What happens when a government agency adjudicates without authority, assuming Congress will simply provide forgiveness, rather than ask for permission? That is the question that is being asked this week after the Federal Trade Commission petitioned Congress for powers it does not currently have regarding data breaches and cybersecurity while already exercising the very powers they seek.
During a Senate Judiciary Committee hearing on combatting cybercrime, the FTC asked for the authority to regulate data security. By stating, “Under current laws, the FTC only has the authority to seek civil penalties for data security violations involving companies that fail to protect children’s information provided online,” the FTC is admitting it does not currently have the authority to regulate data security.
This wasn’t the first time the FTC asked Congress for such authority. Since 2000, the FTC has sought authority from Congress to regulate data security, admitting it “lacks the authority to require firms to adopt information practice policies.” Despite the FTC’s repeated requests that Congress confer upon it the authority to regulate data security, Congress has refused to grant it.
The FTC is walking a fine, and troubling, line. While using big names like Target and Wyndham to pressure Congress to grant them greater power, the FTC has aggressively gone after small companies that have fallen victim to data thieves, all the while claiming it has such authority.
One such victim is a small medical laboratory in Georgia called LabMD that provides doctors with cancer-detection services. In 2008, a company backed by a federally funded researcher took a patient-information file without LabMD’s knowledge or consent. The company then contacted LabMD, advised the company that it had taken its property, and offered a contract for Internet security services. LabMD declined the services and the company turned the information over to the FTC. After a three-year-long invasive and expensive investigation, the FTC filed a complaint last year alleging that LabMD’s data-security practices violated rules it refused to specify.
Despite the fact that Congress specifically gave the Department of Health and Human Services the sole authority to regulate patient-information data security, which has never accused LabMD of any violation, the FTC has decided to step in and pretend it has the authority it told Congress this week it does not have.
The commission has attempted to get around its lack of authority by claiming in court filings that it has the authority to create “common law” which basically means it can make it up as it goes. However in its statements this week to Congress, it contradicts this very position.
Additionally, while waging aggressive efforts against LabMD, the FTC declined to look into the concerning and well-documented data breaches that have occurred related to Obamacare. In December, Cause of Action filed a Freedom of Information Act request seeking records about FTC investigations into consumer breaches by navigators and health exchanges.
Last week, the FTC informed us, by being unable to produce any relevant documents, that it did not investigate such data security issues including the recent breach by MNSure where the state’s Office of the Legislative Auditor said “slack internal procedures at the new health insurance exchange agency ‘contributed directly’ to the disclosure.”