[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]





 THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR, 
                            JUDGE, AND JURY

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 24, 2014

                               __________

                           Serial No. 113-142

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                                  ______

                         U.S. GOVERNMENT PRINTING OFFICE 

90-892 PDF                     WASHINGTON : 2014 
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, JR., Tennessee
PATRICK T. McHENRY, North Carolina
JIM JORDAN, Ohio
JASON CHAFFETZ, Utah
TIM WALBERG, Michigan
JAMES LANKFORD, Oklahoma
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
PATRICK MEEHAN, Pennsylvania
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
DOC HASTINGS, Washington
CYNTHIA M. LUMMIS, Wyoming
ROB WOODALL, Georgia
THOMAS MASSIE, Kentucky
DOUG COLLINS, Georgia
MARK MEADOWS, North Carolina
KERRY L. BENTIVOLIO, Michigan
RON DeSANTIS, Florida

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
JACKIE SPEIER, California
MATTHEW A. CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
DANNY K. DAVIS, Illinois
PETER WELCH, Vermont
TONY CARDENAS, California
STEVEN A. HORSFORD, Nevada
MICHELLE LUJAN GRISHAM, New Mexico
Vacancy

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director
                 
                 
                            C O N T E N T S

                              ----------                              
Hearing held on July 24, 2014

                               WITNESSES

Mr. Michael Daugherty, Chief Executive Officer, LabMD, Inc.
    Oral Statement
    Written Statement
Mr. David Roesler, Executive Director, Open Door
    Oral Statement
    Written Statement
Mr. Gerald Stegmaier, Partner, Goodwin Procter
    Oral Statement
    Written Statement
Mr. Woodrow Hartzog, Associate Professor, Samford University
    Oral Statement
    Written Statement

 
 THE FEDERAL TRADE COMMISSION AND ITS SECTION 5 AUTHORITY: PROSECUTOR, 
                            JUDGE, AND JURY

                              ----------                              


                        Thursday, July 24, 2014

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:37 a.m., in Room 
2154, Rayburn House Office Building, Hon. Darrell E. Issa 
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Turner, Duncan, 
Jordan, Chaffetz, Walberg, Lankford, Gosar, Massie, Collins, 
Meadows, Bentivolio, DeSantis, Cummings, Maloney, Norton, 
Tierney, Clay, Lynch, Connolly, Duckworth, Kelly and Lujan 
Grisham.
    Staff Present: Jen Barblan, Senior Counsel; Molly Boyl, 
Deputy General Counsel and Parliamentarian; Ashley H. Callen, 
Deputy Chief Counsel for Investigations; Sharon Casey, Senior 
Assistant Clerk; Steve Castor, General Counsel; John Cuaderes, 
Deputy Staff Director; Adam P. Fromm, Director of Member 
Services and Committee Operations; Linda Good, Chief Clerk; 
Tyler Grimm, Senior Professional Staff Member; Christopher 
Hixon, Chief Counsel for Oversight; Mark D. Marin, Deputy Staff 
Director for Oversight; Ashok M. Pinto, Chief Counsel, 
Investigations; Andrew Shult, Deputy Digital Director; Rebecca 
Watkins, Communications Director; Jeff Wease, Chief Information 
Officer; Sang H. Yi, Professional Staff Member; Meghan Berroya, 
Minority Deputy Chief Counsel; Courtney Cochran, Minority Press 
Secretary; Jennifer Hoffman, Minority Communications Director; 
Julia Krieger, Minority New Media Press Secretary; Lucinda 
Lessley, Minority Policy Director; Juan McCullum, Minority 
Clerk; Dave Rapallo, Minority Staff Director; and Brandon 
Reavis, Minority Counsel/Policy Advisor.
    Chairman Issa. The committee will come to order. Without 
objection, the chair is authorized to declare a recess of the 
committee at any time. Today's hearing, ``The Federal Trade 
Commission and Its Section 5 Authority: Prosecutor, Judge, and 
Jury.''
    The Oversight Committee mission statement is that we exist 
to secure two fundamental principles. First, Americans have a 
right to know that the money Washington takes from them is well 
spent. And second, Americans deserve an efficient, effective 
government that works for them. Our duty on the Oversight and 
Government Reform Committee is to protect these rights. Our 
solemn responsibility is to hold government accountable to 
taxpayers, because taxpayers have a right to know what they get 
from their government. It is our job to work tirelessly, in 
partnership with citizen watchdogs, to deliver the facts to the 
American people and bring genuine reform to the Federal 
bureaucracy.
    With that, I would recognize the ranking member for his 
opening statement.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Today's hearing will cover several new issues for this 
committee. First, the Republican briefing memo says that the 
committee will examine, ``whether the FTC has the authority to 
pursue data security enforcement actions under its current 
Section 5 authority.'' In Section 5 of the FTC Act, Congress 
gave the FTC authority to protect American consumers, that is 
our constituents, and ensure that their personal, medical, 
financial, and other information is protected from unauthorized 
disclosure. The FTC has been using this authority to ensure 
that companies who receive this type of consumer information 
take appropriate steps to safeguard it. In fact, a Federal 
judge recently upheld this authority and rejected an attempt 
to, ``carve out a data security exception.''
    Yesterday, Senator Rockefeller, the chairman of the Senate 
Commerce Committee and an expert on this issue, sent a letter 
to the chairman emphasizing this point. He wrote, ``Another 
apparent purpose of your hearing is to express skepticism about 
the FTC's long-standing and well-established legal authority 
under Section 5 of the FTC Act. This skepticism is unfounded, 
and your public position was recently rejected by a Federal 
judge in the FTC data security case against Wyndham 
Corporation.''
    He goes on to say, ``Over the past 13 years, the Commission 
has initiated dozens of administrative adjudicatory proceedings 
in cases in Federal court challenging practices that 
compromised security of consumers' data and that resulted in 
improper disclosures of personal information collected from 
consumers.''
    According to the Republican memo, today the committee will 
also examine, ``recent FTC actions related to data security 
practices.'' One of the witnesses testifying today is Michael 
Daugherty, the CEO of a company called LabMD. The FTC has 
brought an enforcement action against LabMD, and Mr. Daugherty 
admits that more than 900 files on his billing manager's 
computer were accessible for public sharing and downloading, 
which is a major security breach.
    Mr. Daugherty has written a book entitled ``The Devil 
Inside the Beltway.'' In it, he refers to the FTC as, 
``terrorists.'' He also accuses the FTC of engaging in, 
``psychological warfare'' and ``torture,'' and of 
``administering government chemotherapy.'' Of course he has a 
right to his opinion, but this committee should base its 
oversight work on facts rather than the extreme rhetoric of a 
defendant in an ongoing enforcement action.
    As part of our investigation, we have also received 
competing allegations about Tiversa, a data security firm that 
provided information to the FTC about LabMD's security breach. 
Obviously, we all agree that the FTC should rely only on 
evidence it believes to be legitimate. If allegations are 
ultimately verified that Tiversa provided intentionally 
falsified data, that data clearly should not be used in any 
enforcement action. But to date, we have obtained no evidence 
to corroborate these allegations. So they remain just that, 
unconfirmed allegations.
    Unfortunately, on June 17th, the chairman sent a letter to 
the FTC inspector general alleging coordination and 
collaboration between the FTC and Tiversa, and suggesting that, 
``the FTC aided a company whose business practices allegedly 
involved disseminating false data about the nature of data 
security breaches.'' The chairman wrote that, ``the FTC appears 
to have acted on information provided by Tiversa without 
verifying it in any meaningful way.'' He also requested that 
the inspector general examine the actions of several specific 
FTC employees.
    I do not know how the chairman had reached these 
conclusions since the committee has not yet spoken to a single 
FTC employee. The committee just requested documents from the 
FTC less than a week ago, and the committee has obtained no 
evidence to support claims that the FTC officials directed 
Tiversa employees to fabricate information. To the contrary, 
every single current and former Tiversa employee interviewed by 
the committee staff has uniformly denied receiving any requests 
from FTC employees relating to fabricating information.
    In response to the chairman's request for an investigation, 
the inspector general has now informed the committee that one 
of the employees named in his letter in fact was, ``brought in 
to assist with the LabMD case after Tiversa was no longer 
involved, and she has not been working on the case for the past 
year.'' As I close, so it appears that some of the chairman's 
information was incorrect.
    I am sure we will hear a lot of allegations today from 
parties in this ongoing litigation. Our job is not to take 
sides, but rather to serve as the neutral overseers and base 
our conclusions on the facts and the evidence.
    The consequences of having personal information compromised 
can be devastating. As the new Republican majority leader Kevin 
McCarthy has said, ``Nothing can turn a life upside down more 
quickly than identity theft.'' I agree with him. That is why I 
wrote to Chairman Issa in January proposing the committee 
examine the massive data security breach at Target, which may 
have compromised the personal information of more than 100 
million American consumers. Instead of holding hearings like 
today's, which seeks to cast doubt on whether the FTC even has 
the authority to protect our constituents, the consumers, the 
American consumers, I hope the committee will turn to 
constructive efforts to improve corporate data security 
standards across the board. And I thank you, Mr. Chairman.
    Chairman Issa. I thank the ranking member.
    Chairman Issa. Today's hearing concerns the Federal Trade 
Commission and information this committee has uncovered that 
raises some important questions. As long as I have been 
chairman, and as long as I am chairman, this committee will 
focus, as its name implies, Government Oversight and Reform 
Committee. It is not for us to look first to the private 
sector. It is not for us to issue subpoenas and target private 
sector for their beliefs, for their practices, or for the 
failures that they certainly are paying a high price for, as 
Target is and should.
    During my tenure, healthcare.gov was launched. Anyone of 
ordinary skill could have gone into the Web site, changed a few 
statements, a few of the letters in the top of the screen, 
while looking at their record, and seen somebody else's record 
at the launch. On a billion-dollar Web design, it was 
vulnerable to ordinary hacking and accidents at the time it was 
launched.
    The FTC did not sue President Obama or any of the chief 
information officers responsible for this failure. They did not 
sue the Secretary. They did not even sue the companies who 
delivered this shoddy work. Instead these were systematically, 
when discovered, corrected at taxpayers' expense. That was the 
right thing to do. When mistakes are made, when vulnerabilities 
are recognized, it's the responsibility of the entity to do its 
best to fix them.
    If the Federal Trade Commission was overseeing companies 
whose vulnerabilities are exposed, demanding that they fix it 
or face the consequences, absolutely we would say they were 
doing their job. If the Federal Trade Commission had even 
published a best practices minimum requirement for data 
security, we would be able to say that the law was clear, and 
that somebody failed to live up to those stated guidelines. But 
none of these exist. The Federal Trade Commission cannot tell 
you what is right; they only will come in and demand a consent 
decree if, in fact, you, through fault or no fault of your own, 
become a victim of hacking or a recognition of a vulnerability.
    The FTC is using its regulatory authority not to help 
protect consumers, but, in fact, to get simple consent decrees 
using the unlimited power it has to not only sue at government 
expense, but to force you before administrative law judges 
that, in fact, are part of the executive branch. Millions of 
dollars will be spent attempting to defend yourself against the 
Federal Trade Commission even if you are right. And what if 
you're wrong? What if you're wrong? What if something happened? 
What is your choice?
    Several years ago, under Chairman Waxman, I watched a 
demonstration of a vulnerability created by a third-party 
software that people were using to share music. I'm a techie. I 
was impressed. I saw that this software was downloaded by 
hundreds of thousands of people, put onto computers they owned 
or didn't own, and it created a vulnerability. It was 
deceptive--at least according to testimony, it was deceptive in 
how it did it. And our own people loaded the software and 
agreed that when you loaded it, the default would make the hard 
drive of the computer it was loaded on vulnerable in every one 
of its directories, when, in fact, you were really only 
attempting to make your music directory available for sharing.
    In both public and private systems around the country, this 
software was downloaded and created what people thought was a 
peer-to-peer music sharing, and, in fact, created a 
vulnerability in which people could look at what was on your 
hard drive.
    We were aghast. We thanked our witnesses for making us 
aware of it, and we committed ourselves to stop the deceptive 
practice of this software company, something over which the FTC 
had authority and should have acted.
    But, in fact, what we are finding is that what we were told 
was only a part of the story. When information does--the 
question today is how is the FTC using that regulatory 
authority, and are they doing their job? Are they targeting the 
culprit or the victim? What information does the agency 
consider to be a reliable basis to embark?
    Mr. Lynch. Mr. Chairman, could I ask you why the clock is 
not running on any of this?
    Chairman Issa. We didn't stop the ranking member from going 
as long as he wanted, well over the time. That's the practice 
of the committee. I thank you.
    Mr. Lynch. That's a good answer. Thank you.
    Chairman Issa. What information does the agency consider to 
be a reliable basis to embark on often erroneous inquisitions, 
in the chairman's opinion, into the activities of American 
companies?
    The committee held two hearings in the past, as I 
mentioned, one in 2007 and another in 2009, about the potential 
for individuals using peer-to-peer file-sharing programs to 
inadvertently share sensitive or otherwise confidential 
information. The key witness in both of these hearings was Mr. 
Robert Boback, the CEO of a cyber intelligence firm, Tiversa, 
Incorporated. That CEO outlined numerous data breaches that 
deeply troubled members of the committee.
    Mr. Boback specifically spoke about an Open Door Clinic, a 
nonprofit AIDS clinic in Chicago's suburbs in 2009. He said, 
``These are AIDS victims, 184 patients, who are now victims of 
identity theft. The clinic released their information and has 
not addressed it.'' But the Open Door Clinic has told us they 
have no information of any of their patients having had their 
identities stolen. We do not know why Mr. Boback made the claim 
to this committee previously, and we will hear that today.
    Earlier this year this committee became aware, on a 
bipartisan basis, of serious accusations that Tiversa engaged 
in a business model that was not focused on protecting 
consumers alone, but obtaining what we would say effectively is 
a new form of protection payments from businesses. As is often 
the case with protection payment demands, many businesses that 
did not pay up faced serious consequences.
    Here's how it worked. Tiversa would contact a company or 
organization and tell them that they had engaged in a practice 
that left customers' data vulnerable. Tiversa would offer to 
sell the company or organization remediation services. Many 
companies took their services and paid, at least for a while. 
Others refused and found themselves turned over to the Federal 
Trade Commission.
    The cost and concerns created by an FTC investigation can 
be immense, particularly to a small business that in many cases 
were the ones that Tiversa focused on. But this isn't just 
about allegations of unethical corporate behavior. The 
committee has asked the Federal Trade Commission to provide us 
with evidence that it independently verified information 
provided by Tiversa about businesses before pursuing action. As 
the ranking member said, it's been a short time, but having 
engaged in suits, received consent decrees, and litigated for 
years, we expected that the Federal Trade Commission would be 
able to give us at least a few examples of independent 
confirmation immediately. We are still waiting for the FTC to 
show us such evidence. We look forward to it. And as I will say 
again, we look forward to hearing from the FTC in the future 
directly.
    It's one thing for a company like Tiversa to report all of 
its concerns about consumer data breaches to appropriate 
authorities. It's quite another when enforcement authorities 
are selectively used, through a special relationship, to punish 
firms who refuse to pay for those services.
    The committee has reason to believe that information 
provided by Tiversa on which the FTC relied was inaccurate. Two 
of our witnesses this morning were approached by Tiversa and 
the FTC regarding data breaches. Tiversa provided information 
that alleged data breaches in these organizations to--about 
these breaches in these organizations to the FTC only after 
they refused to sign up for Tiversa's services.
    Mr. Daugherty, the CEO of LabMD, according to my opening 
statement, has been to hell and back. I don't think he's gotten 
back yet. In fact, his fight with the FTC has gone on for 
years. The Commission wanted him to acquiesce to a consent 
decree admitting that he did not take proper precautions to 
avoid data breaches.
    Given that Mr. Daugherty did not believe the allegations 
against him were true or fair, he fought back, and he did so at 
great personal expense. His specialized cancer-screening 
company is now effectively nonexistent.
    I will let Mr. Roesler explain his experience with Tiversa 
and the tribulations he experienced thereafter, but I 
especially want to thank him for being here today. Mr. Roesler 
runs, as previously mentioned, a nonprofit AIDS clinic near 
Chicago, Illinois, and has taken time away from his important 
work and agreed to join us this morning because of how 
important he believes it is to tell his story.
    I also want to thank Mr. Stegmaier for appearing this 
morning. He will be providing invaluable testimony about the 
FTC's actions as they relate to going after companies that are 
alleged to have unfair, deceptive trade practices.
    Today's hearing is an opportunity to hear from alleged 
victims of these arrangements made between Tiversa and the 
Federal Trade Commission. Neither the FTC nor Tiversa are here 
today, but I do expect to have both of them here at a future 
date to respond to the concerns and allegations that I expect 
we will hear today.
    Today's hearing is the result of a whistleblower who at 
great personal expense came to this committee. This committee 
is grateful to all the brave individuals who come forward to 
provide information as whistleblowers. It is only through 
whistleblowers that we see an exposure of wrongdoing by the 
government as well as private companies. Whistleblowers are not 
always without responsibility. Whistleblowers may, in fact, 
know what they know because for a time they participated in the 
wrongdoing. Nevertheless, whistleblowers are invaluable. When 
someone's conscience, whether they were involved or not, brings 
them forward, they should never be the target of this 
committee.
    This whistleblower gave us a proffer, seeking immunity only 
for what he was to testify to that he had done on behalf of 
Tiversa. He detailed for this committee information that was 
invaluable to our ongoing--to our investigation, which is only 
ongoing because of his coming forward.
    At a point in the future, I expect this committee will need 
to schedule a vote on granting immunity for this whistleblower. 
To date, we have not been able to convince the minority to 
consider immunity for this whistleblower. Instead, at every 
turn the minority has chosen to seek accusations against the 
whistleblower; against his personal wrongdoing, his personal 
misconduct, his personal life. But, in fact, to our knowledge, 
no evidence has come forward that would in any way dispute the 
accuracy of the detailed story that he told.
    For those Members here on both sides of the aisle, if you 
have not already seen his video proffer of how he participated 
in the activity, I ask you to schedule time, Members only, to 
see this proffer, because as we consider immunity, it is 
important that you understand the nature and detail of the 
evidence and accusations brought by this whistleblower.
    I make no credible statement as to a whistleblower's 
authenticity. What I can say in this case is without the 
whistleblower, we would not be having this hearing today. And 
if the whistleblower is guilty of a crime, the crime had to be 
committed by others that he is accusing. There can be no crime 
if, in fact, he is not telling the truth. And if he is telling 
the truth, he participated in a deception that affected both 
the Federal Trade Commission and the United States Congress.
    I would ask all Members, please, take time out of your busy 
schedule to view the proffer. It is detailed, it takes nearly 
an hour, but it will lead, I believe, to the kind of 
recognition that you cannot see here today in an open hearing.
    Chairman Issa. It is now my honor to welcome our witnesses. 
Mr. Michael Daugherty is the chief executive officer of LabMD. 
Mr. David Roesler is executive director of Open Door Clinic in 
Illinois. Mr. Gregory Stegmaier is a partner at Goodwin Procter 
in D.C., in Washington, D.C. And Mr. Woodrow N. Hartzog is an 
associate professor at the Cumberland School of Law at Samford 
University.
    Gentlemen, pursuant to the committee rules, would you 
please rise to take the oath and raise your right hand?
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Please be seated.
    Let the record indicate that all witnesses answered in the 
affirmative.
    For our first two witnesses in particular, you are here to 
tell your story. I know testimony is new to you. We have a 5-
minute rule. Your entire opening statements as prepared will be 
placed in the record. But I understand that you may go over 
slightly. We are not going to hold you exactly to 5 minutes, 
but to the greatest extent possible, try to stay within the 5 
minutes, which will help us ask you more questions in follow-up 
dialogue.
    Mr. Daugherty.

                       WITNESS STATEMENTS

                 STATEMENT OF MICHAEL DAUGHERTY

    Mr. Daugherty. Thank you.
    Good morning, Chairman Issa, Ranking Member Cummings, and 
members of the committee. My name is Michael Daugherty, and I 
am the president and CEO of LabMD, a cancer-detection 
laboratory based in Atlanta, Georgia. We were a private company 
that I founded in 1996, a small medical facility that at its 
peak employed approximately 40 medical professionals who 
touched nearly 1 million lives. Thank you for the opportunity 
to speak to you as a small businessman and medical professional 
about my experience and opinion at the hands of the Federal 
Trade Commission.
    What happened to my company, its employees, physicians, and 
their patients is what springs from the FTC's unsupervised 
playbook, and that playbook relies upon coercive and 
extortionist strategies to make large and small companies alike 
quickly succumb to FTC demands.
    In May 2008, our nightmare began with a call that could 
happen to any American. It was from Robert Boback, the CEO of 
Tiversa. And in the words of former FTC Commissioner Rosch, 
Tiversa is more than an ordinary witness, informant, or 
whistleblower. It is a commercial entity that has a financial 
interest in intentionally exposing and capturing sensitive 
files on computer networks.
    Mr. Boback told LabMD that Tiversa had found LabMD patient 
data on the Internet, but refused to tell us more unless we 
paid and retained them. Everyone in medicine knows you cannot 
go out intentionally looking for vulnerable medical files so 
you can take them, read them, keep them, distribute them. This 
is probably a crime, but it's definitely vigilante behavior, 
and it's outrageous.
    In January of 2010, Alain Sheer, an attorney with the FTC, 
contacted LabMD with an 11-page, single-spaced letter opening a 
nonpublic inquiry. We responded by sending in nearly 10,000 
pages of documents, and we invited the FTC to come to Atlanta 
to see our facility, to tell us what to do differently, to tell 
us what their standards were. The FTC declined. We quickly 
discovered that until told otherwise by the courts or Congress, 
the FTC presumes to have jurisdiction to investigate any 
company or person.
    When we asked the FTC where they were going with this, they 
would obscurely mention consent decrees, and we learned that 
FTC consent decrees actually are this: You sign up for 20 years 
of audits, you enter the FTC ``hall of shame'' via craftily 
worded press releases and half-truth congressional testimony. 
The fact that you have not been found any wrongdoing stays 
buried deep in the fine print. And the threat of being tied up 
for years in court and drained financially is their gun to the 
head to extract false confessions.
    In August 2010, I had to find out what was going on here, 
because something felt odd and wrong. And I learned that 
Homeland Security gave $24 million to Dartmouth to partially 
fund their data hemorrhage study. And Dartmouth stated that it 
got the LabMD file by using Tiversa's unique and powerful 
technology.
    Tiversa put out a press release in May 2009 I found, which 
in part stated, Tiversa--this is their words--``Tiversa today 
announced the findings of new research that revealed 13 million 
breached files emanating from over 4 million sources. Tiversa's 
patent-pending technology monitors over 450 million users, 
issuing 1.5 billion searches per day. Over a 2-week period, 
Dartmouth College researchers and Tiversa searched file-sharing 
networks and discovered a treasure trove, a spreadsheet from an 
AIDS clinic with 232 client names; a 1,718-page document from a 
medical testing laboratory. And requiring no software or 
hardware, Tiversa detects, locates, and identifies exposed 
files in real time.''
    What does Tiversa want you to think ``exposed'' means? Out 
of 13 million files found by Tiversa, how odd is it that the 2 
mentioned in their press release are sitting at this table 
today?
    I was stunned that nobody was asking who this private 
company was who was stockpiling other people's sensitive 
information. What gave them the right to assume ownership?
    September 2013 to April 2014, the FTC pursued litigation 
against LabMD via their optional administrative process rather 
than in Federal court. FTC Commissioner Wright said this 
process provides the FTC with institutional and procedural 
advantages. This is lawyerspeak for the FTC stacks the deck way 
in favor via rules Congress allows them to make. They admit 
hearsay that would never fly in Federal court, which is why we 
aren't in Federal court. Federal courts won't intervene because 
Congress says they can't.
    When asked about the FTC data security standards, Alain 
Sheer said, ``There is nothing out there for a company to look 
at. There is no rulemaking. No rules have been issued.'' Yet 
even without any standards, they show others what happens if 
you push back. They subpoenaed approximately 40 different 
individuals from my company, long-gone LabMD employees that 
left the company up to 7 years before, current staff, managers, 
outside physicians, vendors. These witnesses were forced to 
retain counsel and were intimidated and scared. Here is the 
message to all that are watching from the FTC: This is FTC 
justice, and this is going to happen to you if you don't play 
along.
    And then the penny dropped. During the trial, a former 
Tiversa employee who was to testify regarding Tiversa's 
acquisition of LabMD data and subsequent submission of the data 
to the FTC invoked his Fifth Amendment right against self-
incrimination.
    All Americans should be outraged by the FTC's unchecked 
ability to pursue a claim that is not based on any legal 
standard; outraged that the FTC's administrative proceedings do 
not afford the same guarantees of due process that our Federal 
courts provide; and outraged with the FTC's use of, and 
reliance upon, information from a private for-profit entity. If 
this has happened to LabMD, a small medical facility, a cancer-
detection center, this can happen to anyone.
    This does nothing to help Americans adapt to the constantly 
changing cybersecurity landscape. We are not mind readers; we 
are law-abiding citizens. I call on the FTC to stop attacking 
victims of crimes. And I thank the committee for its time and 
attention to this matter.
    Chairman Issa. Thank you.
    
    [Prepared statement of Mr. Daugherty follows:]
    Chairman Issa. Mr. Roesler.
    I'm sorry, you're finished, right?
    Mr. Daugherty. Oh, yeah.
    Chairman Issa. Thank you.
    Mr. Roesler.

                   STATEMENT OF DAVID ROESLER

    Mr. Roesler. Good morning, committee members. My name is 
David Roesler. I am and have been the executive director of 
Open Door Clinic in Elgin, Illinois, the far western suburbs of 
Chicago, for the past 15 years. I am appearing today in 
response to an invitation to testify on behalf of Open Door 
regarding its involvement with the FTC and a company called 
Tiversa.
    Between September of 2008 and March of 2013, Open Door was 
involved in a class-action lawsuit due to a file that was found 
on the Internet that contained names, some with Social Security 
numbers, some with addresses, some with birth dates.
    Open Door is a small, not-for-profit AIDS organization. 
Currently we have about 30 employees. We had about 15 during 
this time. We provide medical care, support services for our 
clients.
    In July of 2008, a company called Tiversa contacted Open 
Door and said that they had had access to a confidential 
document obtained from a P2P network on the Internet. 
Communications with Tiversa included a contract for services. 
The suggested fees for the contract were $475 an hour. We 
contacted our IT service provider, who researched our network; 
found no evidence of any P2P networks at that time.
    In September of 2009, Tiversa contacted Open Door again to 
report that documents were still available on the P2P software. 
Open Door's IT provider once again reviewed its network to 
confirm that there was no evidence of any P2P software at that 
time.
    Two months after that, in November of 2009, clients began 
calling their case managers at the clinic, reporting that they 
were receiving phone calls from a law firm asking them to join 
a class-action lawsuit because their information had been 
released by Open Door. At Open Door's November board meeting, 
shortly after the clients started calling, one of the board 
members is a client. He brought in a letter that he got in the 
mail, also from this out-of-State law firm, telling them that 
they had their information out on the Internet, and would they 
join a class-action lawsuit.
    Then in January of 2010, we received a letter from the FTC. 
The letter indicated that they had found a file on a peer-to-
peer network, and it had a different title than the document 
that had been reported found by Tiversa.
    Also in January that same month, in 2010, Open Door was 
successful at getting a law firm to provide us some pro bono 
work to help us understand what our compliance and 
responsibilities were. Open Door and its IT provider once again 
reviewed our network, all of our workstations to confirm that 
there was no P2P software at that time.
    In February, a month later, February of 2010, a class-
action lawsuit was filed in Kane County against Open Door. 
Sensational newspaper headlines; numerous media outlets began 
showing up at our door. And 3 years later Open Door's 
settlement agreement was approved by the court, dismissing the 
class action. Open Door and its insurers agreed to these 
motions.
    Open Door denied, and continues to deny, any legal 
responsibility for the disclosure. Had the case been tried, we 
would have expected to prevail, but because of the 
uncertainties, the expense of litigation, Open Door and its 
insurers agreed to terminate this litigation under these terms.
    Thank you for letting me tell my story.
    
    Chairman Issa. Thank you.
    [Prepared statement of Mr. Roesler follows:]
    Chairman Issa. Mr. Stegmaier.

                STATEMENT OF GERARD M. STEGMAIER

    Mr. Stegmaier. Mr. Chairman Issa, Ranking Member Cummings, 
members of the subcommittee, my name is Gerry Stegmaier, and 
I'm pleased to be here today to discuss the Federal Trade 
Commission's data security enforcement activities under Section 
5 of the FTC Act. The views I express are my own, not of our 
clients or of our firm.
    I'm a partner at Goodwin Procter LLP, and an adjunct 
professor at George Mason University School of Law, where I've 
taught privacy, consumer protection, and constitutional law 
courses for the last 13 years. I regularly appear before the 
Federal Trade Commission, State attorneys general, and assist 
businesses with all aspects of their privacy and information 
governance concerns. I appreciate the opportunity to appear 
before you today.
    In 2013, there were 63,437 reported security incidents, and 
1,367 confirmed data breaches. That is not a number reporting 
the number of accessible information, which is one of the 
things that Mike spoke about. According to Verizon's 2014 data 
breach investigation report, 44 million data records across the 
globe have been exposed.
    Companies are aware of the need for data security, and have 
taken steps to be more secure. Data security is important to 
consumers, the economy, and business, but equally important is 
the basic constitutional principle that people have a right to 
know what the law expects of them before we prosecute them.
    I think a simple analogy helps illustrate this in practice. 
When we want people to regulate how fast they drive their cars, 
we post speed limit signs. If you violate that posted limit, 
and the sign has been there for more than 60 days, you will 
likely receive a citation. The law calls this fair notice, and 
the Constitution protects us from government overreach with it. 
It is the shield that protects us from the deference that 
agencies receive.
    While this analogy may not be a good one, it's important to 
note that it represents the feelings of many organizations that 
confront FTC enforcement actions relating to data security.
    The agency has offered no formal rulemakings or 
adjudications related to data security, and the FTC appears to 
regulate data security primarily through complaints and consent 
orders, as we've heard. Neither the complaints nor the consent 
orders are binding, reliable precedent. They are 
nonprecedential. Some might call this stop-and-frisk black box 
justice.
    FTC complaints and consent orders are inconsistent and 
often lack critical information. For example, it is often 
unclear whether implementing some or all of the measures in a 
given order would result in fair data security, or even serve 
to avoid future enforcement actions had the underlying company 
admitted them in the first instance or practiced them.
    The FTC's often repeated position is that security 
standards can't be enforced in an industry-specific, case-by-
case manner without more guidance provides little comfort to 
those appearing before the agency. Because the FTC decides on 
an individual and postinfraction basis whether a company is 
noncompliant, the risk of enforcement actions is unimaginable 
and unpredictable, as we have heard. The penalties that may 
result from noncompliance are potentially ruinous. Combined 
with ambiguity of the law, unnecessary compliance risks for 
regulated entities has created a situation ripe for overreach, 
unfairness, and an uneven application of the law.
    The FTC's existing enforcement and guidance practices also 
pose serious due process concerns relating to fair notice of 
the law's requirements. Current enforcement environment 
consists of aggressive enforcement against the victims of 
third-party criminal hacking who operate in a realm without 
clear and unmistakable data security law. Improved 
authoritative--and I emphasize authoritative--interpretations 
of Section 5 by the agency and the courts are crucial to 
improve compliance and provide entities with sufficient 
information to understand how to respond.
    Let me be clear. The FTC has the means to more clearly 
define the law and provide useful, reliable guidance. The 
existing tools are there. Sadly, there's plenty of room for 
improvement with the use of these existing tools, and 
improvements are essential to clarify the underlying 
uncertainty, which we have heard about, and, more importantly, 
to address the constitutional issue of fair notice and due 
process.
    The current reasonableness test, absent additional 
flexible, principles-based authoritative guidelines or court-
resolved litigation, will do little or nothing to clarify the 
data security obligations of companies. Using the standards 
reasonable and appropriate without articulating such factors as 
the nature of business, the kind of information collected, or 
any other factors that may come into play may not ensure that 
fair notice occurs.
    In essence, we tell our clients do what you say and say 
what you do. We need to hear from the agency what they're doing 
and what they're saying so that the people who are subject to 
prosecution can understand how to respond and how to behave in 
the first instance.
    The FTC itself has not consistently defined what sensitive 
information is, and without clarification, the agency's 
enforcement will continue to be perceived as arbitrary, and we 
will lack an understanding of reasonableness.
    I thank you for your time and attention. I'm pleased to 
answer any questions you might have.
    Chairman Issa. Thank you.
    [Prepared statement of Mr. Stegmaier follows:]
    Chairman Issa. Mr. Hartzog.

                  STATEMENT OF WOODROW HARTZOG

    Mr. Hartzog. Chairman Issa, Ranking Member Cummings, and 
members of the committee, thank you very much for inviting me 
to provide testimony today. My name is Woodrow Hartzog, and I'm 
an associate professor at Samford University's Cumberland 
School of Law and affiliate scholar at the Center for Internet 
and Society at Stanford Law School. I am testifying today in my 
personal academic capacity, and not on behalf of any entity.
    For the past 2 years, my coauthor, Daniel Solove, and I 
have researched the Federal Trade Commission's regulation of 
privacy and data security breaches, which I will collectively 
call data protection. We have analyzed all 170-plus FTC data 
protection complaints to find trends and understand what the 
FTC's data protection jurisprudence actually tells us. I would 
like to make two main points regarding what I've learned about 
the FTC's regulation in this area.
    First, the FTC's regulation of privacy and data security 
under Section 5 has served a vital role in the U.S. system of 
data protection. The FTC's involvement has given a heavily 
self-regulatory system of data protection necessary legitimacy 
and heft. The FTC also fills significant gaps left by the 
patchwork of statutes, torts, and contracts that make up the 
U.S. data protection scheme.
    The FTC's regulation of data protection also helps foster 
consumers' trust in companies. It is very difficult for 
consumers to determine whether a company has reasonable data 
security practices or not. The FTC's regulation of data 
protection helps give consumers confidence that their personal 
information will be safe and properly used.
    The second point that I would like to make is that the 
overwhelming pattern that is apparent from the FTC's data 
protection jurisprudence is that the agency has acted 
judiciously and consistently in outlining the contours of 
impermissible data protection practices. Section 5 of the 
Federal Trade Commission Act generally prohibits unfair or 
deceptive trade practices. This is an intentionally broad grant 
of authority. Congress explicitly recognized the impossibility 
of drafting a complete list of unfair, deceptive trade 
practices. Any such list is destined to be quickly outdated or 
easily circumvented.
    Despite this broad grant of authority, the FTC actually 
brings relatively few data security complaints, especially 
compared to the total number of reported data breaches. The 
Privacy Rights Clearinghouse has reported that since 2005, 
there have been over 4,300 data breaches made public, with a 
total of 868 million records breached. Yet the FTC has filed 
only 55 total data security-related complaints, averaging 
around 5 complaints a year since 2008. Instead of attempting to 
resolve all of the data breaches, the FTC typically pursues 
only what it considers to be the most egregious data security 
practices.
    The FTC has used a reasonableness standard to determine 
what constitutes an unfair, deceptive data security practice. 
What constitutes reasonableness is determined virtually 
entirely by industry standard practices, and is contingent upon 
the sensitivity and volume of data, the size and complexity of 
a company, and the costs of improving security and reducing 
vulnerabilities. This deference to industry keeps the FTC from 
creating arbitrary and inconsistent data rules.
    The FTC does not pull rules out of thin air. Rather, it 
looks to the data security field and industry to determine fair 
and reasonable practices. Virtually all data security 
regulatory regimes which use a reasonableness approach, of 
which there are many, not just the FTC, have four central 
requirements in common: identification of assets and risks; 
data-minimization procedures; administrative, technical and 
physical safeguards; and data breach response plans. The 
details of these requirements are filled in by industry 
frameworks, accessible resources online, and a vast network of 
privacy professionals and technologists dedicated to helping 
companies of all sizes understand their data protection 
obligations.
    Of course there is always room for improvement with any 
regulatory agency, but diminishing FTC power will probably not 
ultimately make the climate easier for business. In fact, given 
the vital importance of data protection in commerce, a 
reduction in FTC authority would likely result in the passage 
of more restrictive and possibly conflicting State laws 
regarding data security, more actions by State attorneys 
general, more lawsuits from private litigants, and more clashes 
with the European Union over the legitimacy of U.S. privacy 
law. In the long run, a weakened FTC would likely result in a 
more complicated and less industry-friendly regulatory 
environment.
    Data protection is a complex and dynamic area for 
consumers, companies, and regulators. Section 5 enables the FTC 
to be adaptive and serve as a stabilizing force for consumers 
and companies. Thank you very much.
    Chairman Issa. Thank you.
    [Prepared statement of Mr. Hartzog follows:]
    Chairman Issa. I will now recognize myself for a round of 
questioning.
    Mr. Daugherty, there was an allegation by Tiversa that 
there was a data breach. Have you seen ever any indication, 
collateral indication, that that breach went to third parties 
that resulted in any use of the identity information? Any?
    Mr. Daugherty. Thank you, Chairman Issa.
    As a matter of fact, no, sir, we have not.
    Chairman Issa. Okay. Mr. Roesler, same thing. You put up 
with years of a lawsuit. Did any of the complainants have any 
demonstrated information that their identifiable information 
had actually gone somewhere, or just that there was a 
vulnerability?
    Mr. Roesler. To my knowledge, there is none.
    Chairman Issa. Now, if there was a breach, meaning it was 
taken--you had what was it, 184 records that were alleged? Mr. 
Daugherty, you had thousands?
    Mr. Daugherty. Correct. Nine thousand.
    Chairman Issa. I've heard an expression that I'd like to 
see if you all agree with. If you have thousands of records, 
whether it is 184 in your case or many, many thousands, if they 
have actually gone out to third parties somewhere, they've, in 
other words, mined them, doesn't it defy gravity that none of 
them have led to any use of that information in either of your 
cases?
    Mr. Daugherty. Yes, Chairman Issa, I would agree with that.
    Chairman Issa. Okay. So I'm not a student of statistics, 
but I had to take it in college. I certainly agree.
    So the allegation that you're facing is that you had a 
vulnerability, not an actual breach in reality, because a 
breach would demonstrate some use. What they really said was, 
Mr. Roesler, you didn't protect your site, you didn't have a 
good enough lock on your site; is that correct?
    Mr. Roesler. I believe so, yes.
    Chairman Issa. Mr. Daugherty, same thing. Your lock wasn't 
good enough.
    Mr. Daugherty. That's correct, sir.
    Chairman Issa. Now, the American people may not understand 
cybersecurity at this point, but they understand the padlock on 
their front door, their garage door opener. And I just want to 
put it in perspective for a moment.
    Ninety percent of the garage door openers made before the 
year 2000, a product that simply takes the chip and 
sequentially goes through the combinations, will open every one 
of those garage doors. Before 2000, the vast majority of garage 
doors, simply you had to go through anywhere from 250 to a few 
thousand combinations, and eventually your garage door would 
open. People haven't gone back and changed their garage doors. 
Unless you have a Medeco key or a number of other very high-
security keys, if you have a typical key, it can be picked by 
any locksmith.
    So are these people leaving a vulnerability? Maybe yes, 
maybe no. But I want to put it in perspective for both of you.
    The allegation, as I understand it from previous testimony 
before this committee, is effectively one of your employees may 
have installed a program that was sort of the equivalent of 
putting a little bit of bubble gum in the door latch so that 
the door didn't really lock, and there was a vulnerability. In 
both cases, as far as I understand, there was no allegation 
that you instructed the employee to do it, or that you did it, 
or that it was done with your knowledge. And, Mr. Roesler, I 
understand in your case you never found the alleged peer-to-
peer; is that correct?
    Mr. Roesler. That's correct. And I don't know that the 
allegations were ever about an employee. Simply that a file 
that Open Door had created had gotten out.
    Chairman Issa. Right. But a file that was never found 
except in the hands of Tiversa.
    Mr. Daugherty. Same. As a matter of fact, if you look at 
the FTC's press release announcing the litigation, they never 
used the word ``breach.'' That's correct, sir.
    Chairman Issa. So we're not talking about a loss of data, 
we're talking about the vulnerability, the same vulnerability 
that every time a notebook like this or a computer notebook 
walks out of a government office with personal information on 
it, like it did in the case of the famous VA one where somebody 
simply left their notebook, and a million veterans' 
identifiable information was there, it's a vulnerability. If it 
actually occurs, it occurs because of a human failure in most 
cases, not because of an inherent system failure.
    Mr. Daugherty, you were running a dotcom. Did you have 
professional advice and counsel, and did you buy software to 
protect against this type of thing?
    Mr. Daugherty. We ran a medical laboratory.
    Chairman Issa. But, I mean, you had an online presence.
    Mr. Daugherty. We had an online presence.
    Chairman Issa. Mr. Roesler, same thing. From your 
testimony, you engaged professional outside people to give you 
security.
    Mr. Roesler. That's correct.
    Chairman Issa. So you used what you would consider and 
still consider to be maybe not best practices, but the best 
practices you knew of and could afford, right?
    Mr. Roesler. Yes.
    Chairman Issa. We were told under oath by Mr. Boback twice 
that, in fact, deceptive software was what they went out 
looking for and found these breaches. And I just want to close 
by asking just one question.
    Mr. Roesler--and I keep mispronouncing it.
    Mr. Roesler. It's Roesler.
    Chairman Issa. Roesler. Mr. Roesler, in your case you had a 
kind of a unique thing that I want to make sure you get a 
chance to explain to us. A company, Tiversa, in Pittsburgh, 
more or less, contacts you. Coincidentally a plaintiff's law 
firm in Pittsburgh, Pennsylvania, as I understand it, forms a 
class-action lawsuit and goes after you, and has the 
information to contact those very people who they told you you 
had this breach. So the law firm has the name of all your 
clients; is that right?
    Mr. Roesler. That's exactly right.
    Chairman Issa. And they didn't get it from you. So in your 
case you do have a breach. You know that somebody clandestinely 
got your clients', your AIDS patients' information, gave it to 
a law firm who then used it--and I ask unanimous consent that 
the sample--we'll get it here in a second--letter that that law 
firm sent out to every one of your patients--this is called 
Serrano and Associates--and it says right on the bottom, this 
is a solicitation to provide legal services. And is this a copy 
for the ranking member? I'll give a copy to the ranking member. 
You have seen that solicitation?
    Mr. Roesler. Indeed.
    Chairman Issa. So I just want to make sure for the record 
that both sides understand. Tiversa contacts you and says 
there's been a vulnerability, offers you to sell you the 
services for nearly $500 an hour. You turn them down after 
talking to your professionals, find no vulnerability. But then 
a law firm has the very information they were talking about, 
which obviously was gleaned somewhere, and probably off of your 
servers or your drives. They--then it gets somehow to a law 
firm, coincidentally in Pittsburgh, who then goes about 
creating a plaintiff's--a class-action suit, contacts your 
patients, who in no other way were contacted except by this law 
firm, and proceeds to sue you for years.
    Mr. Roesler. That is my perspective.
    Chairman Issa. Okay. I now recognize the ranking member.
    Mr. Cummings. Mr. Chairman, to indulge us before I ask my 
questions, I would ask for just 1 minute to clarify a point for 
the record with unanimous consent with regard to some 
statements you made in your opening statement. May I?
    Chairman Issa. Go ahead.
    Mr. Cummings. Thank you very much.
    The chairman made some points in his opening statement 
about the potential immunity for a witness, and I take this 
moment because, Mr. Chairman, everybody on both sides of the 
aisle care tremendously about whistleblowers. There is not one 
person on this, Republican or Democrat, and our record has 
shown that.
    You said that the Democrats have been unwilling to consider 
immunity. That's not accurate. We have said consistently and 
repeatedly that we are willing to consider immunity. We 
participated in the proffer. We viewed the video, as well as 
many documents. At this stage the committee has not identified 
evidence that would substantiate or corroborate the allegations 
of this witness against other individuals.
    The chairman also said that we have sought out negative 
information about this witness in an effort to discredit him. 
That's not true. The information came to us from the CEO of 
Tiversa's attorney about criminal activity. Once we found out 
about that, we wanted to know more about it. I mean, that's 
just logical.
    Chairman Issa. I thank the ranking member, and I would say 
that this is perhaps outside the scope of this hearing. I would 
also note----
    Mr. Cummings. But you just made these allegations against 
us. It's in the scope of the hearing because you put it in 
there.
    Chairman Issa. You asked unanimous consent. I granted it. 
The fact is that my opinion in the opening statement will 
stand.
    I will say for the record, since you just said it, too, the 
fact is your committee members have refused--even sitting here 
in the House of Representatives, even inside a building with 
total security, they have refused to meet with the 
whistleblower, claiming that based on the allegations of Mr. 
Boback and his attorney, that they are too afraid to, men and 
women. So quite frankly, you can have your opinion--you can 
have your opinion, Mr. Ranking Member, I will have mine.
    Mr. Cummings. Very well. I will continue my 5 minutes then.
    Chairman Issa. I will start your 5 minutes over in a 
moment.
    Mr. Cummings. Okay.
    Chairman Issa. I have invited in my opening statement, and 
with indulgence of the witnesses, all Members to look at the 
video proffer, and all members of this committee to have access 
directly to the whistleblower for purposes of continuing the 
proffer.
    I made it clear in my opening statement--and I will 
reiterate it because I think the ranking member's point is 
good--serious allegations about the personal life of the 
witness have come forward. But, again, as I said in my opening 
statement, allegations do not go to the direct claims of the 
whistleblower as to the facts that he said in his proffer had 
occurred.
    So is the whistleblower claiming he did no wrong? Just the 
opposite. The whistleblower has come forward with a proffer, 
because, in fact, if he makes that testimony, he will do so at 
the risk of prosecution. The whistleblower has already taken 
the Fifth in another venue, and, as a result, qualifies for the 
question.
    Now, in the Lois Lerner case, Mr. Cummings, we had a 
witness who you kept saying you wanted immunity for, but she 
only said she was innocent. In this case we have an 
individual----
    Mr. Cummings. There you go again.
    Chairman Issa. This individual, this individual came 
forward and said wrongdoing occurred. It has led to today's 
hearing. And I simply, in my opening, asked all Members to take 
the time to look at the information individually, because I do 
believe that to get a full understanding and cross-dialogue--
because everything that is brought out by our whistleblower is 
subject to, in fact, credibility check as to the facts 
brought--but that dialogue will not be possible unless the 
whistleblower is granted the limited immunity as to exactly 
what, and only what, he came forward with as allegations 
against Tiversa, and, as a result, the FTC and perhaps false 
statements made before this committee.
    It is a serious claim, I take it seriously, and I ask all 
Members to individually look at it. Mr. Cummings, most Members 
have never seen any of it, and that's why I was making it 
available today in open hearing to look at it and make their 
own decisions.
    And I thank the gentleman. Please restore his time to 5 
minutes.
    Mr. Cummings. Thank you, Mr. Chairman.
    The chairman also said we had sought out negative 
information about this witness in an effort to discredit him. 
That is not true. The witness has engaged in numerous criminal 
activities that go to credibility, and he failed to disclose to 
the committee during his proffer, he failed to disclose them. 
And some of these activities were occurring at the same time 
that we were speaking with the--that he was speaking with the 
committee.
    Generally, I believe the committee should grant immunity to 
witnesses who have admitted to engaging in criminal conduct 
only in rare circumstances when those witnesses provide 
concrete evidence of criminal activity by others. I appreciate 
the goal of rewarding whistleblowers who come forward 
voluntarily to identify waste, fraud, and abuse, and we have a 
record of that. But I do not believe that immunity is a proper 
reward when individuals provide evidence relating only to their 
own wrongdoing.
    Although we remain open--and I say, I want to be clear--
although we remain open to considering immunity should 
additional evidence emerge, we cannot responsibly support 
immunity at this time.
    Now, according to the Republican memo for today's hearing, 
one of the main topics is, ``whether the FTC has the authority 
to pursue data-security enforcement actions under its current 
Section 5 authority.'' So let's ask our witnesses.
    Mr. Stegmaier, you have written extensively on this topic. 
In one article, you wrote, ``The agency is the Federal 
Government's largest consumer protection agency. The Commission 
routinely investigates publicly reported data-related incidents 
with the threat of subsequent litigation. Since 2000, the FTC 
has brought 42 data-security cases.''
    Mr. Stegmaier, with respect to the hearing question today, 
I take it from your writings that you agree that the FTC has 
the authority to bring enforcement actions under Section 5 to 
protect the data security of consumers; is that right?
    Mr. Stegmaier. Mr. Cummings, thank you. That is actually a 
really great question, and I appreciate the way that you have 
presented it.
    At the outset, let me just note that I come before the 
committee today with the understanding that the committee 
sought my expertise and understanding specifically about fair 
notice and due process concerns.
    Whether or not the agency has jurisdiction is actually, 
ironically, something that Congress has given the agency 
incredible deference to determine in and on its own, and it's 
actually subject to a number of pending lawsuits and 
litigation.
    So the answer to your question, I think, is that the agency 
absolutely believes that it has such jurisdiction, but that 
answer to that question hasn't been definitively resolved. And, 
historically, under caselaw, the agency would receive such 
deference.
    But my focus is more on whether or not people who are going 
to be subject to that deference, whatever the ultimate outcome 
may be, have fair notice about what the law requires of them.
    Mr. Cummings. Mr. Hartzog, you have also written 
extensively on the FTC's work on data security, so let me ask 
your expert opinion. Does the FTC have the authority to bring 
data-security actions under Section 5?
    And one of the things that we should all be concerned about 
is a chilling effect. And I just wanted you to respond to that.
    Mr. Hartzog. Sure. I think that, yes, the FTC does have the 
authority under Section 5 to regulate data-security practices. 
If you look at the plain wording of Section 5, it is 
intentionally quite broad. There are limitations, so, you know, 
there are limits as to what constitutes an unfair practice and 
a deceptive trade practice. But, certainly, you know, given the 
heft of both the opinion, the recent opinion, in the Wyndham 
decision and the FTC's practice generally in the way that we 
interpret statutes, the FTC has the authority to regulate data 
security.
    With respect to chilling effects, I think that the FTC has 
proceeded in a pretty judicious and conservative manner with 
respect to the regulation of data security, and so it is not 
like there has been a dramatic lurch forward. As a matter of 
fact, they have been inching along through several different 
Presidential administrations basically along the exact same 
course with no appreciable difference. And so I think that the 
body of jurisprudence is actually sound in that regard.
    Mr. Cummings. Professor, can you describe why it is 
important for the FTC to exercise its authority over data-
security breaches?
    Mr. Hartzog. Sure. There are several reasons. One is it 
gives the U.S. system of data protection legitimacy and heft. 
So many, for example, international agreements, like the EU-
U.S. Safe Harbor Agreement, are contingent upon the FTC being 
able to regulate data security, particularly now that there are 
questions about the strength of the U.S. data-protection 
program.
    Also, the U.S. system of regulating privacy is done in a 
patchwork manner, so there is no one great law that regulates 
data security across the United States. And what that does is 
it leaves a number of different gaps. And the only statutes 
that really--the only avenue by which we can provide a baseline 
of data protection in the United States right now is Section 5 
of the FTC Act.
    And so Section 5 helps harmonize a lot of data-security 
practices, and it also has been consistent with a lot of other 
data-security regulatory regimes.
    Mr. Cummings. You heard the testimony of Mr. Daugherty and 
Mr. Roesler--by the way, gentlemen, I am sorry that you have 
gone through what you have gone through. I spent my life 
representing people who were not properly--they were improperly 
accused.
    But you heard their testimony. I was just wanting to get 
your reaction to that. It seems as if there is a question--and 
Mr. Stegmaier talked about this a bit--as to charging folks. 
The way that folks are charged, they use data that--I think, 
Mr. Stegmaier, you would agree with this, based upon what you 
just said--that might you consider unfair charging. Would that 
be a fair statement?
    Mr. Stegmaier. I am not sure I understood----
    Mr. Cummings. Okay.
    Mr. Stegmaier. --precisely the question, sir.
    Mr. Cummings. But you understand what I am saying, right, 
Mr. Hartzog?
    Mr. Hartzog. So I think that the allegations that have been 
brought up are that there is not enough notice given to 
companies and that they are expected to follow rules that they 
say they don't know what they are.
    The answer that I would give to that is that the FTC uses a 
reasonableness test, and a reasonableness test for regulating 
data security is the most common way, if you look across 
regulatory regimes, to regulate data security. So the Gramm-
Leach-Bliley Act and HIPAA and many State regimes, all of them 
use a reasonableness test.
    And the way that you execute a reasonableness test is you 
defer to some other existing body of standards, right? And so, 
in this case, it is a complete deference to industry standards. 
The FTC actually doesn't create the standard at all. Rather, 
they say, what is industry doing? And there is a whole body of 
study, so there are whole industries and fields of study 
dedicated to what makes not just cutting-edge data security but 
just industry-standard data security and best practices. And 
that is what the FTC says you should look to to determine what 
the baseline is.
    And so the FTC actually isn't unique in its regulatory 
approach. There are States and other statutory schemes that 
utilize very similar approaches.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Mr. Daugherty. Can you explain to me, then, why the HIPAA 
and HHS is not coming after LabMD?
    Mr. Hartzog. I am sorry?
    Mr. Daugherty. Can you please explain then, if you are 
talking about industry standards--we are a medical facility. We 
are under HHS and HIPAA. They have not come after LabMD or 
cited anything.
    Mr. Hartzog. Well, I actually can't speculate as to why. 
There are lots of different reasons why claims are brought or 
not brought.
    Chairman Issa. It is a good question, but we probably won't 
have any more between witnesses----
    Mr. Daugherty. Sorry.
    Chairman Issa. --if you don't mind.
    But I do want to clarify just two things very, very 
quickly. You said a body of jurisprudence. That would imply 
that there have been decisions at the district and then the 
appellate court. Are there any?
    Mr. Hartzog. Well, we do have a decision at the district-
court level in the Wyndham case, but, actually, jurisprudence 
can come from a number of different sources. And primarily, in 
the case of the FTC, it comes from the complaints that they 
filed.
    Chairman Issa. Okay. So the consent decrees are a body of 
jurisprudence where they sue and settle, and you are calling 
that a body of jurisprudence. I just wanted to make sure that 
is what you were talking about.
    Mr. Hartzog. Well, not the consent decrees, but rather the 
complaints that indicate what the FTC considers to be an unfair 
and deceptive trade practice.
    Chairman Issa. Okay.
    And only one more quick one for Mr. Daugherty and Mr. 
Roesler.
    Were you given any safe haven or guidance by the FTC as to 
how you could, in fact, not fall under unfair practices at any 
time from the beginning until today, those so-called standards 
that Mr. Hartzog has said exist?
    Mr. Daugherty. Well, sir, thank you for that question, 
Chairman Issa.
    No. As a matter of fact, I stated, and as further indicated 
in my written testimony, quite to the contrary. In briefs and 
in quotations from the FTC, they argue they don't need to 
promulgate rules or inform us of standards. And even their 
experts said that we should Google them.
    And this is just not a way to regulate an American industry 
and economy, let alone the world of medicine.
    Mr. Roesler. My response would be that----
    Chairman Issa. Yes, of course.
    Mr. Roesler. --the communication that Open Door received 
from the FTC was one simple letter; it was a warning that we 
received from them. There was no other communication. And 
during that time, it was simply about a file being out, and 
they listed the file.
    Chairman Issa. So they just didn't pursue you, nor did they 
give you guidance on how to remedy.
    Mr. Roesler. That is my understanding.
    Chairman Issa. And did you have something else you want to 
follow up on?
    Mr. Cummings. Just to follow up on--a friendly follow-up on 
the chairman's question.
    Mr. Hartzog, you just heard what they said. You talked 
about a body of jurisprudence, and here you have folks who are 
saying they had no idea what was going on. Can you react to 
that?
    Is that a fair statement, gentlemen?
    You didn't----
    Mr. Hartzog. I would actually say that it's not a fair 
statement, nor is the FTC unique in requiring, you know, a 
standard to which there is not, you know, to the utmost 
specificity, right?
    So, for example, in tort law, you are expected to build 
products safely, but there is not a manual that you get when 
you start designing products that says, you know, here are the 
130 steps that you can take to make a product safe, right? You 
actually look to industry standards, which is another thing 
that is relatively common. And that is the kind of evidence 
that is used to determine whether you are acting reasonably or 
not.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Chairman Issa. I thank all of you.
    I will tell you, as somebody who has set industry 
standards, sat as a chairman of a trade association, I 
understand that safe havens are critical, industry standards, 
if you live up to them, you are supposed to get a level of 
immunity, at least from persecution by your government. It 
doesn't seem like that exists here.
    Mr. Mica?
    Mr. Mica. Thank you, Mr. Chairman.
    And, Mr. Daugherty, you had Lab Med?
    Mr. Daugherty. LabMD, sir.
    Mr. Mica. Okay, LabMD.
    And you had Open Door, Mr. Roesler?
    Mr. Roesler. That is correct.
    Mr. Mica. Two different activities.
    Now, were you first notified by FTC that there was some 
breach or some problem with your handling of data, Mr. 
Daugherty?
    Mr. Daugherty. We----
    Mr. Mica. When did FTC notify you first?
    Mr. Daugherty. They sent us an 11-page letter starting the 
inquiry.
    Mr. Mica. Before that, no?
    Mr. Daugherty. No, sir. We were just under HIPAA.
    Mr. Mica. And before that, no with you.
    I am just trying to look at what took place here. So you 
both are conducting your business or activities, and you both 
get calls from this firm, Tiversa. And that was the first 
notice that you had from anyone that you had problems as far as 
data security.
    Is that correct, Mr. Daugherty?
    Chairman Issa. And I would only ask one thing, that 
whenever you answer, make sure it is verbal. The clerk is not 
allowed to write down a head nod.
    Mr. Mica. Yeah, nods don't count.
    So, Mr. Daugherty?
    Mr. Daugherty. Yes----
    Mr. Mica. When you first--I want to find out when you first 
found out from some outside source that there was some breach.
    Mr. Daugherty. The outside source, sir, was--the first one 
was Tiversa in May 2008, and then the----
    Mr. Mica. And Mr. Roesler?
    Mr. Roesler. For Open Door, it was also Tiversa that 
notified us first.
    Mr. Mica. Okay. And that firm told you that they had, I 
guess, been fishing or surfing, whatever the hell they did. And 
then did they offer to help remedy your situation, Mr. 
Daugherty?
    Mr. Daugherty. They--well, yes, sir. They would not----
    Mr. Mica. What was the offer?
    Mr. Daugherty. The offer was----
    Mr. Mica. How much an hour?
    Mr. Daugherty. $475 an hour, with a 4-hour minimum, no 
guarantee.
    Mr. Mica. Mr. Roesler?
    Mr. Roesler. It was $475 an hour.
    Mr. Mica. And, Mr. Daugherty, what did you tell them?
    Mr. Daugherty. I told them I was not interested until they 
gave me more information.
    Mr. Mica. Okay.
    And, Mr. Roesler, what did you tell them?
    Mr. Roesler. I didn't respond.
    Mr. Mica. You didn't respond. Okay.
    So, after your initial contacts, your first contact of the 
breach, then you were later notified by FTC that there was a 
problem, Mr. Daugherty?
    Mr. Daugherty. Well, we were called by----
    Mr. Mica. It was subsequent.
    Mr. Daugherty. Later in 2008, we were told by Tiversa they 
were giving it to Federal Trade Commission, and then Federal 
Trade Commission contacted us 14 months later.
    Mr. Mica. Uh-huh.
    And Mr. Roesler?
    Mr. Roesler. Yes, afterwards. Uh-huh.
    Mr. Mica. Yeah.
    And we tend to believe that FTC was informed or got that 
information from that company. Would you assume the same thing, 
Mr. Daugherty?
    Mr. Daugherty. Yes, sir, I would.
    Mr. Mica. What would you assume, Mr. Roesler? You gave it 
to them? You called them up and said, ``We are doing this, and 
you ought to investigate us?''
    Mr. Roesler. Excuse me?
    Mr. Mica. I am just--that was a joke.
    Mr. Roesler. All right. Thank you.
    So I don't know. I don't know the answer to that question. 
If that is how----
    Mr. Mica. But somehow they got the data.
    Mr. Roesler. That is correct.
    Mr. Mica. Well, to me, it looks like a little bit of an 
extortion game from a company trying to make a few bucks off of 
you guys, fishing and then coming after you. That is just my 
assumption. Now, we don't have FTC and others in here. We will 
have to find out more of what took place.
    Part of this is that, you know, FTC was set up for a good 
and noble purpose, and that is to deal with deceptive and 
unfair trade practices. And we should have the right, too, to 
have whistleblowers give them information. But a lot of the 
discussions also went around the standards and what is fair. 
But the standards do not exist specifically, Mr. Hartzog, as 
part of the testimony. That is first.
    And then, secondly, you made a good point, that we don't 
want to clip FTC's wings to inhibit their power to go after bad 
actors. Is that correct?
    Mr. Hartzog. Yes, that is correct.
    Mr. Mica. But if we find out, again, that the motivation 
for this was their nonparticipation in this scheme, it doesn't 
seem like they were treated fairly, one, and, two, that you two 
were never given notice to correct the practice. Were you given 
notice to correct what they considered----
    Mr. Daugherty. Oh, we were just given endless questions for 
years and then a suit. No. That was all we were given.
    Mr. Mica. Were you given a remedial course or----
    Mr. Roesler. In our letter, it was suggested that we----
    Mr. Mica. Cease and desist?
    Mr. Roesler. Something like that.
    Mr. Mica. Remedy your situation?
    Mr. Roesler. That is right. Look into it.
    Mr. Mica. Uh-huh. Because I think, again, businesses need 
to be notified by the regulatory agencies if there is a 
practice, and then if they don't clean their act up--you didn't 
devise those software systems, it was probably something you 
purchased, that had a----
    Mr. Daugherty. LimeWire was never even purchased. That is 
just malware that was out there----
    Mr. Mica. Uh-huh.
    Mr. Daugherty. --that was put in by an employee with a 
total lack of authorization.
    Mr. Mica. But it wasn't a purposeful thing, and when you 
found out, you tried to remedy it.
    Mr. Daugherty. Absolutely, sir.
    Mr. Mica. Mr. Roesler?
    Mr. Roesler. We never had any evidence of having----
    Mr. Mica. But when you found out, did you try to remedy it, 
the situation?
    Mr. Roesler. We just researched to find that we had no risk 
of that. That was----
    Mr. Mica. Okay. All right.
    I yield back.
    Chairman Issa. Okay. Thank you.
    Mr. Hartzog, just to make sure, was LimeWire ever gone 
after by the FTC for their deceptive practices of creating the 
vulnerabilities?
    Mr. Hartzog. I----
    Chairman Issa. You have looked through the body of 
jurisprudence.
    Mr. Hartzog. I do not believe so, so I----
    Chairman Issa. But they never went after the people who 
created the vulnerability, just people who were victims.
    Mr. Hartzog. Yeah, I don't--I am not privy to 
investigations. I only know about the filed complaints. But as 
far as I know, there was no filed complaint against LimeWire.
    Chairman Issa. Yeah. That makes sense. They were probably 
without deep pockets and too slippery.
    The gentleman from Massachusetts, Mr. Tierney.
    Mr. Tierney. Thank you.
    Mr. Hartzog, apparently there was ultimately an agreement 
or a decision that the companies that are testifying here today 
did not live up to industry standards or some other measure of 
reasonableness. Is that fair to say?
    Mr. Hartzog. Yes, that is fair.
    Mr. Tierney. All right. So in that determination by the FTC 
of whether or not they complied with the reasonableness on 
that, is the sophistication of the company, the size of the 
company, the resources the company might have for establishing 
secure IT, the danger of the release of their data, are all of 
those factors in that determination of reasonableness?
    Mr. Hartzog. Absolutely. That is one of the reasons why a 
one-size-fits-all checklist for data security will never work, 
because it is far too dependent upon variables like that. And 
so, of course, large companies, large tech companies--you know, 
Microsoft and Amazon and all these others--are expected to have 
significantly different and probably more robust data-security 
practices than, say, smaller businesses. Now, of course, there 
is a baseline for everyone collecting personal information, but 
it varies wildly as to what is constituted in any given 
circumstance.
    Mr. Tierney. So is there an FTC process where, when they 
become notified that a problem may exist, they notify the 
individual and give them an opportunity to cure?
    Mr. Hartzog. Because I am not privy to a lot of the 
internal investigations within the FTC, I am unable to answer 
that question.
    Mr. Tierney. Mr. Stegmaier, do you have any information on 
that, whether or not the FTC as a matter of course, when they 
have an allegation or a concern that somebody may not be being 
reasonable in securing their IT, they give that company an 
opportunity to cure before they take action?
    Mr. Stegmaier. I have never had an experience in 13 years 
of doing this where they proffer the opportunity to cure in the 
manner that I think you are suggesting.
    I have had a number of nonpublic resolutions, many, many 
times. But I haven't had this sort of, I think in the 
chairman's words, safe-harbor situation where they say, ``We 
have brought this to your attention, we see that you have taken 
corrective measures, and we have determined that that, you 
know, is in fact good enough.'' In fact, it is their practice, 
in part of Mr. Hartzog's analysis, that the agency doesn't 
typically issue what would be referred to as a closing letter 
for investigations.
    But in my, you know, private, personal capacity appearing 
before the agency representing clients, the characterization 
you described is not consistent with my experience.
    Mr. Tierney. Are either Mr. Hartzog or Mr. Stegmaier 
familiar with a situation where their clients were notified, as 
Mr. Roesler was, that you apparently have a problem and then no 
further action was taken because your client did something 
about it?
    Mr. Stegmaier. So it hasn't been my experience that the 
agency is typically calling to the attention of individual 
companies incidents or situations, but, rather, they come, 
investigation in hand, with an investigatory posture, trying to 
figure out what happened, rather than more a notice and 
corrective posture.
    But, to be clear, I am aware of numerous cases where the 
agency has chosen not to continue investigating.
    Mr. Tierney. Okay.
    Is that similar to your information, Mr. Hartzog?
    Mr. Hartzog. That's correct, based on my information.
    Mr. Tierney. Thank you.
    Mr. Roesler, you received a letter from the FTC notifying 
you that they believed you had an issue and suggesting that you 
do something about it.
    Mr. Roesler. That's correct.
    Mr. Tierney. All right. And what you did about it, you 
said, was you went and rechecked again to see if your people 
could find anything on the peer-to-peer; is that right?
    Mr. Roesler. What I said was that our IT subcontractor 
looked at our network to see if there was any P2P software 
within our network or on any of our computer laptops, any work 
stations.
    Mr. Tierney. Did you at all do any research or ask your 
legal counsel, your IT subcontractor, to do some research about 
what the best practices in your industry were and whether or 
not you were, in fact, complying with those?
    Mr. Roesler. Indeed, we did.
    Mr. Tierney. And what was the result of that?
    Mr. Roesler. The result was that we were meeting those 
standards, our network was secure, and that we were compliant.
    Mr. Tierney. And did the FTC ever take any follow-up action 
against you?
    Mr. Roesler. None that I am aware of.
    Mr. Tierney. Thank you.
    Mr. Stegmaier and Mr. Hartzog, again, your help, if you 
would. When a determination is made by the FTC that there is 
noncompliance or that there is an unfair or deceptive practice, 
are the penalties automatic, set at a certain amount once it is 
found? Or is there discretion for the FTC to take into 
consideration mitigating factors?
    Mr. Stegmaier. So the agency doesn't actually have 
statutory penalty authority. They enter into a consent decree, 
which typically doesn't have a monetary penalty or a remedy.
    As to the factors that they use in terms of how they decide 
which cases to prosecute or which cases not to prosecute, I 
would respectfully disagree with Mr. Hartzog in the sense that, 
having done this for a long, long time, the precise motivations 
and contours of what constitutes reasonable behavior and 
reasonable information-security behavior from the perspective 
of the agency that's authoritative is no more clear to me today 
than it was 13 years ago.
    Mr. Tierney. I am going to let you guys fight that out 
offline here on that.
    So if there's not a monetary penalty, what is the nature of 
the action that the FTC takes ultimately?
    Mr. Stegmaier. I think one way to think about it is to have 
a new board member who helps supervise your privacy and data-
security process for the next 20 years, including, typically, 
biennial privacy and data-security audits through an approved 
third-party contractor who essentially will, you know, audit 
and review your processes and report to the agency.
    Additionally, they have a tool which they call--is commonly 
referred to as fencing-in relief, through which, once you're 
under an order, you are subject to financial penalties if you 
should violate the order. And, in my experience, it's not 
uncommon for companies to spend as much as a half-a-million 
dollars a year or more simply to undertake to comply with the 
underlying orders.
    So I would respectfully disagree with Mr. Hartzog to the 
extent that it takes into account the nature and size of the 
underlying companies. In fact, my experience has been the 
opposite, that the size of the company doesn't dictate what 
level of security the agency seems to believe is required in a 
number of instances.
    Mr. Tierney. And I assume that----
    Chairman Issa. The gentleman's time has expired.
    Mr. Tierney. Can I ask unanimous consent for one further 
question?
    Chairman Issa. As long as it doesn't take another minute 
and a half extra, go ahead.
    Mr. Tierney. I'll do my best.
    And the cost of this, sort of, outside entity or auditor 
that you're talking about is borne by whom?
    Mr. Stegmaier. Entirely by the company, sir.
    Mr. Tierney. Thank you.
    Chairman Issa. Thank you.
    Mr. Walberg.
    Mr. Walberg. Thank you, Mr. Chairman.
    And thanks to the witnesses for being here.
    Mr. Stegmaier, if you could just further help me to 
understand, what are the FTC standards for determining whether 
or not a company's data-security practices violate Section 5?
    Mr. Stegmaier. Thank you very much, sir.
    A couple of things. The articulated standard is one of 
reasonableness, and that is the extent of the standard.
    I note that for the folks that are here today--and I think 
this is important for the committee to understand--I think that 
we learned from Mr. Roesler and Mr. Daugherty that there were 
initially begun investigated--the investigation in 2008. It 
wasn't until 2011 that the Federal Trade Commission issued a 
best-practices guide identifying a number of recommendations 
that it thinks are required for reasonable security.
    But to answer your question I think more directly, the 
troubling thing about that guide and the thing that has been 
difficult for many companies is, if you asked me to identify 
which, if any, of those items that they identify as best 
practices are legally required, I could not tell you.
    Mr. Walberg. So this is an evolving notion, as it were.
    Mr. Stegmaier. Absolutely. And I think the agency itself 
has taken that position repeatedly. The agency takes the 
position that it needs flexibility because technology is 
changing, what we think is privacy is changing, data security 
is changing.
    Mr. Walberg. Well, what, then, gives the FTC the authority 
to take enforcement on these evolving actions, especially in 
what's considered reasonable?
    Mr. Stegmaier. Sure. So, as Mr. Hartzog identified, the 
language of Section 5 is incredibly broad, and courts have 
generally given deference under what's known as the Chevron 
deference--Chevron case to agencies to determine their own 
jurisdiction. So, unless that exercise of jurisdiction is 
arbitrary or capricious, for the most part, absent Congress 
stepping in, the agency's determination, you know, will prevail 
unless or if a court disagrees.
    And, as I mentioned to the chairman earlier, there are a 
number of cases pending that challenge exactly this question.
    Mr. Walberg. Mr. Hartzog, do you agree or disagree that the 
FTC should be taking the lead in establishing new regulations 
governing data-security practices?
    Mr. Hartzog. Well, I think that the FTC certainly plays the 
pivotal role and should play the pivotal role in establishing 
data-security regulation in the United States, but I do think 
that it's wise for the FTC to continue to defer to industry 
standards rather than try to make up their own standards, but, 
rather, follow what industry has determined is reasonable and 
appropriate data security. Because I think that that kind of 
deference keeps the FTC from acting in an arbitrary or 
inconsistent way.
    Mr. Walberg. So, in other words, kind of a shared 
partnership lead?
    Mr. Hartzog. That's right. So it's a co-regulatory regime, 
right, where you let industry say this is what is reasonable in 
our field, and then the FTC then looks to that to determine 
which companies have gone beyond the boundaries of 
reasonableness.
    Mr. Walberg. Mr. Stegmaier, can a business owner look up 
the rules for data security to make sure a business is in 
compliance?
    Mr. Stegmaier. So if you're subject to the Health Insurance 
Portability and Accountability Act, you can. In fact, the HHS 
has issued privacy and data-security regulations. The Federal 
Trade Commission has not.
    If you are a financial institution subject to the Gramm-
Leach-Bliley Act, there has been notice-and-comment rulemaking; 
you can look up those regulations. But, again, if you're 
subject to the FTC's jurisdiction----
    Mr. Walberg. You can't.
    Mr. Stegmaier. --you cannot.
    Mr. Walberg. A pattern is emerging.
    Mr. Daugherty, did you know where to look up the rules or 
informal policies that governed FTC data-security practices 
before you were contacted by FTC?
    Mr. Daugherty. No, sir, because there were none. I mean, 
we've had professionals in and out. We had Stanson's two people 
in. No one said anything about them. We were fully within the 
medical community.
    Mr. Walberg. How easy or difficult is it to keep up with 
these informal policies?
    Mr. Daugherty. Well, I think it's nearly impossible, I 
mean, because they don't tell you till after the fact, whereas 
in HHS, in the world that we reside, in a regulatory world, 
it's quite simple. But in, you know, the world of medicine, 
which they're trying to get into, they're not using that 
format.
    Mr. Walberg. And, finally, Mr. Daugherty, in your opinion, 
is it fair for the FTC to expect businesses like yours to be 
able to locate and follow data-security practices?
    Mr. Daugherty. Oh, we're all for following data-security 
practices, absolutely. But we need to, obviously, have them 
take a leadership role and not a reactionary role.
    As much as they want to say how broad this needs to be, 
breadth does not mean infinity, and there have to be some 
boundaries. And they seem to continually argue, well, we have 
broad scope, we need broad scope. But that doesn't mean they 
don't have to say anything. I mean, we all have laws. That 
doesn't mean we call it a crime when we see it.
    So I think they need to be more reasonable in their 
boundaries and their communications, especially when they 
choose to get into medicine. That is really an alarming 
overreach.
    Mr. Walberg. Sounds reasonable. Thank you.
    My time has expired.
    Mr. Bentivolio. [Presiding.] The chair recognizes the 
gentleman from Massachusetts, Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman.
    Now, this dispute is currently in the FTC administrative 
court; is that correct?
    Mr. Daugherty. Is this to me?
    Mr. Lynch. Yeah, anybody.
    Mr. Daugherty. Okay. Yes, sir, against LabMD, yes it's in 
administrative court, sir.
    Mr. Lynch. It seems to me that's a good place for it. I 
don't understand how this matter--there are a lot of, you know, 
administrative disputes that one side or the other feels 
offended by. It just surprises me that you're before Congress, 
given the small amount of work we do anyway, and now we're 
engaging in this. I just--I don't think this whole dispute, 
this whole hearing is appropriately before us. Let me just get 
that out of the way.
    Earlier, Mr. Hartzog and Mr. Stegmaier, we heard the 
chairman say that--and get confirmation from two of the 
witnesses that there is no breach unless someone uses the 
information that's been put out there. In other words, you can 
have a door that's unlocked, I guess is the analogy that was 
used, and that even though information was not kept secure, 
there's no breach until somebody actually uses that information 
that's been put out there.
    Is that the state of the law?
    Mr. Stegmaier. So, whether or not a security breach exists 
is actually a term of art. As the members of the committee may 
be aware, I think at least 47 States have breach notification 
laws using differing standards or requirements. So I think we'd 
have to think about, sort of, a particular----
    Mr. Lynch. Well, let me ask you, do any of those States say 
that the information has to be used before a breach is 
declared?
    Mr. Stegmaier. They tend to use the operative phrases, 
acquired or accessed without authorization.
    Mr. Lynch. Okay. So just putting the information out on the 
Internet, if nobody is using it, there's no breach?
    Mr. Stegmaier. It's an active matter of dispute as to 
whether the mere accessibility of information constitutes a 
security breach, and a lot of really smart people would 
disagree very vigorously.
    Mr. Lynch. Yeah. So you can put stuff out on the Internet, 
secure information on the Internet, and that wouldn't be a 
breach, Mr. Stegmaier.
    Mr. Stegmaier. That's not what I am saying at all. What I'm 
saying is----
    Mr. Lynch. Okay.
    Mr. Stegmaier. --smart people would disagree, and they 
frequently and regularly do.
    But I think an important consideration is, under HIPAA, for 
example, whether you adhere to the security rule--in other 
words, whether your systems are, in fact, secure--is different 
than whether or not you've had a breach. So under HIPAA----
    Mr. Lynch. Well, I'm just asking you here whether it's 
required in order to be guilty of a security breach, whether 
someone has to use the information. That's what I'm asking you.
    Mr. Hartzog, do you want to take a shot at this?
    Mr. Hartzog. Sure. The mere fact of a breach itself, 
actually, isn't a violation of any particular law, right? So 
there are a couple of points: One is the Section 5 defining an 
unfair trade practice as one that either causes harm or is 
likely to cause harm. You actually don't have to have any kind 
of breach or misuse in the first place.
    Mr. Lynch. Yeah.
    Mr. Hartzog. The second point is, the only harm that can 
come isn't necessarily one of, like, say, user ID theft, right, 
so mere exposure can constitute it.
    And then the third thing to remember is that the wrongful 
actions here aren't that a breach occurred, right? A breach is 
really perhaps just a symptom of the problem, which is a 
failure to have good data-security practices. So regardless of 
whether the breach happened or whether it didn't happen, 
whether information was available or whether it wasn't 
available, all of that only really goes towards showing whether 
there were good, reasonable data-security practices or not. And 
that's really what we're looking for.
    Mr. Lynch. Right. That's the preventative aspect of this.
    Mr. Hartzog. Right.
    Mr. Lynch. If we had to wait till your Social Security was 
used by someone, you know, then----
    Mr. Hartzog. Correct.
    Mr. Lynch. --we would have to sit on our hands until 
somebody was abused, you know, somebody's information was 
acquired. And----
    Mr. Hartzog. Which is very difficult to show. And it's 
important to remember that data security is a probabilities 
game, right? So----
    Mr. Lynch. Right.
    Mr. Hartzog. --what you want to--there's no such thing as 
perfect data----
    Mr. Lynch. Let me just jump to this quick. Mr. Roesler, 
your clinic serves patients that may have HIV or AIDS; is that 
right?
    Mr. Roesler. That's correct.
    Mr. Lynch. Did the master list file have personal 
information about clients of the Open Door Clinic?
    Mr. Roesler. It did.
    Mr. Lynch. And about how many Open Door clients were listed 
in the master list file? Do you know?
    Mr. Roesler. About 150.
    Mr. Lynch. And the FTC wrote you that the clinic file 
master list was available to users on this peer-to-peer file-
sharing network, right?
    Mr. Roesler. They did.
    Mr. Lynch. So the information was out there. So are you 
saying that the FTC was wrong to contact you on that? Is that 
part of your complaint?
    Mr. Roesler. Not at all. No.
    Mr. Lynch. Okay. Where did the--the FTC has not filed an 
enforcement action against you for that, right?
    Mr. Roesler. That's correct.
    Mr. Lynch. So wherein lies the overreach on the part of the 
FTC?
    Mr. Roesler. I am not aware of overreach.
    Mr. Lynch. Okay.
    I'll yield back. Thank you.
    Mr. Bentivolio. The chair recognizes the gentleman from 
Tennessee, Mr. Duncan.
    Mr. Duncan. Well, thank you, Mr. Chairman.
    And I appreciate Chairman Issa calling this hearing because 
what I've heard thus far is very disturbing to me. I was 
presiding over the House until a few minutes ago, and so I 
didn't--I'm sorry, I didn't get to hear the testimony.
    But if I understand this correctly, Mr. Daugherty, this 
Tiversa firm contacted you or your company and told you of 
possible problems and asked you to hire them at a rate of $475 
an hour, and then when you declined to do so, they turned you 
into the FTC.
    Mr. Daugherty. That's correct. That was all in 2008.
    Mr. Duncan. And then the FTC started pursuing you, taking 
action against you.
    Mr. Daugherty. That's correct.
    Mr. Duncan. And I think I just was told that you're close 
to being out of business, or----
    Mr. Daugherty. The laboratory operations closed in January 
of this year because we've been completely sideswiped by this.
    Mr. Duncan. And Mr.--is it ``Roesler'' or ``Roesler''?
    Mr. Roesler. It's ``Roesler.''
    Mr. Duncan. ``Roesler.'' Mr. Roesler, your story is very 
similar, is that correct, except you're still in business?
    Mr. Roesler. I don't know that my story is similar. It's 
got its differences. Yes, we are still in business.
    Mr. Duncan. But you were contacted by Tiversa----
    Mr. Roesler. That's correct.
    Mr. Duncan. --and for $475 an hour they would take care of 
your problems?
    Mr. Roesler. That's also correct.
    Mr. Duncan. And then when you declined, they contacted the 
FTC.
    Mr. Roesler. That I'm not aware.
    Mr. Duncan. Well, according to the staff briefing we have, 
the FTC--this Tiversa company told on or reported or turned 
almost 100 companies into the FTC.
    And, Mr. Hartzog, don't you think that, in light of what's 
come out here today, that the FTC should check on something 
like this, if another private company turns in a company, to 
see what conflict of interest is present? Because there 
certainly was a conflict of interest in these cases we're 
hearing about.
    Mr. Hartzog. It's difficult for me to speculate on that 
without knowing the exact details. But it's my understanding 
that the FTC actually gets information about what constitutes, 
you know, a potentially unfair or deceptive trade practice from 
lots of different sources, including public complaints in 
general, many of which might be valid and many of which might 
actually be invalid. And----
    Mr. Duncan. Well, I know they get them from many sources, 
but when there's an obvious seemingly almost criminal conflict 
of interest involved, it looks like the FTC would at least 
check that out. Because that could easily be checked out on the 
front end of things.
    Mr. Hartzog. Well, certainly, the FTC should make sure that 
any allegation that's turned into them is actually valid. And 
so I think that, of course, it's incumbent upon them to make 
sure that the facts that are alleged to them are actually true.
    Mr. Duncan. Mr. Stegmaier, you're a law professor. Do you 
think anyone should be prosecuted criminally on things like 
this, what you've heard here today?
    Mr. Stegmaier. If the facts as alleged turn out to be true, 
no, I would not think that prosecution should necessarily be 
appropriate. But I think if I'm understanding your question 
more correctly, do I think it's appropriate for this committee 
and Congress to review the agency's behavior, I think it's 
incumbent on Congress to do so.
    Mr. Duncan. What do you think should be done in addition to 
this committee looking into it?
    Mr. Stegmaier. So I don't profess to be an expert on all of 
the remedies or different, you know, mechanisms. But one of the 
things that I think we've seen and I think is, you know, 
critically relevant is to create an environment where companies 
can understand what's actually expected of them as a matter of 
law so that then when and if the agency should come to 
investigate them there's much less of an element of surprise. 
And that's really sort of the crux, right? The Constitution 
protects us from being prosecuted when we couldn't possibly 
have known what the law is.
    And I think Mr. Daugherty could testify or would testify 
about his experience in that regard, and I think he has 
testified to the effect that he understood that he was subject 
to HHS's jurisdiction. And being subject to the FTC's 
jurisdiction and then what that meant in terms of what's 
actually required is as opaque today as it was in 2008 for him.
    Mr. Duncan. Well, the problem that many of us see now is 
that the Federal Government is prosecuting people for 
unintentional violations of the law. And that's not supposed to 
be criminal, but a zealous prosecutor can make an innocent, 
unintentional violation of the law seem to be criminal, and 
that's a pretty dangerous thing.
    The government should be in the business of trying to help 
companies stay in business, not with the goal of trying to run 
people out of business, unless they have definite proof of 
intentional efforts to defraud people.
    Thank you very much, Mr. Chairman.
    Mr. Bentivolio. The chair recognizes the gentleman from 
Virginia, Mr. Connolly.
    Mr. Connolly. Thank you, Mr. Chairman.
    And welcome to our panel, especially my constituent, Mr. 
Stegmaier, who's obviously cogent, astute, perspicacious, very 
compelling testimony. And we're not surprised, coming from the 
11th Congressional District of Virginia.
    Mr. Stegmaier. Thank you, sir.
    Mr. Connolly. Mr. Stegmaier, I wanted to clarify something 
you testified to just now. What is the status of Mr. 
Daugherty's case before the FTC?
    Mr. Stegmaier. So I haven't been following the precise 
contours of the case other than the existence of the 
administrative procedure is highly, highly unusual. I'm not 
aware of any other case that's actually used that procedure.
    Mr. Connolly. Mr. Daugherty, what is the status of your 
case?
    Mr. Daugherty. The case is on pause until the immunity 
decision and proffer is worked out with this committee. And 
then the judge will make a decision from that point.
    Mr. Connolly. Okay. So it's still in adjudication. Pending.
    Mr. Daugherty. Pending.
    Mr. Connolly. But there's been no verdict delivered or----
    Mr. Daugherty. No. This is correct.
    Mr. Connolly. Well, I will say I share some of--more than 
some of the misgiving of my colleague from Massachusetts, Mr. 
Lynch, about the appropriateness of this committee even the 
perception of intervening in the midst of, you know, a 
regulatory adjudication, for fear that, you know, we start to 
set a precedent. So anybody, you know, who doesn't like a 
procedure can just come here and we'll have a hearing and judge 
it for ourselves. I just think that's a dangerous precedent if 
that, indeed, is what's going on.
    Mr. Stegmaier, the title of this hearing is ``FTC Section 5 
Authority: Prosecutor, Judge, and Jury.'' Do you view the FTC 
as playing a role as prosecutor, judge, and jury?
    Mr. Stegmaier. Absolutely. I think the structure of the 
administrative state, Section 5 being very broadly worded, with 
the agency getting deference to its own determinations about 
its jurisdiction, as well as its interpretations of the law 
being plausible, absolutely create a situation where it is 
difficult, if not impossible, to create due process remedies or 
ways for review that most regular people would think our system 
of justice entitles them to.
    And with respect, Mr. Connolly, to your comments about this 
particular proceeding, one of the things that strikes me is 
that, with respect to the fair notice doctrine and due process 
generally, if not here, where else? And I think that really 
begs the question. You know, in other words, Mr. Daugherty, I 
am not sure has any other place that he could go unless and 
until this proceeding is resolved.
    So, you know, again, maybe I'm a bit of, you know, sort of 
a sentimentalist, but I think the due process concerns here are 
so significant that I would be, you know, troubled to wonder 
where else one might go for redress.
    Mr. Connolly. That sounds good, Mr. Stegmaier, but we 
cannot be substituting ourselves for regulatory agencies in the 
midst of their administrative procedures. The precedent that 
sets is very dangerous, in my opinion.
    And, by the way, if there were thousands of them, there's 
no way you could raise the expectation that, no, no, this is 
where you come for redress if you don't like the process. 
Though, I am not disagreeing with you about the fact that there 
may be way too much authority, frankly, vested in this process. 
And that's a legislative issue, but not an adjudication.
    Mr. Hartzog, would you respond to what Mr. Stegmaier said? 
Didn't he make a pretty good point there?
    Mr. Hartzog. Sure. No, so I would actually disagree. I 
mean, I agree in the sense that, you know, this kind of title 
of ``judge, jury, and executioner'' is--the FTC is not unique 
among administrative agencies in that it has been given 
enforcement power and the power to kind of dictate rules. 
That's actually kind of administrative law generally, right? 
So, to the extent that the FTC has the power to enforce the law 
and create rules through case-by-case adjudication, the FTC 
seems to be hardly unique in that respect.
    With respect to, kind of, fair notice, due process 
concerns----
    Mr. Connolly. Well, can I just interrupt you there? Mr. 
Daugherty has a blog in which he refers to the FTC as ``lying, 
cheating, breaking every rule in the book.'' ``All professional 
tyrants and bullies have plenty of tricks up their sleeves. 
This nest,'' presumably the FTC, ``is no exception.''
    So Mr. Daugherty----
    Chairman Issa. [Presiding.] Would the gentleman yield?
    Mr. Connolly. Of course.
    Chairman Issa. I think many Members on your side of the 
aisle have said the same about me on the dais. These 
allegations are not unique, are they?
    Mr. Connolly. Yeah, but I don't know if we all have blogs.
    But, I mean, putting a charitable interpretation on what 
clearly is a source of anger and frustration for Mr. Daugherty 
is a sense of: I am not being treated fairly. This process is 
far beyond just a routine administrative process. It is one 
that, you know, is all-encompassing and all-powerful and 
capricious. My word, not his.
    So is this just like any other administrative process? Is 
there something unique or different about this one? I'm not 
referring to the particular case; I'm talking about the 
process. Because you just said, well, it's hardly unique. But 
if I read this blog and only rely on it for witness to the FTC 
process, I might conclude it most certainly is different and 
unique, or at least I hope it would be, if this is accurate.
    Mr. Hartzog. Well, I can't comment as to the factual 
specifics. My----
    Mr. Connolly. I'm not asking you to.
    Mr. Hartzog. Right, right. So without knowing the internal 
deliberations of what happened with respect to the FTC 
investigation with this particular case, I will say if you look 
at the complaint that was filed in this case, it is very 
consistent with all of the other FTC data-security complaints. 
The FTC has been regulating data security since the late 1990s, 
and they've done so in a very conservative and incremental 
manner. The language that they employ is very consistent across 
every single complaint. The language that they use in their 
consent orders is very consistent.
    And so if you look at the complaint that was filed in this 
case, it does, indeed, look very similar to lots of other 
complaints filed by the FTC. And so, in that regard, this is, 
you know, just another, kind of, incremental iteration on the 
FTC's data-security regulations.
    Mr. Connolly. And just a final point, if I may, Mr. 
Chairman.
    Do you agree with Mr. Stegmaier that, if not here, where, 
that this is a place to come for redress if you feel you're not 
getting it in the administrative law review--I mean, the 
administrative judicial process?
    Mr. Hartzog. Well, I would just call note to the fact that 
everyone that is subjected to an FTC complaint has the right to 
judicial review. And so, you know, that seems to be the 
structure that was put in place precisely to put a check on 
administrative agencies.
    Chairman Issa. Would the gentleman yield?
    Mr. Connolly. Of course.
    Chairman Issa. Just for a short colloquy. I think you made 
an assertion that perhaps this hearing and our what you called 
``intervening'' with the FTC was inappropriate. I just want to 
go through a couple of things very quickly for our benefit.
    Have you had a chance to look at any of the proffer 
material brought to the committee voluntarily by a 
whistleblower?
    Mr. Connolly. I'm not sure what the chairman is referring 
to. I've looked at a lot of material.
    Chairman Issa. No, no. There was a proffer brought. The 
committee staff has reviewed some of it. There was a 
whistleblower who came to us, unrelated. We did not initiate 
it, but rather a whistleblower came to us. And that, in 
combination--and perhaps your staff can arrange--at the 
beginning, I asked everyone to look at the proffer. It goes 
more than an hour.
    But, additionally, the reason that this committee feels 
that, notwithstanding an ongoing--many-year ongoing FTC 
activity, that, in fact, because Mr. Boback testified before 
this committee twice while he was, in fact, turning people into 
the FTC for eventual prosecution, and because a whistleblower 
came to us, and because that whistleblower took the Fifth at 
the--asserted his Fifth Amendment rights at that proceeding, my 
understanding is the administrative law judge has for the time 
being held up, with no prejudice whatsoever, his proceeding as 
we continue to try to go forward.
    The judge is able to go forward with the case at any time, 
of course, but both this chairman believes that we should hear 
the testimony of the whistleblower here and I think the FTC 
would like to hear the testimony of that individual because, 
since he was a prior employee of Tiversa, he is, in fact, 
likely to be a fact witness as to whether or not there is 
credible evidence against Mr. Daugherty's company, which, by 
the way, doesn't go to the FTC's authority that we're 
discussing here today. It really goes to the question of, is 
the FTC accurate in one or more of its pleadings?
    And for the gentleman's edification, it is our opinion 
that, at a minimum, if the assertions that have been made are 
true, the FTC has been misled and this committee has been 
misled on multiple occasions. The Secret Service, NCIS, the 
White House, through the assertion made--and I don't know if 
the gentleman was here when it was made, but the assertion that 
Marine One's cockpit upgrade was compromised when it was in 
Iran may not have been true. All of those things caused this 
committee to think that we need to act now and to look into it.
    But I appreciate the gentleman's rightful statement that 
it's not for us to second-guess the FTC. Their administrative 
law judge has to make their own decision. We also, though, 
believe that we have an independent obligation based on the 
things I outlined, and I would hope the gentleman would agree.
    Mr. Connolly. Mr. Chairman, it might surprise you to hear 
that, in some measure, I do agree. However, I guess I'm raising 
the question, not for a solution here, about, what are the 
right boundaries for us, and when do we properly intervene 
because of our oversight function and duty?
    I was asked before this hearing, you know, do we have a 
role to play in oversight of FTC, and my answer was absolutely. 
And if there's, you know, something to be reformed or something 
certainly to be looked at, that is absolutely a proper function 
of this committee. And the idea that it's never proper is to be 
rejected.
    However, there are boundaries. And when there's a specific 
case in front of a judge, I am concerned that it not even be 
construed as a perception that we are attempting to tilt the 
judgment in a particular way or to make ourselves the place of 
redress when people have a grievance, even though that 
grievance may very well be legitimate.
    Our role is not to hear the case all over again. It is to 
try to, you know, ameliorate the grievance if there are 
legitimate aspects to it that can be addressed legislatively. 
That's what I was raising.
    Chairman Issa. And I think the gentleman and I would agree 
that we have to be very careful, both yesterday with the IRS 
and today with the FTC. But I do believe, when somebody has 
testified before this committee multiple times, the assertions 
may be incorrect, and, as a result, a series of suits already 
completed by the Federal Trade Commission with consent decrees 
might, in fact, have been flawed.
    And, tangentially, Mr. Roesler, obviously, we are concerned 
that a pattern of activity, business practices, you may have 
been a victim of and suffered--you and your insurance company 
suffered distraction and cost for years. So we are concerned 
with it.
    And that's why I was so appreciative of your being here 
today. This was a tough one for you to do. It's tough for you 
to tear yourself away and to take time out. But, hopefully, 
maybe a little bit like some hearings we've had over the years, 
where people don't understand them at the beginning of it, if, 
in fact, they come to some of the assertions being true, then 
at the end of it all people will say, yes, it was worthwhile.
    If, Mr. Connolly, if, at the end of it all, whistleblower 
statements are wrong, assertions are wrong, and all of what we 
have been told is not true, and if, for example, that 
Pittsburgh event, the law firm was just a coincidence, if, in 
fact, both of these individuals had real breaches, then, in 
fact, if all those things be true, then, in fact, we went down 
a look-see that didn't end up. But today I believe very 
strongly and I think at least two of our witnesses feel 
strongly that there's at least a credible case to look into it.
    And I might close--and I thank the gentleman for so much 
yielding. I remember when Pat Tillman's family was in front of 
this committee. I remember us looking at various events that 
were very controversial, assertions by grieving family members. 
This committee has taken the breadth of investigations by both 
sides' chairmen, and we have explored them. We explored 
steroids in baseball. We've done a number of things. The 
ranking member and I have continued to work on trying to clean 
up the NFL's problem with human growth hormones. Those are not 
within the mainstream.
    So I do appreciate the gentleman. And I want to be very 
careful. I would ask, again, all Members to look at the 
proffer, to meet with the whistleblower. Even if he is never to 
be granted the opportunity to testify, the proffer itself might 
give you the reason for why we are going forward to try to find 
the facts through other means and why this hearing is here 
today.
    Mr. Cummings. Will the gentleman yield?
    Chairman Issa. Of course.
    Mr. Cummings. First of all, Mr. Chairman, you know, I was 
questioning as I was listening to Mr. Connolly whether this is, 
in fact, intervention. I'm not sure that it is, to be frank 
with you. But I'm hoping that, at the end of the day, that the 
FTC hears this. Clearly, there are some things that need to be 
resolved here.
    And, you know, when I hear the stories of Mr. Daugherty, 
Mr. Roesler, I think it concerns all of us if you have been 
treated unfairly, because we try to fight against that kind of 
thing.
    But, again, I think--and I'm glad you said what you said 
about being careful. Because it's interesting, in my office, 
Mr. Connolly, I tell my staff that if somebody walks in there 
and there's any kind of pending anything, judicial, quasi-
judicial, I'm not touching it, I'm just not going to touch it, 
because I don't want to interfere.
    Mr. Connolly. Right.
    Mr. Cummings. And I think there's probably a problem with 
it anyway, ethically.
    But, hopefully, this will lead to something where there's 
some clarification, Mr. Chairman, so that we don't have these 
kind of situations, or, if nothing else, at least some clarity 
comes to the people who are in the industry as to what is 
expected of them, what's fair, what's reasonable.
    Mr. Cummings. And if we can come to that--and, again, as I 
said a little bit earlier, Mr. Chairman, we have not said 
absolutely against immunity for a whistleblower. We just want 
to make sure that we dot our i's, cross our t's.
    And so, thank you very much.
    Chairman Issa. I thank the ranking member, and I thank Mr. 
Connolly.
    We now go to the very patient quasi-expert on HIPAA, Dr. 
Gosar.
    Mr. Gosar. Well, thank you, Chairman.
    I'm a dentist before I came to Congress, so I'm very aware 
of HIPAA and OSHA, and it's very different from what I'm 
understanding here, Mr. Daugherty, right? I mean, we have 
classes, we have rules, regs. They're pretty astute and pretty 
well-defined, right?
    Mr. Daugherty. Yes, Congressman. As a matter of fact, we 
enjoy daily mailing offers for educational seminars that anyone 
could have at any day.
    Mr. Gosar. And so, like, a typical small business, you 
update, you try to keep up with trends, making sure that you're 
up to par in protecting databases, as well, true?
    Mr. Daugherty. Correct. We always had an IT staff of at 
least 3 people, even when we were only, like, 15 employees. And 
we also had an outside company help.
    And, as a matter of fact, we upgraded to--we found in the 
small-business community and in the medical community that's 
under 100 or 200 employees, there were no security products out 
there. So when the FTC approached us, when we were trying to 
get an answer of what to do and we couldn't get an answer, we 
went out to the industry, and they didn't have products for us. 
They only were with 500-employee companies and up. So we had to 
find a company that would actually customize something for us 
that was built for someone bigger that would actually work with 
us, and we could only find two vendors to do it.
    Mr. Gosar. So, I want to get back to this fair notice. It 
seems like if what I heard from Mr. Hartzog in regards to 
looking across the industry for fair and applicable 
application, they should've taken some of that into 
consideration.
    Mr. Daugherty. Well, I would agree with that, sir, yes.
    Mr. Gosar. Yeah.
    Mr. Hartzog, are you real familiar with why the FTC is even 
in business today? Do you understand the history from 1978 to 
1980? In fact, my Democratic colleagues almost--actually shut 
them down during 1980.
    Mr. Hartzog. I----
    Mr. Gosar. And underneath, in regards to--the FTC only 
survived in its agreement to limit its discretion by issuing 
its now-revered unfairness policy statement, true?
    Mr. Hartzog. That's correct.
    Mr. Gosar. So there's even more onus--you bypassed it, but 
there's even more onus on the FTC to be fair and applicable 
across these applications. Would you agree?
    Mr. Hartzog. Yes. They are----
    Mr. Gosar. Well, I mean, so the statute and the mission is 
very specific to the FTC, right? So the application across all 
agency boards are not exactly what you said.
    Mr. Hartzog. Well, with respect to whether something 
constitutes an unfair trade practice. So it actually isn't even 
limited to deception, but the policy codification was to an 
unfair trade practice.
    Mr. Gosar. Well, my whole point is the FTC is further 
scrutinized by its jurisdiction in regards to that. So they 
were disciplined by Congress, okay?
    Would you agree with that, Mr. Stegmaier?
    Mr. Stegmaier. I think the agency has more of a track 
record, historically, and speaking purely historically, of 
potentially running afoul and having congressional oversight. 
And, for example, their rulemaking authority is highly 
constrained coming out of some of the same things I believe 
you're talking about.
    Mr. Gosar. Yeah. So let me--I guess my question is, if 
we're coercing settlements, what good is the rule of law? How 
are we overseeing the FTC in a proper adjudication if they're 
already being scrutinized a little differently because of their 
past history?
    Mr. Stegmaier. I think it's a really good question, and I 
think it's one we need to explore further.
    Certainly, having represented companies that felt they were 
being coerced, I very much sympathize with the tone and tenor 
of your statement. And, in the same breath, I would just say 
that my experience with the folks actually working at the 
agency has been of a really bright, hardworking, dedicated 
group of people that believe in what they're trying to do. And 
I think one of the things that can be happening here is a bit 
of disliking the messenger versus the message.
    And part of that is simply because we, as a society, 
haven't resolved what privacy and data security mean, but we 
have a law enforcement agency that's out there prosecuting 
companies with what it thinks it means, you know, over more 
than a decade now. And that's really, I think, what brings us 
here, is a tough spot independent of anything that Mr. 
Daugherty or the other information before the committee or the 
proffer, none of which I'm specifically familiar with.
    Mr. Gosar. And it seems to me that we haven't had oversight 
or reauthorization of the FTC, and maybe we need a mission. I 
mean, just because you're bright and you're affable in your 
job, it doesn't make you right in your application of the law, 
does it, Mr. Stegmaier?
    Mr. Stegmaier. So I made a note to myself earlier: Just 
because you do something doesn't mean you have the authority to 
do it. And so I would agree that a measure of oversight and 
review is appropriate, given, as the agency acknowledges, that 
technology is moving very rapidly, data is moving very rapidly, 
and, clearly, the agency has a very important role to play, but 
that is one that is, you know, limited and subject to 
congressional review.
    Mr. Gosar. And so, would you still agree that the review of 
you're innocent until proven guilty?
    Mr. Stegmaier. I would agree that you are absolutely 
innocent until proven guilty. I think that's the entire reason 
why I'm here today.
    And I think, more importantly, it's really a shame if 
you're prosecuted and you couldn't possibly have known what the 
legal requirement was for which you are being prosecuted. And 
that's what the fair notice doctrine is about in the articles 
I've written.
    Mr. Gosar. Yeah.
    Mr. Hartzog, would you agree with that?
    Mr. Hartzog. I agree with the general statement, but I 
would also say that the case-by-case way of establishing law is 
actually a part of----
    Mr. Gosar. I mean, you didn't give a very good, I mean, 
notice about applicability across the board here. You tried to 
cite as an expert witness, and you tried to cite, which you 
really couldn't. And shouldn't that be more based upon 
predicated caselaw so we should see, instead of coerced 
settlements, we see more applicability going towards the 
courts?
    Mr. Hartzog. If I might, actually----
    Chairman Issa. The gentleman's time has expired, but you 
may answer.
    Mr. Hartzog. Thank you.
    If you look at the complaints, actually, we actually see 
substantial overlap of the FTC complaints with the HIPAA 
security rule and Gramm-Leach-Bliley. And so, actually, it's 
actually a fairly nuanced standard. If you look at the 
complaints which, established in a case-by-case manner, really 
outline what an unfair or deceptive trade practice is.
    Mr. Gosar. Thank you.
    Chairman Issa. Thank you.
    We now go to the gentlelady from Illinois, Ms. Duckworth.
    Ms. Duckworth. Thank you, Mr. Chairman.
    Thank you, gentlemen, for being here today.
    I just want to establish some clarification. And, Mr. 
Roesler, I know you do tremendous work in support of our 
citizens who are suffering from AIDS and do everything that you 
can through your organization to support your clients.
    I just want to, sort of, go through the timeline of your 
particular instance. You were contacted by Tiversa saying that 
they had these files that they had found on peer-to-peer 
networks and that for a certain amount of money they could help 
you with it. Subsequent to that, you then went to your IT 
providers and did a thorough search and determined that nothing 
in your networks had been breached. Is that correct?
    Mr. Roesler. That is correct.
    Ms. Duckworth. And, at a later point in time, you received 
a letter from the FTC saying that there was this file in the 
Internet, and it was a different file name from the file that 
Tiversa had informed you was out there. Is that correct?
    Mr. Roesler. That's also correct.
    Ms. Duckworth. Great.
    Prior to this time, did you not suffer a break-in to your 
facilities, where a laptop was physically stolen from your 
facility?
    Mr. Roesler. That's correct. In 2007, Open Door was the 
victim of a theft of one of our laptops in our Aurora clinic 
space.
    Ms. Duckworth. Correct. And you did report that crime to 
the police?
    Mr. Roesler. That was reported, yes.
    Ms. Duckworth. Yes.
    So when you got the notice from FTC with a different file 
and in going back and reviewing, is it true that you have 
determined that these files that were on the Internet were not 
a result of any type of a security breach to your network but 
probably came from that laptop that was stolen?
    Mr. Roesler. That is an assumption that we do have, that 
the laptop that was stolen had these as well as other documents 
on that computer.
    Ms. Duckworth. And so the FTC has not pursued--has not 
contacted you other than that first letter to say they found 
these files on the Internet, this is a warning, you need to 
deal with it. Is that correct?
    Mr. Roesler. That is correct. Thank you.
    Ms. Duckworth. Okay.
    Do you have any evidence that the FTC turned over 
information of any of those files to any law firm that then 
initiated the class action lawsuit against you?
    Mr. Roesler. No evidence at all.
    Ms. Duckworth. No evidence at all.
    So what I'm trying to get to here is the fact that there 
are two different things going on. There are the practices, 
which I think appear to be very egregious, on the part of 
Tiversa, which I want to get to the bottom of, and then the 
fact that you were very much a victim of an actual theft to a 
facility that probably did have a lock on your front door, 
quite literally, and then the FTC finding a different file on 
the Internet from the one Tiversa contacted you with and said, 
hey, this file is out there, take a look at it. You dealt with 
it.
    The only thing that I'm somewhat concerned with in terms of 
your actions is that you did not notify your clients for over a 
year whose names were on that stolen laptop. Is that correct?
    Mr. Roesler. That is correct.
    Ms. Duckworth. But that's a matter for State law; that's 
not under the jurisdiction of this committee here.
    But you've settled the lawsuit with this law firm, wherever 
they got the information from, not from the FTC but from 
somewhere else. Your clients--many of whom are back with you 
and are happy with the treatment that they're getting?
    Mr. Roesler. That's correct. We are back to doing business 
as usual.
    Ms. Duckworth. Which you love, which is taking care of your 
clients.
    Mr. Roesler. Very much. Thank you.
    Ms. Duckworth. Thank you.
    Mr. Hartzog, could you give me your opinion on, was it 
appropriate for the FTC to contact Mr. Roesler to say that, 
hey, we found a file on the Internet that contains your 
clients' names?
    Mr. Hartzog. Sure, in the sense that the FTC has, you know, 
a broad ability to look into lots of different data breaches to 
determine whether there was reasonable data security or not.
    Chairman Issa. Would the gentlelady yield just for a point 
of information?
    Ms. Duckworth. Yes, I'll yield.
    Chairman Issa. The committee can provide you with the 
produced written data that shows that Tiversa provided that 
information to the FTC. So the source in both cases was Tiversa 
directly in contact and then indirectly when the FTC gained 
from Tiversa that same information that Open Door failed to, if 
you will, pay for protecting.
    Ms. Duckworth. Thank you, Mr. Chairman. But I do think the 
FTC did contact Mr. Roesler with a different file name.
    Which is how I believe you were able to come to the 
conclusion or the assumption, a working hypothesis, as it were, 
that it likely came from this laptop and not from a breach of 
your network.
    Mr. Roesler. Okay, no, that's not exactly correct.
    Ms. Duckworth. Okay.
    Mr. Roesler. So during the litigation and during discovery, 
the law firm was able to produce quite a few documents that had 
been downloaded from a peer-to-peer network. It was when we 
started looking through the piles of documents that we were 
able to ascertain what the likelihood is of which employee 
might have been producing most of those documents. And from 
there, we were able to then figure a timeline that, well, this 
employee doesn't currently have these documents on their 
current laptop; however, come to think of it, 2 years ago, 
their laptop had been stolen out of our clinic. And that's when 
we started moving backwards in that thought process.
    Ms. Duckworth. Okay. Thank you.
    I'm out of time, Mr. Chairman.
    Chairman Issa. Thank you. If the gentlelady would just 
allow me to follow up on your line?
    Mr. Roesler, do you believe that Tiversa provided you with 
all the information and all the files that they had found?
    Mr. Roesler. Could you repeat that question?
    Chairman Issa. In other words, when they approached you and 
said, we found this vulnerability, do you believe at that time 
they provided you with a sample of what they had found or all 
of it so that you could figure out the source?
    Mr. Roesler. Thank you, Chairman. That's a very good 
question.
    They produced one document, what I believe to be--it is my 
opinion, but that they had more than the one that they 
described to us that they had at the time.
    Chairman Issa. And I'll go to the ranking member in just a 
second.
    The reason I want to do that is Ms. Duckworth's two 
different documents. Since our data that's been found in 
discovery shows that Tiversa did turn over to the FTC the 
documents, or that we have a list with your name and so on on 
it, it appears as though what FTC brought you, which was a 
different document, was also from the same source of Tiversa.
    And, Ms. Duckworth, the reason--and I appreciate that 
you're talking in terms of looking at Tiversa and so on--is, as 
far as we can tell, the only taker of this personal 
identifiable information that we know for sure reached into his 
systems on his network and pulled out files was Tiversa, who 
reached in, pulled them out, and turned them over to the FTC. 
That's the part that we know, is that at least one company 
found the vulnerability, took the information, gave it at a 
minimum to the FTC. And there is some question by the committee 
as to how the law firm got that same list and produced a class 
action, a law firm in the same city.
    And that's, I think, what the gentlelady is really looking 
at, is this doesn't look good. And the effects on Open Door 
were devastating.
    Ms. Duckworth. Well, I would agree with the chairman that 
the effects on Open Door were devastating, but I don't agree 
that they reached into their network. Open Door has determined 
that there was no breach of their network. And, in fact, the 
data breach came from a stolen laptop. So if Tiversa got this 
information, they got it from someone else who uploaded the 
information from a stolen laptop, 2 years prior, to the 
Internet.
    It was not a breach of their network. They did a thorough 
search of their network. And, in fact, Tiversa is getting this 
information that someone else, presumably the thief who broke 
into their facilities and stole their laptop or someone that 
got that information off the laptop, uploaded. It's two 
different mechanisms----
    Chairman Issa. And I share with the gentlelady very much 
versions of that possibility. That laptop that was stolen 
could've had LimeWire added to it. It could've been put up on 
the thieves' Internet site, and Tiversa could have found it out 
on the Internet. The interesting thing was that Tiversa did not 
go to the laptop or to some other posting; they actually went 
to this company and said, we found the vulnerability on your 
site.
    And that's what is so perplexing, is they didn't say, we 
found this information in the Internet. They went to Open Door 
and said, we found your vulnerability and we offer you services 
for your vulnerability. Now, my understanding is Tiversa also 
will talk about helping cleanse lost data, clean up what's been 
out there on the Internet. There's a lot of services people 
talk about.
    But it is confusing that, in fact, this data, we know for 
sure, got into Tiversa's hands. And in our discovery, we do not 
yet know, did they really get it off of your Web site at Open 
Door? Did they get it off the stolen laptop?
    One thing we're convinced about is that they may very well 
have never gotten it, seen it somewhere in the Internet, except 
on a vulnerability from a peer-to-peer. And, in fact, it may 
never have been made available so as to harm the 180-plus AIDS 
patients that in some measure felt offended and served a 
lawsuit.
    Ms. Duckworth. I would have to disagree with one portion of 
that, Mr. Chairman. I share your concern with Tiversa's very 
predatory practices, and I think we should look more into it 
and I would love to have them here. But I think, in this case, 
Tiversa said they found this data on a peer-to-peer network, 
not on Open Door's network. They found it on a peer-to-peer 
network. That's what they told Open Door, ``We found it on a 
peer-to-peer network.''
    Open Door then went in and looked at their peer-to-peer 
network and saw and confirmed that it had not been breached and 
that there was no vulnerability in their peer-to-peer network. 
Just because Tiversa found it on a peer-to-peer network does 
not mean that that peer-to-peer network belonged to Open Door. 
Someone else uploaded it from, likelihood, that stolen laptop 
to a different network.
    So I just want to make sure that Tiversa is--they could 
possibly be trolling the Internet for this data on various 
peer-to-peer networks, not necessarily Open Secret's, found it, 
and then tried to get them to purchase services. So it's two 
different things. And I just want to make sure that this is--
the things that Open Door has suffered have been because of 
Tiversa and Tiversa's actions with the law firm.
    And, in fact, as far as the FTC is concerned, they sent 
them a note saying, there's this form out there--there's this 
file out there, you need to take a look at it. And they've not 
prosecuted, they've done nothing else. Really, they've been the 
victims of a class action lawsuit that was initiated by Tiversa 
after they found a document on a separate peer-to-peer network 
that was not the one that was Open Secret's--I mean, Open 
Door's.
    Chairman Issa. You may very well be right. And I think 
you're getting a nod from Open Door.
    But I think the gentlelady has made the exact point that I 
hope we can all come together on, which is we have a 
whistleblower who wants to give us detailed information 
directly related to each of these events with actual recorded 
hard disk data and only asked that his involvement and his 
testimony as to how he was involved in this at Tiversa not lead 
to his prosecution. And that is all that, in fact, when you see 
the proffer, if you will please see it, video proffer, you're 
going to see, is a demonstration specifically of that. And it 
does give us a fact witness, however flawed in any other way, a 
fact witness who will make specific allegations as to 
particular companies and where their data was or wasn't; 
additionally, and for me as a former ranking member and member 
of this committee, is also prepared to testify about evidence 
that was presented to this committee under oath. And that's why 
we have sought to have this witness.
    Today's hearing deals with what we know and what happened 
to these individuals and with some of the pitfalls of, does the 
FTC, for example, in the case of Open Door, did they get second 
corroboration or did they send that letter in your case, and a 
lawsuit in your case, based on a single source that may or may 
not have been accurate?
    And, to a certain extent, I know we're all getting mired in 
Section 5 authority. This is more than Section 5 authority. 
It's about whether an agency, even if it has the authority, 
what are the safeguards before they file a lawsuit? What are 
the safeguards to make sure that the allegations are 
independently corroborated? Because cybersecurity is, in fact, 
as the gentlelady knows, it's not a hard science where you can 
be sure. And if somebody says this happened, making sure it 
happened is important.
    So this is a broad subject. Cybersecurity is a core element 
of our oversight, not just here but throughout government. And 
it's one of the reasons I thought bringing up the whole 
question of how do we move cybersecurity positively--because, 
Mr. Hartzog, I think you would agree, and, Mr. Stegmaier, I 
think you would agree, that to the extent the FTC has 
authority, it's in order to protect against unfair practices, 
that's their basic--but, in fact, to move us into greater 
security and reliability of people's information when it's held 
by third parties. And that goes to the core of cybersecurity in 
and out of government.
    So my view was this hearing, separate from the other 
discussion that I hope to have with the whistleblower, this 
hearing was worthwhile not because there's an ongoing 
investigation or case, Mr. Daugherty, and not because of what 
you've suffered alone, but because you're helping America 
understand this is complex, we have to make sure that 
allegations are correct, and we have to make sure that if 
there's a bad actor basically selling services in an unethical 
way that we hold them accountable.
    And that's why I'm so interested in your line of 
questioning and I support it and I appreciate it.
    Ms. Duckworth. Thank you, Mr. Chairman.
    Again, I don't think the FTC filed a lawsuit against Mr. 
Roesler, just warned him that the file was out there. But I 
agree with you that I would like to know more about this 
process, so it would be great if we could have the FTC here in 
testimony.
    Chairman Issa. And we do intend to. What we're asking is 
that they answer our questions as to some of this corroboration 
and so on. We expect to ask both Tiversa and the FTC.
    One of the challenges--and I hope the ranking member will 
chime in on this, too. Mr. Connolly's statement about an 
ongoing lawsuit means that we have to think about how and when 
we bring the FTC in so that we not put them here specifically 
talking about a lawsuit that is ongoing. So I want to be a 
little careful on that. We are working with the IG. And the 
FTC's IG is available to come in and brief your office, because 
she has a separate investigation that we're respecting, her 
ongoing investigation.
    Mr. Cummings?
    Mr. Cummings. Thank you.
    Mr. Chairman, I want to just go back to something you just 
said.
    And I want to direct this to you, Mr. Hartzog. When the 
chairman--and I think when you boil a lot of this down, this 
issue of independent corroboration and trying to be fair--and I 
think that's what the chairman is saying. He's not--I think 
he's saying that, you know, there may be appropriate times, but 
trying to have a sense of fairness with it all. Because these 
gentlemen, I think, would say that they feel that they have 
been treated unfairly.
    So can you talk about, I mean, how that would work and how 
other agencies deal with that? Do you understand what I'm 
saying?
    Mr. Hartzog. Sure. Sure. So it's difficult for me to 
speculate on the way that other agencies deal with that. But I 
will say that it's important to remember that when the FTC gets 
information about a potential breach or a vulnerability, that's 
just the very beginning of the inquiry, right? So the FTC 
doesn't police data breaches; the FTC polices unreasonable 
data-security practices.
    Now, a breach can be evidence of a data-security practice, 
but that's just the starting point, right? So if you look at 
the complaints, the complaints actually have kind of a litany 
of data-security failures, so failure to have a training 
program and failure to implement administrative and technical 
and physical safeguards. And all of these things are things 
that are incumbent upon the FTC to actually prove if they 
allege them in the complaint.
    And so I think that we want to be careful not to assume 
that just because the FTC has been notified of a breach, that 
that immediately means that the company that suffered the 
breach is liable, right? So the FTC is--it's on the FTC to fill 
that out, right, to say, well, what actually were the--were 
there unreasonable data-security practices that allowed this 
breach to happen? Or was this a breach that was going to happen 
regardless of whether there were reasonable data-security 
practices?
    And that, to me, is really where the FTC, you know, starts 
doing its real investigative work, in that, you know, the 
notification of a breach is just kind of the first tip that 
leads to an investigation.
    Chairman Issa. Thank you.
    Mr. Clay?
    Mr. Clay. Thank you, Mr. Chairman, and thank you for 
conducting this hearing.
    Some critics of the FTC's approach to data protection have 
argued that the FTC has not provided adequate notice of the 
guidelines a company must follow to avoid an enforcement 
action. For example, in Federal litigation in New Jersey, 
Wyndham Hotels argued, ``If the FTC can regulate data security 
at all, it must do so through published rules that give 
regulated parties fair notice of what the law requires.''
    Professor Hartzog, do you agree that published rules are 
required to give organizations notice of the data-security 
standards that are required?
    Mr. Hartzog. I don't think that that's necessarily 
accurate. I think that administrative agencies like the FTC 
actually have the choice of publishing rules or proceeding in a 
case-by-case basis and establishing the contours of the law in 
that way.
    And, in this instance, when you have a complex and ever-
evolving problem like data security, which is really more of a 
process than a set of rules, then the FTC has chosen, and I 
think probably wisely, to proceed in a case-by-case basis in 
order to incrementally establish rules and be adaptive to the 
ever-changing needs of consumers to have their data protected.
    Mr. Clay. Well, how can a company know when it's going to 
run afoul of the data-security requirements if they don't have 
notice of the rules?
    Mr. Hartzog. I would actually argue that they do have 
notice of what's required. So there are several different 
things that you can look to. When you have a reasonableness 
approach, the FTC isn't the only agency, the only regulatory 
scheme that uses a reasonableness approach. So States do, and 
there are other statutes that take advantage of it.
    And you can look to basic things, right? So even in the 
statement that the FTC issued on its 50th data-security 
complaint let it know that there are really five basic things 
that you have to do. You know, you have to identify your assets 
and risks; you have to minimize data; you have to implement 
safeguards; and you have to have a breach response plan. And 
those are the basic components.
    And the way that you then fill that in is you look to lots 
of different variables, like the size of the company and the 
sensitivity of the data and the amount of data that you're 
collecting and the resources that you have available, which of 
course vary wildly according to company.
    And so it actually, I think, would be a mistake to try to 
put those into rules because they inevitably would be either 
overinclusive or overprotective or underinclusive depending 
upon the context. And so, really, the only way forward, in my 
mind, is to proceed upon a reasonableness basis here.
    Mr. Clay. Okay.
    Other critics of the FTC Section 5 enforcement authority 
have argued that the FTC should establish bright-line data-
security standards in advance of any enforcement measures 
delineating exactly what companies must do to comply with this 
data-security obligation.
    Professor Hartzog, in your recent article on the FTC and 
data protection, you address this point, writing, ``Many 
critics want a checklist of data-security practices that will 
provide a safe harbor in all contexts. Yet data security 
changes too quickly and is far too dependent upon context to be 
reduced to a one-size-fits-all checklist.''
    Professor, can you elaborate briefly on what you mean here? 
How is data security changing in ways that make formal 
rulemaking impractical?
    Mr. Hartzog. Sure. So I've spoken with a lot of data-
security professionals in doing my research, and they almost 
uniformly tell me that you can either have a one-size-fits-all 
checklist that lists the 17 things that you're supposed to do 
or you can have good data security, but you can't have both.
    And the reason why that is is that data security changes so 
much, and it wouldn't make much sense to say that small 
businesses have to follow the same data-security protocols that 
Target and Amazon have to follow. And so it actually is very 
dependent upon all these variables.
    And to the extent that we've heard testimony today saying 
that, you know, oh, well, we have guidance from HIPAA and we 
have guidance from Gramm-Leach-Bliley, I would ask everyone 
actually to look at the complaints filed by the FTC. They're 
very similar to the requirements in HIPAA and Gramm-Leach-
Bliley. And so, to the extent that everyone is kind of fine 
with the way that those work, I think you can see similar kinds 
of requirements in the complaints filed by the FTC.
    Mr. Clay. And you also wrote that flexibility to adapt to 
new situations, the FTC can wait until a consensus around 
standards develops and then codify them as this happens.
    Mr. Hartzog. That's correct. So one of the problems with 
formal rulemaking is that if you make it too technologically 
specific, then by the time the rule actually gets passed, it's 
become outdated and you've got to start the whole process all 
over again, and it becomes this never-ending series of trying 
to update standards that have become outdated.
    We've actually seen this in other areas of the law where 
we've tried to list out technological specifications, and we 
now get routinely frustrated, you know, that they're outdated 
because it changes so quickly.
    Mr. Clay. Thank you for your responses.
    Mr. Chairman, my time has expired.
    Chairman Issa. Thank you, Mr. Clay.
    Well, we're going to come to a close, which is probably 
blessed for all of you. But I have just a final set of 
questions, and I'm going to go to each of you.
    Mr. Hartzog, I hear everything you're saying, but if I'm to 
believe what you're saying, the complaints and the consent 
decrees are supposed to be my guidance as to what I have to do. 
I have to find within the complaints a company and a set of 
information that's similar to mine to figure out what I should 
or shouldn't do.
    But even then, the consent decree says, we're going to keep 
an eye on you for 20 years. So, 2 years later, 3 years later, 
what they're doing behind closed doors in their oversight of 
that one company, I don't have visibility on that.
    So how am I supposed to know what the law is?
    Mr. Hartzog. So I would actually say, instead of looking 
kind of to the consent decree, you look to the complaints. And 
the complaints actually point to industry standards, right? And 
there are various, actually, standards you could look to. So 
you could look to----
    Chairman Issa. But none of those standards are safe havens; 
is that right?
    Mr. Hartzog. Well, no, not explicit safe havens, but I 
think the understanding is----
    Chairman Issa. But wait a second. If I go 34 miles an hour 
in a 35-mile-an-hour zone, I'm not going to get a speeding 
ticket. Is that right?
    Mr. Hartzog. I'm really glad you brought that up. So Mr. 
Stegmaier brought up the whole speeding-limit thing, as far as 
how that's adequate notice. I would also add that if you look 
at speeding rules, in inclement rules the speeding rules 
actually change; they say drive reasonably under the 
circumstances. And yet we don't have a problem with that 
speeding law, which is, of course, based on a reasonableness 
standard.
    Chairman Issa. That happens to be an interesting law, 
because it only gets enforced when you have an accident, and 
then they will sue you. They will claim that you were driving 
too fast for conditions.
    I appreciate the fact that you noted, then, that when the 
``fit hits the shan,'' when things go bad--I worked on that for 
a long time; I want you to appreciate that--then they will 
write you a ticket, when even when you drove the speed limit 
something happened. But there has to be a bad occurrence for 
that to be enforced. So I think we're all agreeing it's a good 
example.
    But cybersecurity is a real question. I don't know 
everything about LabMD. I don't know everything about Open 
Door. But I will tell you that people right now, whether they 
have a server in a closet and they're buying the latest 
software from Microsoft and other companies or they're up on 
Amazon or somebody else's virtual network, they don't know what 
the standard is.
    I know one thing. Target and the U.S. Government at 
HealthCare.gov spent millions of dollars on security, hired 
countless experts in and out of house, and they were obviously 
data failures. So it's an inexact science.
    The Federal Trade Commission has a mandate to protect us as 
consumers from, effectively, willful or reckless behavior. 
LimeWire participated in reckless behavior in the switches, how 
they had them turned down, what the default was, perhaps even 
on the peer-to-peer. But, certainly, because they made you most 
vulnerable, unless you knew a lot about the software and 
installation, they created a vulnerability which, quite 
frankly, was intentional.
    And in a hearing before this committee, we pretty much got 
that, that they were--they thought it was great to open wide, 
when, in fact, they were implying it was small. To me, that's 
what the Federal Trade Commission was supposed to go after. 
They just weren't, apparently, an easy enough target.
    So as we look at, not Section 5 authority--because I 
believe that Section 5 authority intended on deceptive and 
unfair practices in the Internet world, in the cyber world, 
being an authority; I think they did. But I think they wanted 
us to go after LimeWire, after people who claimed things.
    And, quite frankly, I think maybe they want to go after a 
company like Tiversa, who goes around and trolls all over the 
Internet, using expertise that some might say was similar to 
the CIA--who, by the way, paid Tiversa at one point. And they 
go out and they find all these vulnerabilities, and then they 
turn them into business practices. And, in fact, every 
indication is they not only found the vulnerabilities but they 
stole information off those products. They stole them after the 
CEO of that company testified that these people were victims. 
Mr. Boback testified before this committee that people whose 
employees loaded LimeWire were victims, that, in fact, the 
person loading LimeWire was a victim because he or she didn't 
understand that they were creating the vulnerability.
    So the very person who said you're a victim of this peer-
to-peer software before this committee then used that 
vulnerability to pull data, to steal data. And to the extent 
they stole data only so they could inform the company and show 
them that it happened, I might say that it wasn't wrong. But to 
the extent that it was $475 an hour, that becomes a little more 
questionable. To the extent that they then go to the FTC if you 
don't say yes, as though they have a civic obligation.
    Our discovery is not finished, but at this point it appears 
as though if you paid Tiversa, you never would've gotten that 
letter from the FTC. Mr. Daugherty, if you'd paid Tiversa, you 
never would've had these years of agony. And for just a few 
hundred thousand dollars, you probably would still have a going 
concern instead of litigation ongoing.
    Now, that doesn't go to the merit of the letter, it doesn't 
go to the merit of the suit. It goes to the whole question of 
the practice. We haven't passed a law that says, if you go out 
and surf the Internet, look for vulnerabilities and take things 
off of people's private sites, including HIPAA-related 
material, that, in fact, you're a criminal. Maybe we should. 
And that's within the jurisdiction of Energy and Commerce and 
other committees, and we take it seriously. And it's one of the 
reasons that this hearing is important.
    Now, I have a closing very self-serving question, mostly 
for, if you will, my two company victims. Things have been said 
here and allegations made and questions about Tiversa as a 
company. I don't normally investigate companies. It's not the 
practice of this committee.
    But given--and I'm going to leave Mr. Daugherty, because 
you're in a lawsuit. I'm just going to leave you out of it for 
a moment.
    But, Mr. Roesler, your case is completely finished; is that 
correct?
    Mr. Roesler. It is.
    Chairman Issa. And so you're done, you have no financial 
interest in anything that we look into; isn't that correct?
    Mr. Roesler. That's correct.
    Chairman Issa. So do you believe it's reasonable for this 
committee to find out what Tiversa took off of your Web site or 
your site or some other site, where they got that information 
that they approached you with an offer to sell you services?
    Mr. Roesler. I believe it's worth the while if there's a 
pattern, that I am not the only victim, then it's worth the 
while.
    Chairman Issa. If we thought you were the only one, we 
wouldn't be here.
    Do you believe it's important for us to verify the 
relationship between Tiversa and the various companies--many of 
whom we have lists of, so we know you're not the only one--that 
they turned over to the FTC based on one question? The ones 
that they offered services to that bought the services where 
they never turned over to the FTC, but ones who declined were 
often turned over to the FTC. Is that a question you think we 
should find out the answer to?
    Mr. Roesler. I believe that would be a very good question.
    Chairman Issa. And, lastly, the law firm that sued you in a 
class action, do you believe it's fair for us to find out 
whether there was a direct connection between these two 
Pittsburgh-based companies and data taken from somewhere yet 
unknown, provided to the law firm, and the law firm then going 
out and reaching out to your patients and clients? Do you 
believe we should ask those questions as part of a broader 
investigation to find out whether, in fact, that was 
coincidence or, in fact, an attack on your company because you 
didn't buy their services?
    Mr. Roesler. Mr. Chairman, one of the reasons why I'm glad 
to be here today is the hope that possibly that question could 
be answered.
    Chairman Issa. Well, I'm going to recognize Mr. Cummings.
    These are some of the areas in which I believe that 
somebody should investigate. For now, the somebody is us. Our 
hope is that the FTC IG, who has some authority but not as much 
as we do, oddly enough, to get information from nongovernment 
entities, and perhaps the Justice Department and others will 
look into it.
    But until we find somebody else, at least for the 
foreseeable future, my intent is to continue asking those 
questions. We will invite Tiversa and others in. As I said at 
the opening, I would hope to hear--that all the Members would 
hear from the whistleblower, not because his accusations are 
alone of anything other than the basis under which we began 
this, but because when you get one set of allegations and you 
go out to corroborate them and you have those as a first 
statement, then when you find the second corroboration, 
normally it allows you to show that it is true. I want to get 
to the truth. I know Mr. Cummings does.
    So for all of you, Section 5 authority--it's not our job to 
second-guess what Congress gave them. They gave them the 
authority. Section 5 authority, it is for us to ask, are they 
acting in a way that allows unfair actors to be held 
accountable and others to know how to meet their obligation? 
You have our commitment, we intend to continue and do it.
    As to unfair practices practiced in the cyber world and as 
to people's vulnerabilities and how they correct it, this is an 
ongoing part of this investigation. The questions I asked you, 
I said they were self-serving. It's the intent of this 
committee to continue for as long as it takes to feel that all 
parties are satisfied that we asked all the right questions and 
got as many answers as we could.
    Mr. Cummings?
    Mr. Cummings. Thank you very much, Mr. Chairman.
    When I--first of all, I want to thank the witnesses for 
being here. You know, sometimes I think witnesses wonder 
whether they have an impact. And I can tell you that all of you 
were excellent. And I really appreciate what you said, and I 
think the Members listened to you very carefully.
    When I first read the title of the hearing, I was very 
concerned with the question of whether FTC has the authority to 
pursue data-security enforcement actions under its current 
Section 5 authority. And I think, based upon what the chairman 
just said, I think we all agree that they do. And I agree with 
him, the question is how they go about doing that.
    And I think that there are moments that present themselves 
in our lives where we have to stop for a moment and at least 
take a look at what we're doing and how we're doing it.
    Mr. Roesler, Mr. Daugherty, as I said before, if you've 
been treated unfairly--you know, and both of you are dealing--
your businesses dealt with health issues, right? Health. And 
health is a big, big deal for me, personally, and I'm sure it's 
a big deal for most of us. But I want us to be very careful.
    You know, government does have a role to play. It really 
does. When people's information is out there, their lives can 
be turned upside down. I've had people come to me as a 
Congressman, talk about their identity being stolen and taking 
years and years to get it back. We have to have some folks 
making sure that we protect as best we can against that.
    And I think that there's always a balance. You know, 
there's got to be a balance so that we don't just run over 
people like you, Mr. Roesler, and you, Mr. Daugherty, but, at 
the same time, make sure that folks who are aiming to do these 
kinds of things know that we're not going to stand for it and 
that somebody's going to be looking and somebody's going to 
bring them to justice.
    So that's where, you know--that's--you know, if you listen 
to everything that has been said here today, I think that's 
what it pretty much boils down to. How do we strike that 
balance?
    And so I thank you, Mr. Chairman. I think it was a good 
hearing. I look forward to hearing from the FTC. And you're 
right, trying to hear from the FTC is going to be kind of 
tricky, because it seems as if--I mean, if you could limit the 
questions to their general procedures without getting into the 
case, I think that might be helpful, but it's going to be 
tricky. But I think we do need to hear from them as to how they 
go about this.
    But, again, this is a critical moment. And I think we need 
to try to take advantage of it so that, if something needs to 
be corrected, that we correct it. I think anybody wants to have 
some idea of what they're being accused of. I mean, were there 
ways to get the information out in a better way? You know, this 
is what you need to look out for. It's just like when you're 
riding down the road and it says, you know, 25 miles an hour, 
radar enforced by photos. You know, I mean, at some point, it's 
nice to have a little notice. And all of us know after we've 
gotten a ticket or two that we slow down. And we know those 
areas by heart; we just know them.
    And so, again, I thank you all for your testimony. I 
really, really appreciate it.
    And thank you.
    Chairman Issa. Thank you.
    I'll leave the record open for 7 days, not only for Members 
to put in opening statements and extraneous material, but for 
the witnesses to provide any additional information they deem 
appropriate as a result of the questions here.
    Chairman Issa. I want to thank you for your testimony. I 
want to thank you for making this a worthwhile hearing.
    And we stand adjourned.
    [Whereupon, at 12:24 p.m., the committee was adjourned.]