03 May FTC told to disclose the data security standards it uses for breach enforcement
As reported in Computerworld yesterday, there was a legal decision handed down in favor of LabMD. See a short quote of the article from Computerworld below and to read the whole post, click HERE.
The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday.
The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010.
LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place.
The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company’s data security practices are unfair or not under Section 5 (a) of the FTC Act.
In a six-page ruling, the FTC’s chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case.
The official response to yesterday’s ruling:
LabMD, a medical facility, is cautiously optimistic that the FTC will be forced to step into an era of fairness and transparency in notifying the business community, both large and small, what their data security standards are. LabMD still strongly objects to the FTC’s overreach into the medical regulatory environment overseen by HHS via HIPAA.