As anticipated, things are getting even more exciting with the case previously covered in Password Protected. Specifically, LabMD is appealing the landmark data security case between it and the Federal Trade Commission (“FTC”) that examines an alleged data breach, despite the absence of identifiable harm. The case is poised to become a major driver of data security practices because it reveals the FTC’s expectations regarding reasonable data security practices and, if upheld, would solidify the FTC’s authority to enforce such actions.
Prior to the appeal, the FTC overturned the Administrative Law Judge's (ALJ) decision and found that an enforcement action was appropriate even though there was no evidence that any consumers were actually harmed. The decision was notable for two reasons: first, it illustrated the seriousness with which the FTC takes data security and, second, it confirmed the FTC’s broad data security enforcement authority.
Unsurprisingly, LabMD has appealed the decision and asked the U.S. Court of Appeals for a Stay of the FTC Final Order pending review of the substantive appeal. LabMD maintains there are several unresolved legal issues, including whether the FTC can enforce data security standards as it did in LabMD’s case, particularly in the absence of identifiable harm, and whether the FTC may exercise jurisdiction under Section 5 of the FTC Act over a HIPAA-covered data security entity. The FTC, in its Opposition to the Stay, reiterates that consumers continue to suffer harm until the Final Order is implemented.
The outcome of the appeal carries several future implications for data security practices. If the FTC wins, businesses will be expected to maintain extensive and robust security procedures. The appeal also sets precedent for the FTC to maintain its current level of enforcement in consumer protection data privacy cases. In other words, a win for the FTC paves the way for the agency to continue exercising its expansive enforcement authority over data security issues.
This case is far from over. In the meantime, the fact remains that when it comes to the FTC, there is no excuse for lax data security – either protect your data now, or pay the price later.