Appellate Court Decision Raises Issues With FTC Data Security Enforcement

A decision by a three-judge panel of the US Court of Appeals for the Eleventh Circuit could make it harder for the Federal Trade Commission to enforce online data security, or that is certainly the conclusion of Sen Richard Blumenthal (D-CT). The ruling itself, though, is narrowly tailored to a specific FTC enforcement tool.

The court ruled that the FTC could not issue a cease and desist order directing a medical lab to take a variety of actions to protect sensitive medical information online. It concluded that such orders must identify a specific harm the order is prohibiting, and the FTC failed to do so. "Rather, [the cease and desist order] commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness," the court panel concluded. "This command is unenforceable." That is the case even if the lab's alleged negligence in "[failing] to implement and maintain a reasonable data-security program" does constitute an unfair or deceptive practice.

While the decision was narrow, it troubled Sen Blumenthal, the author of the Data Breach Accountability and Enforcement Act, which would give the FTC new power to enforce data security. Sen Blumenthal suggested the decision should fire up Congress to pass his bill. "Until this damaging ruling, the FTC could at least set expectations and require data security programs to prevent future breaches after finding a failure to adequately protect consumers' data," he said. "In undermining the FTC's ability to impose data security standards, the Court of Appeals has hamstrung our sole cop on the beat protecting consumer privacy."

