ALJ Orders FTC To Provide Testimony On Data Security Standards

In its ongoing battle with the Federal Trade Commission (FTC), LabMD won an important victory on May 1, when the ALJ for the case ordered the FTC to provide deposition testimony regarding the data security standards, if any, that have been published by the FTC or Bureau of Consumer Protection (BCP) and will be relied upon by the FTC to demonstrate that LabMD’s data security practices were not reasonable and appropriate.

This information could prove helpful for other health care providers struggling to understand what standards the FTC is using in its investigation and prosecution of health care providers regarding data security. As noted in our February 12, 2014 blog on the LabMD case, the FTC, in addition to the Office of Civil Rights (OCR) and state Attorneys General, can investigate complaints related to data breaches. However, the FTC does not have specific regulations or guidance for compliance. The FTC is pursuing cases, and not only against health care providers, alleging that the entities failed to maintain “reasonable and appropriate” data security and are thus liable under Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices affecting commerce.

This order for deposition testimony is particularly interesting given a recent federal district court case in which the Judge found that the FTC could proceed in its lawsuit against Wyndham Hotels for unfair practices related to data security breaches. First, the Judge ruled that the FTC does have authority to pursue unfairness claims in the data-security context. Second, the Judge held that “precedent instructs that agencies like the FTC need not formally issue regulations” and therefore regulations were not required for the FTC to bring its claim against Wyndham. Wyndham argued in its Motion to Dismiss that, because the FTC did not publish rules, regulations or guidelines explaining what data security practices the FTC believed Section 5 to forbid or require, the FTC violated fair notice and due process. In response, the FTC argued that “reasonableness” was the standard; that the FTC business brochure and consent orders provided guidance; and that Wyndham should utilize industry guidance on data security.

