House Oversight Committee Chairman Darrell Issa (R-Calif.) fired shots at the Federal Trade Commission (FTC) on Thursday for going after companies with poor data security.
In a hearing over the agency’s enforcement powers, Issa accused the commission of making “often erroneous inquisitions” into small businesses doing their best to protect people’s data.
Under the law, the agency has the ability to go after companies for “unfair or deceptive” practices, a broad authority that it has used to go after dozens of companies who suffered data breaches. The FTC claimed the companies did not live up to their promises about data security.
But critics say firms have no way to ensure that they stay on the right side of the law without fair notice about how precisely companies should secure data.
“All Americans should be outraged by the FTC’s unchecked ability to pursue a claim that is not based on any legal standard,” said Michael Daugherty, the head of a cancer screening company, told the committee on Thursday.
Daugherty’s company, LabMD, allegedly allowed information about nearly 10,000 patients to be compromised.
But Republicans on the Oversight Committee and officials at LabMD say the FTC’s complaint was partly based on information given by cybersecurity firm Tiversa, which has previously offered services to LabMD but was refused. Plus, the lawmakers said, some of the information may be inaccurate.
“To me, it looks little a little bit of an extortion game from a company trying to make a few bucks off of you guys, fishing and them coming after you,” Rep. John Mica (R-Fla.) said.
Issa said the FTC was being manipulated by Tiversa “to punish firms who refuse to pay” for its services.
The FTC's LabMD case is currently on pause while lawmakers on the Oversight Committee discuss immunity for a potential witness.
The authority to go after companies for data security has been questioned in court, but a judge in April sided with the FTC in a separate case about the Wyndham hotel and resort chain, which seemed to settle the issue for the commission’s defenders.
The committee's ranking Democrat, Rep. Elijah Cummings (Md.), said there is “no legitimate debate” about the agency’s powers to go after data security violations.
“The FTC has been using this authority to ensure that companies who receive this type of consumer information take appropriate steps to safeguard it,” he said
Still, the matter remains hotly contested.
Issa on Thursday accused the FTC of picking on smaller companies unlikely to defend themselves rather than larger firms like Tiversa, which may be more responsible for hurting consumers.
Neither officials from the FTC or Tiversa were invited to appear before the committee on Thursday, though Issa said that he expected representatives of both organizations to testify in the future.
-Updated at 6:22 p.m. to clarify the chain of events around the FTC investigation.