Last month, a US court heard testimony regarding the fallout of what may or may not have happened after a potentially massive data breach. That’s right, it was LabMD, Inc vs. the Federal Trade Commission.
At the heart of the case is the question of whether the Federal Trade Commission (FTC) overstepped its authority when it initiated enforcement against LabMD, a now-defunct medical testing lab. LabMD was allegedly responsible for a data breach in which certain patient records were misappropriated, but no data fell into the wrong hands and no patient became the victim of identity theft.
LabMD claims that section 5 of the FTC Act, on which the punishment was based, is not applicable, while the FTC argues that LabMD failed to do enough to protect its patients’ data.
How much power does the FTC have?
This case has a long history, dating back to the FTC filing a complaint against LabMD in 2013. The case was dismissed in 2015, making it the first time a company won a challenge against the FTC based on unreasonable information security. However, that was only the start of an ongoing legal debate that has gone back and forth. It’s now in court again following intervention from the United States Court of Appeals for the Eleventh Circuit, which ruled that, in cases of a security breach, emotional harm and other acts causing a low likelihood of harm might not meet the FTC Act’s definition of ‘unfairness’, on which the FTC’s argument is predicated.
As the IAPP writes, there is a lot at stake here, as the court’s decision could help define the scope of the FTC’s power to enforce section 5 of the FTC Act in matters of cybersecurity and privacy. Under that law, a disconnect between an organization’s cybersecurity policies and procedures and their actual implementation can be treated as an unfair trade practice.
In 2015, a court ruled in favor of the FTC when it enforced its section 5 authority on Wyndham Hotels. In that incident, hackers stole more than 600,000 customers’ data from the company’s computer systems.
Following the court’s decision, Electronic Privacy Information Center attorney Alan Butler said: “This is a huge victory for the FTC, but also for American consumers. We see services and companies being hacked on an almost daily basis now. Having the FTC out there, bringing actions against companies that fail to protect consumers’ data is a critical tool.”
Berkeley Law professor Chris Hoofnagle said the ruling established a precedent for the legal consequences of a data breach. “Had Wyndham won at the third circuit, it would have called into question the FTC’s ability to police privacy and security,” he said.
However, the ongoing LabMD case has now muddied that certainty. LabMD believes that the court shouldn’t accept the FTC’s interpretation that “purely conceptual privacy harm that the FTC found to exist, whenever there is any unauthorized access to any personal medical information, constitutes substantial injury within the meaning of Section 5 under the FTC Act.” The FTC, for its part, maintains that the fact that no patient was actually injured by the breach doesn’t affect its decision.
A ruling on the case is expected by this fall.
Meet regulatory requirements with ISO 27001
This case shows how important it is to maintain effective information security. All companies should keep an eye on the case, and in the meantime evaluate or implement their information security management system (ISMS).
The international standard ISO 27001 sets out a best-practice approach to information security that can be adopted by all organizations. Certification to ISO 27001 enables organizations to meet critical legislative requirements related to information security, including state data breach notification laws, federal regulations such as FISMA, the GLBA, HIPAA, and SOX, and cybersecurity standards, such as the PCI DSS and the NYDFS.
By implementing an ISO 27001-compliant ISMS, you can mitigate the risk of cyber attacks and join over 30,000 companies that are already certified.