FTC Forced To Disclose

FTC told to disclose the data security standards it uses for breach enforcement (Computerworld, 2 May 2014) – The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday. The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010. LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place. The judge held that while LabMD may not inquire about the FTC’s legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC’s Bureau of Consumer Protection “shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial,” Chappell ruled. [ Polley : Steptoe writes : “LabMD is surely hoping that having the FTC acknowledge on the record that it does not actually have “data security standards” will underscore – for the ALJ, for courts, for Congress, and the public – LabMD’s contention that the FTC is acting as a lawless bully.”]

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Victor Habbick.