to limit its discretion by issuing \nits now-revered unfairness policy statement, true?\n    Mr. Hartzog. That's correct.\n    Mr. Gosar. 
So there's even more onus--you bypassed it, but \nthere's even more onus on the FTC to be fair and applicable \nacross these applications. Would you agree?\n    Mr. Hartzog. Yes. They are----\n    Mr. Gosar. Well, I mean, so the statute and the mission is \nvery specific to the FTC, right? So the application across all \nagency boards are not exactly what you said.\n    Mr. Hartzog. Well, with respect to whether something \nconstitutes an unfair trade practice. So it actually isn't even \nlimited to deception, but the policy codification was to an \nunfair trade practice.\n    Mr. Gosar. Well, my whole point is the FTC is further \nscrutinized by its jurisdiction in regards to that. So they \nwere disciplined by Congress, okay?\n    Would you agree with that, Mr. Stegmaier?\n    Mr. Stegmaier. I think the agency has more of a track \nrecord, historically, and speaking purely historically, of \npotentially running afoul and having congressional oversight. \nAnd, for example, their rulemaking authority is highly \nconstrained coming out of some of the same things I believe \nyou're talking about.\n    Mr. Gosar. Yeah. So let me--I guess my question is, if \nwe're coercing settlements, what good is the rule of law? How \nare we overseeing the FTC in a proper adjudication if they're \nalready being scrutinized a little differently because of their \npast history?\n    Mr. Stegmaier. I think it's a really good question, and I \nthink it's one we need to explore further.\n    Certainly, having represented companies that felt they were \nbeing coerced, I very much sympathize with the tone and tenor \nof your statement. And, in the same breath, I would just say \nthat my experience with the folks actually working at the \nagency has been of a really bright, hardworking, dedicated \ngroup of people that believe in what they're trying to do. 
And \nI think one of the things that can be happening here is a bit \nof disliking the messenger versus the message.\n    And part of that is simply because we, as a society, \nhaven't resolved what privacy and data security mean, but we \nhave a law enforcement agency that's out there prosecuting \ncompanies with what it thinks it means, you know, over more \nthan a decade now. And that's really, I think, what brings us \nhere, is a tough spot independent of anything that Mr. \nDaugherty or the other information before the committee or the \nproffer, none of which I'm specifically familiar with.\n    Mr. Gosar. And it seems to me that we haven't had oversight \nor reauthorization of the FTC, and maybe we need a mission. I \nmean, just because you're bright and you're affable in your \njob, it doesn't make you right in your application of the law, \ndoes it, Mr. Stegmaier?\n    Mr. Stegmaier. So I made a note to myself earlier: Just \nbecause you do something doesn't mean you have the authority to \ndo it. And so I would agree that a measure of oversight and \nreview is appropriate, given, as the agency acknowledges, that \ntechnology is moving very rapidly, data is moving very rapidly, \nand, clearly, the agency has a very important role to play, but \nthat is one that is, you know, limited and subject to \ncongressional review.\n    Mr. Gosar. And so, would you still agree that the review of \nyou're innocent until proven guilty?\n    Mr. Stegmaier. I would agree that you are absolutely \ninnocent until proven guilty. I think that's the entire reason \nwhy I'm here today.\n    And I think, more importantly, it's really a shame if \nyou're prosecuted and you couldn't possibly have known what the \nlegal requirement was for which you are being prosecuted. And \nthat's what the fair notice doctrine is about in the articles \nI've written.\n    Mr. Gosar. Yeah.\n    Mr. Hartzog, would you agree with that?\n    Mr. Hartzog. 
I agree with the general statement, but I
would also say that the case-by-case way of establishing law is
actually a part of----
    Mr. Gosar. I mean, you didn't give a very good, I mean,
notice about applicability across the board here. You tried to
cite as an expert witness, and you tried to cite, which you
really couldn't. And shouldn't that be more based upon
predicated caselaw so we should see, instead of coerced
settlements, we see more applicability going towards the
courts?
    Mr. Hartzog. If I might, actually----
    Chairman Issa. The gentleman's time has expired, but you
may answer.
    Mr. Hartzog. Thank you.
    If you look at the complaints, actually, we actually see
substantial overlap of the FTC complaints with the HIPAA
security rule and Gramm-Leach-Bliley. And so, actually, it's
actually a fairly nuanced standard. If you look at the
complaints which, established in a case-by-case manner, really
outline what an unfair or deceptive trade practice is.
    Mr. Gosar. Thank you.
    Chairman Issa. Thank you.
    We now go to the gentlelady from Illinois, Ms. Duckworth.
    Ms. Duckworth. Thank you, Mr. Chairman.
    Thank you, gentlemen, for being here today.
    I just want to establish some clarification. And, Mr.
Roesler, I know you do tremendous work in support of our
citizens who are suffering from AIDS and do everything that you
can through your organization to support your clients.
    I just want to, sort of, go through the timeline of your
particular instance. You were contacted by Tiversa saying that
they had these files that they had found on peer-to-peer
networks and that for a certain amount of money they could help
you with it. Subsequent to that, you then went to your IT
providers and did a thorough search and determined that nothing
in your networks had been breached. Is that correct?
    Mr. Roesler. That is correct.
    Ms. Duckworth. And, at a later point in time, you received
a letter from the FTC saying that there was this file in the
Internet, and it was a different file name from the file that
Tiversa had informed you was out there. Is that correct?
    Mr. Roesler. That's also correct.
    Ms. Duckworth. Great.
    Prior to this time, did you not suffer a break-in to your
facilities, where a laptop was physically stolen from your
facility?
    Mr. Roesler. That's correct. In 2007, Open Door was the
victim of a theft of one of our laptops in our Aurora clinic
space.
    Ms. Duckworth. Correct. And you did report that crime to
the police?
    Mr. Roesler. That was reported, yes.
    Ms. Duckworth. Yes.
    So when you got the notice from FTC with a different file
and in going back and reviewing, is it true that you have
determined that these files that were on the Internet were not
a result of any type of a security breach to your network but
probably came from that laptop that was stolen?
    Mr. Roesler. That is an assumption that we do have, that
the laptop that was stolen had these as well as other documents
on that computer.
    Ms. Duckworth. And so the FTC has not pursued--has not
contacted you other than that first letter to say they found
these files on the Internet, this is a warning, you need to
deal with it. Is that correct?
    Mr. Roesler. That is correct. Thank you.
    Ms. Duckworth. Okay.
    Do you have any evidence that the FTC turned over
information of any of those files to any law firm that then
initiated the class action lawsuit against you?
    Mr. Roesler. No evidence at all.
    Ms. Duckworth. No evidence at all.
    So what I'm trying to get to here is the fact that there
are two different things going on. There are the practices,
which I think appear to be very egregious, on the part of
Tiversa, which I want to get to the bottom of, and then the
fact that you were very much a victim of an actual theft to a
facility that probably did have a lock on your front door,
quite literally, and then the FTC finding a different file on
the Internet from the one Tiversa contacted you with and said,
hey, this file is out there, take a look at it. You dealt with
it.
    The only thing that I'm somewhat concerned with in terms of
your actions is that you did not notify your clients for over a
year whose names were on that stolen laptop. Is that correct?
    Mr. Roesler. That is correct.
    Ms. Duckworth. But that's a matter for State law; that's
not under the jurisdiction of this committee here.
    But you've settled the lawsuit with this law firm, wherever
they got the information from, not from the FTC but from
somewhere else. Your clients--many of whom are back with you
and are happy with the treatment that they're getting?
    Mr. Roesler. That's correct. We are back to doing business
as usual.
    Ms. Duckworth. Which you love, which is taking care of your
clients.
    Mr. Roesler. Very much. Thank you.
    Ms. Duckworth. Thank you.
    Mr. Hartzog, could you give me your opinion on, was it
appropriate for the FTC to contact Mr. Roesler to say that,
hey, we found a file on the Internet that contains your
clients' names?
    Mr. Hartzog. Sure, in the sense that the FTC has, you know,
a broad ability to look into lots of different data breaches to
determine whether there was reasonable data security or not.
    Chairman Issa. Would the gentlelady yield just for a point
of information?
    Ms. Duckworth. Yes, I'll yield.
    Chairman Issa. The committee can provide you with the
produced written data that shows that Tiversa provided that
information to the FTC. So the source in both cases was Tiversa
directly in contact and then indirectly when the FTC gained
from Tiversa that same information that Open Door failed to, if
you will, pay for protecting.
    Ms. Duckworth. Thank you, Mr. Chairman. But I do think the
FTC did contact Mr. Roesler with a different file name.
    Which is how I believe you were able to come to the
conclusion or the assumption, a working hypothesis, as it were,
that it likely came from this laptop and not from a breach of
your network.
    Mr. Roesler. Okay, no, that's not exactly correct.
    Ms. Duckworth. Okay.
    Mr. Roesler. So during the litigation and during discovery,
the law firm was able to produce quite a few documents that had
been downloaded from a peer-to-peer network. It was when we
started looking through the piles of documents that we were
able to ascertain what the likelihood is of which employee
might have been producing most of those documents. And from
there, we were able to then figure a timeline that, well, this
employee doesn't currently have these documents on their
current laptop; however, come to think of it, 2 years ago,
their laptop had been stolen out of our clinic. And that's when
we started moving backwards in that thought process.
    Ms. Duckworth. Okay. Thank you.
    I'm out of time, Mr. Chairman.
    Chairman Issa. Thank you. If the gentlelady would just
allow me to follow up on your line?
    Mr. Roesler, do you believe that Tiversa provided you with
all the information and all the files that they had found?
    Mr. Roesler. Could you repeat that question?
    Chairman Issa. In other words, when they approached you and
said, we found this vulnerability, do you believe at that time
they provided you with a sample of what they had found or all
of it so that you could figure out the source?
    Mr. Roesler. Thank you, Chairman. That's a very good
question.
    They produced one document, what I believe to be--it is my
opinion, but that they had more than the one that they
described to us that they had at the time.
    Chairman Issa. And I'll go to the ranking member in just a
second.
    The reason I want to do that is Ms. Duckworth's two
different documents. Since our data that's been found in
discovery shows that Tiversa did turn over to the FTC the
documents, or that we have a list with your name and so on on
it, it appears as though what FTC brought you, which was a
different document, was also from the same source of Tiversa.
    And, Ms. Duckworth, the reason--and I appreciate that
you're talking in terms of looking at Tiversa and so on--is, as
far as we can tell, the only taker of this personal
identifiable information that we know for sure reached into his
systems on his network and pulled out files was Tiversa, who
reached in, pulled them out, and turned them over to the FTC.
That's the part that we know, is that at least one company
found the vulnerability, took the information, gave it at a
minimum to the FTC. And there is some question by the committee
as to how the law firm got that same list and produced a class
action, a law firm in the same city.
    And that's, I think, what the gentlelady is really looking
at, is this doesn't look good. And the effects on Open Door
were devastating.
    Ms. Duckworth. Well, I would agree with the chairman that
the effects on Open Door was devastating, but I don't agree
that they reached into their network. Open Door has determined
that there was no breach of their network. And, in fact, the
data breach came from a stolen laptop. So if Tiversa got this
information, they got it from someone else who uploaded the
information from a stolen laptop, 2 years prior, to the
Internet.
    It was not a breach of their network. They did a thorough
search of their network. And, in fact, Tiversa is getting this
information that someone else, presumably the thief who broke
into their facilities and stole their laptop or someone that
got that information off the laptop, uploaded. It's two
different mechanisms----
    Chairman Issa. And I share with the gentlelady very much
versions of that possibility. That laptop that was stolen
could've had LimeWire added to it. It could've been put up on
the thieves' Internet site, and Tiversa could have found it out
on the Internet. The interesting thing was that Tiversa did not
go to the laptop or to some other posting; they actually went
to this company and said, we found the vulnerability on your
site.
    And that's what is so perplexing, is they didn't say, we
found this information in the Internet. They went to Open Door
and said, we found your vulnerability and we offer you services
for your vulnerability. Now, my understanding is Tiversa also
will talk about helping cleanse lost data, clean up what's been
out there on the Internet. There's a lot of services people
talk about.
    But it is confusing that, in fact, this data, we know for
sure, got into Tiversa's hands. And in our discovery, we do not
yet know, did they really get it off of your Web site at Open
Door? Did they get it off the stolen laptop?
    One thing we're convinced about is that they may very well
have never gotten it, seen it somewhere in the Internet, except
on a vulnerability from a peer-to-peer. And, in fact, it may
never have been made available so as to harm the 180-plus AIDS
patients that in some measure felt offended and served a
lawsuit.
    Ms. Duckworth. I would have to disagree with one portion of
that, Mr. Chairman. I share your concern with Tiversa's very
predatory practices, and I think we should look more into it
and I would love to have them here. But I think, in this case,
Tiversa said they found this data on a peer-to-peer network,
not on Open Door's network. They found it on a peer-to-peer
network. That's what they told Open Door, ``We found it on a
peer-to-peer network.''
    Open Door then went in and looked at their peer-to-peer
network and saw and confirmed that it had not been breached and
that there was no vulnerability in their peer-to-peer network.
Just because Tiversa found it on a peer-to-peer network does
not mean that that peer-to-peer network belonged to Open Door.
Someone else uploaded it from, likelihood, that stolen laptop
to a different network.
    So I just want to make sure that Tiversa is--they could
possibly be trolling the Internet for this data on various
peer-to-peer networks, not necessarily Open Secret's, found it,
and then tried to get them to purchase services. So it's two
different things. And I just want to make sure that this is--
the things that Open Door has suffered has been because of
Tiversa and Tiversa's actions with the law firm.
    And, in fact, as far as the FTC is concerned, they sent
them a note saying, there's this form out there--there's this
file out there, you need to take a look at it. And they've not
prosecuted, they've done nothing else. Really, they've been the
victims of a class action lawsuit that was initiated by Tiversa
after they found a document on a separate peer-to-peer network
that was not the one that was Open Secret's--I mean, Open
Door's.
    Chairman Issa. You may very well be right. And I think
you're getting a nod from Open Door.
    But I think the gentlelady has made the exact point that I
hope we can all come together on, which is we have a
whistleblower who wants to give us detailed information
directly related to each of these events with actual recorded
hard disk data and only asked that his involvement and his
testimony as to how he was involved in this at Tiversa not lead
to his prosecution. And that is all that, in fact, when you see
the proffer, if you will please see it, video proffer, you're
going to see, is a demonstration specifically of that. And it
does give us a fact witness, however flawed in any other way, a
fact witness who will make specific allegations as to
particular companies and where their data was or wasn't;
additionally, and for me as a former ranking member and member
of this committee, is also prepared to testify about evidence
that was presented to this committee under oath. And that's why
we have sought to have this witness.
    Today's hearing deals with what we know and what happened
to these individuals and with some of the pitfalls of, does the
FTC, for example, in the case of Open Door, did they get second
corroboration or did they send that letter in your case, and a
lawsuit in your case, based on a single source that may or may
not have been accurate?
    And, to a certain extent, I know we're all getting mired in
Section 5 authority. This is more than Section 5 authority.
It's about whether an agency, even if it has the authority,
what are the safeguards before they file a lawsuit? What are
the safeguards to make sure that the allegations are
independently corroborated? Because cybersecurity is, in fact,
as the gentlelady knows, it's not a hard science where you can
be sure. And if somebody says this happened, making sure it
happened is important.
    So this is a broad subject. Cybersecurity is a core element
of our oversight, not just here but throughout government. And
it's one of the reasons I thought bringing up the whole
question of how do we move cybersecurity positively--because,
Mr. Hartzog, I think you would agree, and, Mr. Stegmaier, I
think you would agree, that to the extent the FTC has
authority, it's in order to protect against unfair practices,
that's their basic--but, in fact, to move us into greater
security and reliability of people's information when it's held
by third parties. And that goes to the core of cybersecurity in
and out of government.
    So my view was this hearing, separate from the other
discussion that I hope to have with the whistleblower, this
hearing was worthwhile not because there's an ongoing
investigation or case, Mr. Daugherty, and not because of what
you've suffered alone, but because you're helping America
understand this is complex, we have to make sure that
allegations are correct, and we have to make sure that if
there's a bad actor basically selling services in an unethical
way that we hold them accountable.
    And that's why I'm so interested in your line of
questioning and I support it and I appreciate it.
    Ms. Duckworth. Thank you, Mr. Chairman.
    Again, I don't think the FTC filed a lawsuit against Mr.
Roesler, just warned him that the file was out there. But I
agree with you that I would like to know more about this
process, so it would be great if we could have the FTC here in
testimony.
    Chairman Issa. And we do intend to. What we're asking is
that they answer our questions as to some of this corroboration
and so on. We expect to ask both Tiversa and the FTC.
    One of the challenges--and I hope the ranking member will
chime in on this, too. Mr. Connolly's statement about an
ongoing lawsuit means that we have to think about how and when
we bring the FTC in so that we not put them here specifically
talking about a lawsuit that is ongoing. So I want to be a
little careful on that. We are working with the IG. And the
FTC's IG is available to come in and brief your office, because
she has a separate investigation that we're respecting, her
ongoing investigation.
    Mr. Cummings?
    Mr. Cummings. Thank you.
    Mr. Chairman, I want to just go back to something you just
said.
    And I want to direct this to you, Mr. Hartzog. When the
chairman--and I think when you boil a lot of this down, this
issue of independent corroboration and trying to be fair--and I
think that's what the chairman is saying. He's not--I think
he's saying that, you know, there may be appropriate times, but
trying to have a sense of fairness with it all. Because these
gentlemen, I think, would say that they feel that they have
been treated unfairly.
    So can you talk about, I mean, how that would work and how
other agencies deal with that? Do you understand what I'm
saying?
    Mr. Hartzog. Sure. Sure. So it's difficult for me to
speculate on the way that other agencies deal with that. But I
will say that it's important to remember that when the FTC gets
information about a potential breach or a vulnerability, that's
just the very beginning of the inquiry, right? So the FTC
doesn't police data breaches; the FTC polices unreasonable
data-security practices.
    Now, a breach can be evidence of a data-security practice,
but that's just the starting point, right? So if you look at
the complaints, the complaints actually have kind of a litany
of data-security failures, so failure to have a training
program and failure to implement administrative and technical
and physical safeguards. And all of these things are things
that are incumbent upon the FTC to actually prove if they
allege them in the complaint.
    And so I think that we want to be careful not to assume
that just because the FTC has been notified of a breach, that
that immediately means that the company that suffered the
breach is liable, right? So the FTC is--it's on the FTC to fill
that out, right, to say, well, what actually were the--were
there unreasonable data-security practices that allowed this
breach to happen? Or was this a breach that was going to happen
regardless of whether there were reasonable data-security
practices?
    And that, to me, is really where the FTC, you know, starts
doing its real investigative work, in that, you know, the
notification of a breach is just kind of the first tip that
leads to an investigation.
    Chairman Issa. Thank you.
    Mr. Clay?
    Mr. Clay. Thank you, Mr. Chairman, and thank you for
conducting this hearing.
    Some critics of the FTC's approach to data protection have
argued that the FTC has not provided adequate notice of the
guidelines a company must follow to avoid an enforcement
action. For example, in Federal litigation in New Jersey,
Wyndham Hotels argued, ``If the FTC can regulate data security
at all, it must do so through published rules that give
regulated parties fair notice of what the law requires.''
    Professor Hartzog, do you agree that published rules are
required to give organizations notice of the data-security
standards that are required?
    Mr. Hartzog. I don't think that that's necessarily
accurate. I think that administrative agencies like the FTC
actually have the choice of publishing rules or proceeding in a
case-by-case basis and establishing the contours of the law in
that way.
    And, in this instance, when you have a complex and ever-
evolving problem like data security, which is really more of a
process than a set of rules, then the FTC has chosen, and I
think probably wisely, to proceed in a case-by-case basis in
order to incrementally establish rules and be adaptive to the
ever-changing needs of consumers to have their data protected.
    Mr. Clay. Well, how can a company know when it's going to
run afoul of the data-security requirements if they don't have
notice of the rules?
    Mr. Hartzog. I would actually argue that they do have
notice of what's required. So there are several different
things that you can look to. When you have a reasonableness
approach, the FTC isn't the only agency, the only regulatory
scheme that uses a reasonableness approach. So States do, and
there are other statutes that take advantage of it.
    And you can look to basic things, right? So even in the
statement that the FTC issued on its 50th data-security
complaint let it know that there are really five basic things
that you have to do. You know, you have to identify your assets
and risks; you have to minimize data; you have to implement
safeguards; and you have to have a breach response plan. And
those are the basic components.
    And the way that you then fill that in is you look to lots
of different variables, like the size of the company and the
sensitivity of the data and the amount of data that you're
collecting and the resources that you have available, which of
course vary wildly according to company.
    And so it actually, I think, would be a mistake to try to
put those into rules because they inevitably would be either
overinclusive or overprotective or underinclusive depending
upon the context. And so, really, the only way forward, in my
mind, is to proceed upon a reasonableness basis here.
    Mr. Clay. Okay.
    Other critics of the FTC Section 5 enforcement authority
have argued that the FTC should establish bright-line data-
security standards in advance of any enforcement measures
delineating exactly what companies must do to comply with this
data-security obligation.
    Professor Hartzog, in your recent article on the FTC and
data protection, you address this point, writing, ``Many
critics want a checklist of data-security practices that will
provide a safe harbor in all contexts. Yet data security
changes too quickly and is far too dependent upon context to be
reduced to a one-size-fits-all checklist.''
    Professor, can you elaborate briefly on what you mean here?
How is data security changing in ways that make formal
rulemaking impractical?
    Mr. Hartzog. Sure. So I've spoken with a lot of data-
security professionals in doing my research, and they almost
uniformly tell me that you can either have a one-size-fits-all
checklist that lists the 17 things that you're supposed to do
or you can have good data security, but you can't have both.
    And the reason why that is is that data security changes so
much, and it wouldn't make much sense to say that small
businesses have to follow the same data-security protocols that
Target and Amazon have to follow. And so it actually is very
dependent upon all these variables.
    And to the extent that we've heard testimony today saying
that, you know, oh, well, we have guidance from HIPAA and we
have guidance from Gramm-Leach-Bliley, I would ask everyone
actually to look at the complaints filed by the FTC. They're
very similar to the requirements in HIPAA and Gramm-Leach-
Bliley. And so, to the extent that everyone is kind of fine
with the way that those work, I think you can see similar kinds
of requirements in the complaints filed by the FTC.
    Mr. Clay. And you also wrote that flexibility to adapt to
new situations, the FTC can wait until a consensus around
standards develops and then codify them as this happens.
    Mr. Hartzog. That's correct. So one of the problems with
formal rulemaking is that if you make it too technologically
specific, then by the time the rule actually gets passed, it's
become outdated and you've got to start the whole process all
over again, and it becomes this never-ending series of trying
to update standards that have become outdated.
    We've actually seen this in other areas of the law where
we've tried to list out technological specifications, and we
now get routinely frustrated, you know, that they're outdated
because it changes so quickly.
    Mr. Clay. Thank you for your responses.
    Mr. Chairman, my time has expired.
    Chairman Issa. Thank you, Mr. Clay.
    Well, we're going to come to a close, which is probably
blessed for all of you. But I have just a final set of
questions, and I'm going to go to each of you.
    Mr. Hartzog, I hear everything you're saying, but if I'm to
believe what you're saying, the complaints and the consent
decrees are supposed to be my guidance as to what I have to do.
I have to find within the complaints a company and a set of
information that's similar to mine to figure out what I should
or shouldn't do.
    But even then, the consent decree says, we're going to keep
an eye on you for 20 years. So, 2 years later, 3 years later,
what they're doing behind closed doors in their oversight of
that one company, I don't have visibility on that.
    So how am I supposed to know what the law is?
    Mr. Hartzog. So I would actually say, instead of looking
kind of to the consent decree, you look to the complaints. And
the complaints actually point to industry standards, right? And
there are various, actually, standards you could look to. So
you could look to----
    Chairman Issa. But none of those standards are safe havens;
is that right?
    Mr. Hartzog. Well, no, not explicit safe havens, but I
think the understanding is----
    Chairman Issa. But wait a second. If I go 34 miles an hour
in a 35-mile-an-hour zone, I'm not going to get a speeding
ticket. Is that right?
    Mr. Hartzog. I'm really glad you brought that up. So Mr.
Stegmaier brought up the whole speeding-limit thing, as far as
how that's adequate notice. I would also add that if you look
at speeding rules, in inclement rules the speeding rules
actually change; they say drive reasonably under the
circumstances. And yet we don't have a problem with that
speeding law, which is, of course, based on a reasonableness
standard.
    Chairman Issa. That happens to be an interesting law,
because it only gets enforced when you have an accident, and
then they will sue you. They will claim that you were driving
too fast for conditions.
    I appreciate the fact that you noted, then, that when the
``fit hits the shan,'' when things go bad--I worked on that for
a long time; I want you to appreciate that--then they will
write you a ticket, when even when you drove the speed limit
something happened. But there has to be a bad occurrence for
that to be enforced. So I think we're all agreeing it's a good
example.
    But cybersecurity is a real question. I don't know
everything about LabMD. I don't know everything about Open
Door. But I will tell you that people right now, whether they
have a server in a closet and they're buying the latest
software from Microsoft and other companies or they're up on
Amazon or somebody else's virtual network, they don't know what
the standard is.
    I know one thing. Target and the U.S. Government at
HealthCare.gov spent millions of dollars on security, hired
countless experts in and out of house, and they were obviously
data failures. So it's an inexact science.
    The Federal Trade Commission has a mandate to protect us as
consumers from, effectively, willful or reckless behavior.
LimeWire participated in reckless behavior in the switches, how
they had them turned down, what the default was, perhaps even
on the peer-to-peer. But, certainly, because they made you most
vulnerable, unless you knew a lot about the software and
installation, they created a vulnerability which, quite
frankly, was intentional.
    And in a hearing before this committee, we pretty much got
that, that they were--they thought it was great to open wide,
when, in fact, they were implying it was small. To me, that's
what the Federal Trade Commission was supposed to go after.
They just weren't, apparently, an easy enough target.
    So as we look at, not Section 5 authority--because I
believe that Section 5 authority intended on deceptive and
unfair practices in the Internet world, in the cyber world,
being an authority; I think they did. But I think they wanted
us to go after LimeWire, after people who claimed things.
    And, quite frankly, I think maybe they want to go after a
company like Tiversa, who goes around and trolls all over the
Internet, using expertise that some might say was similar to
the CIA--who, by the way, paid Tiversa at one point. And they
go out and they find all these vulnerabilities, and then they
turn them into business practices. And, in fact, every
indication is they not only found the vulnerabilities but they
stole information off those products. They stole them after the
CEO of that company testified that these people were victims.
Mr. Boback testified before this committee that people whose
employees loaded LimeWire were victims, that, in fact, the
person loading LimeWire was a victim because he or she didn't
understand that they were creating the vulnerability.
    So the very person who said you're a victim of this peer-
to-peer software before this committee then used that
vulnerability to pull data, to steal data. And to the extent
they stole data only so they could inform the company and show
them that it happened, I might say that it wasn't wrong. But to
the extent that it was $475 an hour, that becomes a little more
questionable. To the extent that they then go to the FTC if you
don't say yes, as though they have a civic obligation.
    Our discovery is not finished, but at this point it appears
as though if you paid Tiversa, you never would've gotten that
letter from the FTC. Mr. Daugherty, if you'd paid Tiversa, you
never would've had these years of agony. And for just a few
hundred thousand dollars, you probably would still have a going
concern instead of litigation ongoing.
    Now, that doesn't go to the merit of the letter, it doesn't
go to the merit of the suit. It goes to the whole question of
the practice. We haven't passed a law that says, if you go out
and surf the Internet, look for vulnerabilities and take things
off of people's private sites, including HIPAA-related
material, that, in fact, you're a criminal. Maybe we should.
And that's within the jurisdiction of Energy and Commerce and
other committees, and we take it seriously. And it's one of the
reasons that this hearing is important.
    Now, I have a closing very self-serving question, mostly
for, if you will, my two company victims. Things have been said
here and allegations made and questions about Tiversa as a
company. I don't normally investigate companies. It's not the
practice of this committee.
    But given--and I'm going to leave Mr. Daugherty, because
you're in a lawsuit. I'm just going to leave you out of it for
a moment.
    But, Mr. Roesler, your case is completely finished; is that
correct?
    Mr. Roesler. It is.
    Chairman Issa. And so you're done, you have no financial
interest in anything that we look into; isn't that correct?
    Mr. Roesler. That's correct.
    Chairman Issa. So do you believe it's reasonable for this
committee to find out what Tiversa took off of your Web site or
your site or some other site, where they got that information
that they approached you with an offer to sell you services?
    Mr. Roesler. I believe it's worth the while if there's a
pattern, that I am not the only victim, then it's worth the
while.
    Chairman Issa. If we thought you were the only one, we
wouldn't be here.
    Do you believe it's important for us to verify the
relationship between Tiversa and the various companies--many of
whom we have lists of, so we know you're not the only one--that
they turned over to the FTC based on one question? The ones
that they offered services to that bought the services where
they never turned over to the FTC, but ones who declined were
often turned over to the FTC. Is that a question you think we
should find out the answer to?
    Mr. Roesler. I believe that would be a very good question.
    Chairman Issa. And, lastly, the law firm that sued you in a
class action, do you believe it's fair for us to find out
whether there was a direct connection between these two
Pittsburgh-based companies and data taken from somewhere yet
unknown, provided to the law firm, and the law firm then going
out and reaching out to your patients and clients? Do you
believe we should ask those questions as part of a broader
investigation to find out whether, in fact, that was
coincidence or, in fact, an attack on your company because you
didn't buy their services?
    Mr. Roesler. Mr. Chairman, one of the reasons why I'm glad
to be here today is the hope that possibly that question could
be answered.
    Chairman Issa. Well, I'm going to recognize Mr. Cummings.
    These are some of the areas in which I believe that
somebody should investigate. For now, the somebody is us. Our
hope is that the FTC IG, who has some authority but not as much
as we do, oddly enough, to get information from nongovernment
entities, and perhaps the Justice Department and others will
look into it.
    But until we find somebody else, at least for the
foreseeable future, my intent is to continue asking those
questions. We will invite Tiversa and others in. As I said at
the opening, I would hope to hear--that all the Members would
hear from the whistleblower, not because his accusations are
alone of anything other than the basis under which we began
this, but because when you get one set of allegations and you
go out to corroborate them and you have those as a first
statement, then when you find the second corroboration,
normally it allows you to show that it is true. I want to get
to the truth. I know Mr. Cummings does.
    So for all of you, Section 5 authority--it's not our job to
second-guess what Congress gave them. They gave them the
authority. Section 5 authority, it is for us to ask, are they
acting in a way that allows unfair actors to be held
accountable and others to know how to meet their obligation?
You have our commitment, we intend to continue and do it.
    As to unfair practices practiced in the cyber world and as
to people's vulnerabilities and how they correct it, this is an
ongoing part of this investigation. The questions I asked you,
I said they were self-serving. It's the intent of this
committee to continue for as long as it takes to feel that all
parties are satisfied that we asked all the right questions and
got as many answers as we could.
    Mr. Cummings?
    Mr. Cummings. Thank you very much, Mr. Chairman.
    When I--first of all, I want to thank the witnesses for
being here. You know, sometimes I think witnesses wonder
whether they have an impact. And I can tell you that all of you
were excellent. And I really appreciate what you said, and I
think the Members listened to you very carefully.
    When I first read the title of the hearing, I was very
concerned with the question of whether FTC has the authority to
pursue data-security enforcement actions under its current
Section 5 authority. And I think, based upon what the chairman
just said, I think we all agree that they do. And I agree with
him, the question is how they go about doing that.
    And I think that there are moments that present themselves
in our lives where we have to stop for a moment and at least
take a look at what we're doing and how we're doing it.
    Mr. Roesler, Mr. Daugherty, as I said before, if you've
been treated unfairly--you know, and both of you are dealing--
your businesses dealt with health issues, right? Health. And
health is a big, big deal for me, personally, and I'm sure it's
a big deal for most of us. But I want us to be very careful.
    You know, government does have a role to play. It really
does. When people's information is out there, their lives can
be turned upside down. I've had people come to me as a
Congressman, talk about their identity being stolen and taking
years and years to get it back. We have to have some folks
making sure that we protect as best we can against that.
    And I think that there's always a balance. You know,
there's got to be a balance so that we don't just run over
people like you, Mr. Roesler, and you, Mr. Daugherty, but, at
the same time, make sure that folks who are aiming to do these
kinds of things know that we're not going to stand for it and
that somebody's going to be looking and somebody's going to
bring them to justice.
    So that's where, you know--that's--you know, if you listen
to everything that has been said here today, I think that's
what it pretty much boils down to. How do we strike that
balance?
    And so I thank you, Mr. Chairman. I think it was a good
hearing. I look forward to hearing from the FTC. And you're
right, trying to hear from the FTC is going to be kind of
tricky, because it seems as if--I mean, if you could limit the
questions to their general procedures without getting into the
case, I think that might be helpful, but it's going to be
tricky. But I think we do need to hear from them as to how they
go about this.
    But, again, this is a critical moment. And I think we need
to try to take advantage of it so that, if something needs to
be corrected, that we correct it. I think anybody wants to have
some idea of what they're being accused of. I mean, was there
ways to get the information out in a better way? You know, this
is what you need to look out for. It's just like when you're
riding down the road and it says, you know, 25 miles an hour,
radar enforced by photos. You know, I mean, at some point, it's
nice to have a little notice. And all of us know after we've
gotten a ticket or two that we slow down. And we know those
areas by heart; we just know them.
    And so, again, I thank you all for your testimony. I
really, really appreciate it.
    And thank you.
    Chairman Issa. Thank you.
    I'll leave the record open for 7 days, not only for Members
to put in opening statements and extraneous material, but for
the witnesses to provide any additional information they deem
appropriate as a result of the questions here.
    Chairman Issa.
I want to thank you for your testimony. I \nwant to thank you for making this a worthwhile hearing.\n    And we stand adjourned.\n    [Whereupon, at 12:24 p.m., the committee was adjourned.]\n\n                                 <all>\n</pre></body></html>\n"