The Federal Trade Commission (FTC) has been proactively reviewing cybersecurity controls for organizations that maintain data on consumers, and will levy fines and remediation plans on those who fail to maintain a reasonable data security program.
The Supreme Court vacated a 2013 FTC enforcement action against LabMD after finding that the action mandated LabMD to “establish a comprehensive information security program” with “precious little” about how that should be accomplished.
In the past, the FTC had attempted to allow entities to determine the best security programs for their business models. Going forward after a consent order, it seems that entities will have to work more closely with the FTC on specific security measures to be implemenyed as part of these consent orders, which could, in fact, create more burdens on entities to come into compliance. It is notable that the Supreme Court did not question the FTC’s authority to execute the order, only the wording of the order that the Court found to be too vague.
The FTC could ask Congress to write legislation to clarify how data security should be regulated to ensure that companies, especially small businesses, have the clarity about how to assess whether they’re doing enough to secure consumers’ data. Foresite consults with organizations to help them determine the most appropriate cybersecurity framework to use, and our attestations have been accepted by the FTC in remediation cases.
In the meantime, other entities should learn from the LabMD/FTC dispute. It is important to have a clear and comprehensive data security policy and it is also important to actually monitor and enforce your own policies and practices. LabMD is now a shuttered business, so this ruling does not reverse the fact that failing to protect their customer’s data led to the demise of the company.