What Made News?
The Federal Trade Commission’s (FTC) chief administrative law judge ruled recently that the agency must disclose the internal standards it uses to determine whether a company maintains adequate data security. The ruling is part of ongoing litigation between the FTC and a company called LabMD, which, according to the FTC, failed to maintain proper security for consumer data. The ruling could make it easier for companies that collect and manage consumer data to audit their data security practices and ensure compliance with FTC standards.
FTC Cracks Down on Inadequate Data Security
The FTC has been cracking down on companies with inadequate data security practices. In several recent cases, the FTC has claimed that the failure to maintain reasonable and appropriate data security standards for consumers’ sensitive personal information is an unfair practice in violation of Section 5 of the FTC Act. Moreover, the FTC has argued that companies that misrepresent their security practices by, for example, overstating the level of security that they use to protect consumer data or by failing to adhere to their own stated security practices, commit a deceptive practice in violation of Section 5.
The FTC relies on its so-called “unfairness” authority under Section 5 of the FTC Act to enforce data security standards. Despite the recent wave of data security enforcement actions, many have argued that the nebulous unfairness authority doesn’t or shouldn’t extend to data security matters.
The case against LabMD is one of these recent data security matters. Here, the FTC has alleged that LabMD committed an unfair act by exposing the personal information, including medical information, of approximately 10,000 consumers in two separate security lapses. This failure to maintain adequate data security, the FTC asserts, is unfair and violates Section 5. LabMD, however, has fought back against the FTC’s claims, arguing that it violates due process to hold the company responsible for allegedly inadequate data security standards when the FTC has never defined – either in administrative rule, regulation or other guidance – what it considers inadequate data security. As part of the case, LabMD filed a motion with the court asking it to force the FTC to testify about the standards it uses. It is that motion which the court recently granted.
Now, as a result of the most recent ruling, the FTC will be required to provide testimony regarding the specific standards that it has and will use to assert that LabMD’s security practices were inadequate. It will be one of the first instances in which the FTC has provided specific information with respect to what it considers inadequate data security.
The amount of data that companies collect on consumers has grown exponentially in recent years. As regulators show a growing interest in data security, this ruling could help companies stay on the right side of FTC enforcement action.