FTC Authority is Checked in Cybersecurity Actions

Commission's order for LabMD to clean up data practices gets tossed due to vagueness

Following a federal appeals decision, the Federal Trade Commission’s ability to police companies over cybersecurity remains intact, except that it must be specific on what it commands those companies to do.

On June 6, the 11th Circuit Court of Appeals vacated an order the FTC issued to a medical diagnostics lab that it implement a data security program that meets the commission’s standards. While the court didn’t discount the FTC’s authority to act against LabMD, which had experienced a data breach, it ruled the FTC’s order to be unenforceable because it didn’t direct the company to stop committing an “unfair” practice under the Federal Trade Commission Act. With a dearth of case law outlining how far federal agencies can go in enforcing cybersecurity standards, the long-awaited LabMD decision is significant even if it muddies the waters of data security regulation.

To read this story and other complete articles featured in the June 18, 2018 print edition of Law Week Colorado, copies are available for purchase online.