BreachExchange mailing list archives

FTC Told to Disclose the Data Security Standards it Uses for Breach Enforcement


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 May 2014 19:08:13 -0600

http://www.cio.com/article/752399/FTC_Told_to_Disclose_the_Data_Security_Standards_it_Uses_for_Breach_Enforcement

The Federal Trade Commission (FTC) can be compelled to disclose details of
the data security standards it uses to pursue enforcement action against
companies that suffer data breaches, the agency's chief administrative law
judge ruled Thursday.

The decision came in response to a motion filed by LabMD, a now-defunct
medical laboratory that has been charged by the FTC with unfair trade
practices for exposing sensitive information belonging to 10,000 patients
in 2010.

LabMD has accused the FTC of holding it to data security standards that do
not exist officially at the federal level. It has maintained that the
agency must publicly disclose the data security standards it uses to
determine whether a company has reasonable security measures in place.

The FTC argued that it should not be required to disclose the legal or
other standards it uses to determine whether a company's data security
practices are unfair or not under Section 5(a) of the FTC Act.

In a six-page ruling, the FTC's chief administrative law judge, Michael
Chappell, nixed that argument and held that the Commission can indeed be
compelled to disclose the information in the LabMD case.

The judge held that while LabMD may not inquire about the FTC's legal
standards or rationale, it has every right to know what data security
standards the commission uses when pursuing enforcement action. The FTC's
Bureau of Consumer Protection "shall provide deposition testimony as to
what data security standards, if any, have been published by the FTC or the
Bureau upon which [it] intends to rely on at trial," Chappell ruled.

The decision is a victory for the many groups that are opposed to the FTC's
pursuit of companies that have suffered data breaches in recent years.

Groups like the Chamber of Commerce, TechFreedom, the American Hotel and
Lodging Association, the National Federation of Independent Businesses, the
International Franchise Association and Cause of Action all filed motions
supporting LabMD.

The groups have accused the FTC of overstepping its authority in forcing
costly consent decrees and settlements from companies that have suffered
data breaches in recent years. They have claimed that the FTC's prosecution
of breached entities under the unfair trade practices provision of the FTC
Act is both unauthorized and illegal.

LabMD is one of two companies that have challenged the FTC lawsuits so far.
The company shut down operations a few months ago, citing the cost involved
in fighting the FTC complaint. The only other company to challenge the FTC
in similar fashion is Wyndham Hotels.

Reed Rubinstein, senior vice president for litigation at Cause of Action,
welcomed Thursday's ruling.

"It means we will have an opportunity to speak on the record with the
witness from the FTC about the standards they believe were in place" at the
time LabMD information was allegedly leaked.

"They have been extremely reticent about disclosing what they believe LabMD
did wrong at any particular moment in time. This is an opportunity to
obtain a little more specificity" about the FTC's complaint, Reed said.

The FTC did not immediately respond to a request for comment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
