Watershed Event on 21st C. Regulation of Privacy, Technology, Civil Liberties & Cybersecurity

UPDATE: In my humble opinion, this hearing was the watershed we expected. Ranking Member Cummings really appeared at the very end of the hearing to be moved by the testimony, expressed it as a “critical moment,” and praised the hearing, which represented extraordinary movement from the party line at the beginning of the hearing. Politico, Mother Jones and all the rest failed to note that movement at all, focusing only on the most vitriolic moments of the hearing. Perhaps I am naive, but the final moments of the hearing appeared to open the door to bipartisan investigation in the public interest.


Original Post:

One of the most interesting and potentially influential political events on privacy, cybersecurity, civil liberties and technology regulation in the US and beyond — and of course that is saying a lot in the age of Snowden — will take place online, free, now, and you simply cannot miss it. The US House Committee on Oversight and Government Reform is about to hold a hearing entitled:

The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury

Yes, the event is political, like any Congressional hearing nowadays, and the partisan thunder has been rolling for days before the storm. Yesterday, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) was so “troubled by the impropriety” of the related investigation by House Oversight Committee Chairman Darrell Issa (R-Calif.), which he considers “interference” in the important FTC proceeding against LabMD, that he determined he needed to take the rare step of himself trying to interfere in the House proceeding. The agenda for today’s hearing shows the weakness of Senator Rockefeller’s claim, however. Not only are the CEO of LabMD and another small businessperson on the agenda, but the legal scholars who, as I said in a previous post, have written the most important law review articles on opposite sides of the issue will each testify and take questions.

The ultimate issue at stake is one of the most important facing us in the 21st Century:

How can regulation keep up with exponential rates of change in technology?

The FTC has taken the position that in order to keep up, it needs to be able to enforce regulatory standards without specific notice of those standards. With help from FTC Commissioner Maureen Ohlhausen and the two scholars who will testify today, here’s how I can best express the issue to you:

Why would an agency trying to raise standards for the security of personal information avoid giving notice of its standards? Federal Trade Commissioner Maureen Ohlhausen recently offered remarks[1] that clarify just how important this strategy is to the FTC. In short, her argument is that given widespread innovation and the rate of change in technology, the information regulators need to gather in order to promulgate regulations is so widely dispersed and ephemeral that notice-and-comment rulemaking is stale by the time it is promulgated and carves out regulatory categories unfit for their purposes. Her solution is the FTC’s Section 5 “unfairness” jurisdiction, which gathers information only from the parties and makes judgments on those specific facts; she calls this “ex post regulation.” She notes that while the results only bind the parties, others can and should look to the results as evidence of how the FTC would regard similar facts, and that “when the FTC weighs that precedent in future cases, it can then consider any changes in the underlying facts.”

If you are trying to run a business, you might find ex post regulation an elegant solution for the regulator but at least worrisome in that the rules regarding your facts are not known in advance. Those who know the FTC’s settlement agreements – almost always involving 20 years of monitoring – find it more troubling. Perhaps most troubling is the knowledge that the consent orders obtained generally involved no admission of wrongdoing, and represent practical business decisions by enterprises wishing to avoid years of ruinous litigation and damage to their reputations, rather than judgments of courts on the merits.

Commissioner Ohlhausen is well aware of the amount of power ex post regulation gives the FTC, and perhaps for that reason starts her speech with “Principle 1: Regulatory Humility.”[2] Professors Solove and Hartzog made the case, in a very thoughtful and influential article written before her remarks and somewhat inconsistent with them, that the FTC has exercised, if not humility, then at least restraint in the actions it has brought, providing justification for the current trend of viewing FTC privacy and information security consent orders under its Section 5 unfairness and deception authorities as the development of a “common law.”[3]

The FTC’s actions may not have lived up to the justification that Professors Solove and Hartzog have developed for them, nor to the principle of humility. For example, when an administrative law judge recently ordered the FTC to disclose its “unfairness” information security standards in the LabMD case,[4] the FTC did not claim that the security provisions mentioned in its more than fifty information security cases constitute precedent; it generally confirmed that every judgment is case-specific.[5] By the same token, the FTC does not ask its experts in the cases it brings to review its settlement agreements; rather, it asks only for – and then relies on – a case-specific judgment based on the expert’s (mostly technical) security expertise. That is ex post information security regulation in action.[6]

Here’s the link again. Don’t miss it!

[1] The Procrustean Problem with Prescriptive Regulation, Remarks of Maureen K. Ohlhausen, Commissioner, U.S. Federal Trade Commission, to the Sixth Annual Telecom Policy Conference of the Free State Foundation, Washington, DC, March 18, 2014. Commissioner Ohlhausen noted that “The views expressed in these remarks are my own and do not necessarily reflect the views of the Federal Trade Commission or any other Commissioner.”

[2] For a good article on how fair notice principles could be considered by the FTC, see Stegmaier, Gerard M. and Bartnick, Wendell, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements (May 9, 2013). George Mason Law Review, Vol. 20, No. 3, pp. 673-720, 2013. Available at SSRN: http://ssrn.com/abstract=2263037

[3] Solove, Daniel J. and Hartzog, Woodrow, The FTC and the New Common Law of Privacy (August 15, 2013). 114 Columbia Law Review 583 (2014); GWU Legal Studies Research Paper No. 2013-120; GWU Law School Public Law Research Paper No. 2013-120. Available at SSRN: http://ssrn.com/abstract=2312913 or http://dx.doi.org/10.2139/ssrn.2312913

[4] http://www.ftc.gov/system/files/documents/cases/140501labmdordercompel.pdf

[5] Transcript of the Testimony of Daniel Kaufman, May 12, 2014, at http://assets.law360news.com/0543000/543678/LabMD-Kaufman-Transcript.pdf and http://www.phiprivacy.net/wp-content/uploads/LabMD-Kaufman-Transcript.pdf

[6] See, e.g., Expert Report of Raquel Hill, Ph.D., included on p. 19 at http://www.ftc.gov/system/files/documents/cases/140502mtnlimitexpertrpt.pdf