FTC told to disclose the data security standards it uses for breach enforcement
Administrative judge rules in favor of LabMD in long-standing dispute
Computerworld - The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency's chief administrative law judge ruled Thursday.
The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010.
LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place.
The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company's data security practices are unfair or not under Section 5 (a) of the FTC Act.
In a six-page ruling, the FTC's chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case.
The judge held that while LabMD may not inquire about the FTC's legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC's Bureau of Consumer Protection "shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial," Chappell ruked.
The decision is a victory for the many groups that are opposed to the FTC's pursuit of companies that have suffered data breaches in recent years.
Groups like the Chamber of Commerce, TechFreedom, the American Hotel and Lodging Association, the National Federation of Independent Businesses, the International Franchise Association and Cause of Action all filed motions supporting LabMD.
The groups have accused the FTC of overstepping its authority in forcing costly consent decrees and settlements from companies that have suffered data breaches in recent years. They have claimed that the FTC's prosecution of breached entities under the unfair trade practices provision of the FTC Act is both unauthorized and illegal.
LabMD is one of two companies that have challenged the FTC lawsuits so far. The company shut down operations a few months ago, citing the cost involved in fighting the FTC complaint. The only other company to challenge the FTC in similar fashion is Wyndham Hotels.
Reed Rubinstein, senior vice president for litigation at Cause of Action, welcomed Thursday's ruling.
"It means we will have an opportunity to speak on the record with the witness from the FTC about the standards they believe were in place" at the time LabMD information was allegedly leaked.
"They have been extremely reticent about disclosing what they believe LabMD did wrong at any particular moment in time. This is an opportunity to obtain a little more specificity" about the FTC's complaint, Reed said.
The FTC did not immediately respond to a request for comment.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Transforming Information Security: Future-Proofing Processes This report provides a valuable set of recommendations from 19 of the world'd leading security officers to help organizations build security strategies for...
- The Evolution of Corporate Cyberthreats Cybercriminals are creating and deploying new threats every day that are more destructive than ever before. While you may have more people devoted...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- Establish Cyber Resiliency: Developing a Continuous Response Architecture Many enterprises fail to proactively prepare the battlefield for a data breach by only leveraging outdated techniques that focus on the perimeter or...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Cybercrime and Hacking White Papers | Webcasts