The scope and legitimacy of Federal Trade Commission (FTC) authority was in the spotlight Thursday during a House Committee on Oversight and Government Reform hearing. Ominously titled, “The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge and Jury,” the hearing was led by Committee Chairman Darrell Issa (R-CA)—who took several shots at the regulatory agency for going after small businesses under sometimes “erroneous inquisitions” and for not providing businesses with data security best practices.

Issa did not hold back, saying the “FTC is using its regulatory authority not to protect consumers but to get consent decrees” using “unlimited power” to force companies before administrative judges. He cited the ongoing LabMD case—the company's former head, Michael Daugherty, was one of four witnesses testifying before the committee—saying he thought the now-defunct cancer screening company was the victim in this case and that Daugherty “has gone to hell and back, but I don’t think he’s come back.”

At issue is whether Section 5 of the FTC Act gives the agency authority to go after companies with poor data security practices even though it has not published a set of best practices.

“People have a right to know what the law expects of them,” said Goodwin Procter Partner Gerry Stegmaier, CIPP/US. He said, for example, drivers are well aware of how fast they can go on the road because speed limit signs are clearly posted. In his written testimony he continued, “Because the Constitution requires that entities receive fair notice to reasonably understand what behavior complies with the law, does the investigation and prosecution of entities under Section 5 in data security cases violate entities’ constitutional rights to fair notice? And, if so, how might these due process concerns be better addressed?”

But Samford University Associate Prof. Woodrow Hartzog argued that Section 5 is intentionally written to be broad so as “to avoid restrictive categories of practices which are unfair or deceptive” and uses the “reasonableness standard.” More specifically, data security issues are constantly changing, so creating a prescriptive checklist, or a “one-size-fits-all” approach, is not possible as “reasonable data security is far too dependent on context.”

Stegmaier “respectfully disagreed” with Hartzog. “Reasonable behavior is no more clear to me now than it was 13 years ago,” he said, pointing out that the FTC was investigating a data security case in 2008 but didn’t publish its data security recommendations—Protecting Personal Information: A Guide for Business—until 2011.

Hartzog argued the FTC should take a lead role in data security practices and that it is wise of the agency to defer to industry standards, such as those released by the National Institute of Standards and Technology and the Payment Card Industry Security Standards Council. “It’s a co-regulatory regime, where industry can decide the standard and the FTC decide reasonableness.”

The unexpected twist during Thursday’s hearing, though, came from Issa, who said a former Tiversa employee turned potential whistle-blower has offered to testify in exchange for immunity. Issa repeatedly hinted that the former employee, Richard Wallace, may have evidence that the FTC and the committee were misled by Tiversa. “I think the FTC would like to hear his testimony,” he said, adding, “If it is accurate, then the FTC and this committee have been misled.”

The case goes back to 2012, when the FTC brought its complaint against LabMD for not properly protecting the sensitive personal information of more than 9,000 patients. LabMD’s Daugherty said his company had been contacted by Tiversa, a cybersecurity company, and alleges that Tiversa tried to blackmail LabMD into paying it a fee to patch up a security leak. LabMD refused to pay the fee, and Tiversa ended up selling the list of patients’ data to researchers.

Though it’s unclear what former Tiversa employee Wallace has to say—and Issa repeatedly urged congressional members to view the proffer—the FTC’s case against LabMD, which has been in an administrative court, is now on hold while the Oversight Committee investigates.

Wallace’s potential testimony aside, Stegmaier said of the bigger picture, “Part of the problem is we as a society have not decided what privacy and data security mean, while at the same time, a law enforcement agency is out there prosecuting it.”

However, in his written testimony, Hartzog argued that the FTC’s power should be “expanded rather than contracted” and that “diminishing FTC power will not ultimately make the climate easier for business.” He warned, rather, that limitations on FTC authority “would likely result in the passage of more restrictive and conflicting state laws, more actions by state attorneys general, more lawsuits from private litigants and more clashes with the EU concerning the overall strength of U.S. privacy law.”

And though no representatives from the FTC or Tiversa were present on Thursday, Issa said he plans to invite them to a future hearing.