FTC ordered to submit to testifying about data security standards
The ongoing controversial Federal Trade Commission (“FTC”) versus LabMD Inc. enforcement action (Docket No. 9357) took a new twist recently as Chief Administrative Law Judge D. Michael Chappell effectively ordered the FTC to reveal details about what it considers to be the applicable data security standards connected with LabMD’s alleged failure to use “reasonable and appropriate measures to prevent unauthorized access to personal information” which underlie the FTC’s complaint claims that LabMD violated Sec. 5(a) of the FTC Act via unfair acts or practices.
The judge’s grant last week of LabMD’s Motion to Compel marks a potential milestone in the ongoing action and, in connection, with broader understanding by data collectors and corporations of the circumstances and standards utilized by the FTC in responses to potential data incidents.
The motion grant holds that the FTC will “provide deposition testimony as to what data security standards, if any, have been publishing by the FTC or the Bureau, upon which [FTC’s][] Counsel intends to rely at trial to demonstrate that Respondent’s data security practices were not reasonable and appropriate.”
Per the Order the FTC deposition will take place before May 11 and should shed light (though how much remains to be seen) on what “data security standards” the FTC applies, particularly in light of the recent ruling in the ongoing separate FTC v. Wyndham Worldwide Corp case regarding the FTC’s general authority to police and enforce data security incidents.
The LabMD ruling may finally present businesses with the opportunity to gauge a bright line benchmark to gauge their cybersecurity standards in accordance with applied FTC “standards.” Currently, the only available published information from the FTC on data security is a “Protecting Personal Information Guide” for small businesses, which delineates basic cybersecurity measures that should be taken but provides little more than rudimentary explanations on data security.
Although industry and legal watchers have argued that the FTC’s consent agreements and actions have provided a body of “common law” as to privacy matters, a clearer elucidation would be welcomed by all. (See Daniel J. Solove, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 583 (2014) (Noting that an article on the FTC by Sm@rtEdge Attorney Santalesa is cited in footnote 60). Needless to say, to discuss your own cybersecurity concerns or how the recent legal actions by the FTC may affect your business, feel free to contact us at info@SmartEdgeLawGroup.com or 203 307-2665.
