On July 24, 2014, the House Oversight and Government Reform Committee (Committee) held a hearing entitled “The FTC and its Section 5 Authority: Prosecutor, Judge and Jury.” Chairman Darrell Issa (R-CA) stated that he convened the hearing to consider whether the Federal Trade Commission (FTC) inappropriately targeted a company named LabMD and certain other companies for investigation after allegedly relying on potentially false information supplied by a security consultancy. Witnesses at the hearing—including the Chief Executive Officer of LabMD, a now-defunct medical testing company that has been subject to FTC enforcement—discussed the FTC’s role in examining their companies’ data security practices, and in particular the FTC’s ongoing administrative case against LabMD.

While the specifics of the LabMD case were discussed at the hearing and remain under Committee investigation, the overarching policy context of the hearing was the FTC’s investigative and enforcement power in the area of data security. Lawmakers and witnesses focused on whether Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices,” permits the agency to enforce data security standards, particularly in the absence of specific FTC guidance to industry on this topic.

On this point, one witness expressed concern that the FTC has not issued data security guidance that would put regulated parties on notice of which practices may subject them to FTC enforcement, while another witness described the FTC’s “reasonableness” standard. The Committee’s examination of data security enforcement comes at a time of increased attention from, and debate among, federal and state policymakers about data security legislation, as well as other significant cases addressing the limits of regulators’ authority to set data security standards in the absence of express statutory authority.