FTC Must Disclose Its Data Security Standards

    May 27, 2014

    The Federal Trade Commission’s (FTC’s) chief administrative law judge ruled earlier this month that the agency can be compelled to disclose the data security standards it uses “to pursue enforcement action against companies that suffer data breaches.”

    The decision was issued in response to a motion filed by LabMD, a medical laboratory that the FTC charged with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010, reported Computerworld.

    LabMD, which is now defunct, accused the FTC of holding it to security standards that don’t officially exist at the federal level, hence the motion to require the FTC to disclose the standards it uses to determine if a company has reasonable security measures in place. The judge agreed, ruling that the FTC’s Bureau of Consumer Protection “shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial.”

    Several business groups, including the Chamber of Commerce, TechFreedom, and the National Federation of Independent Businesses, filed motions in support of LabMD. They have accused the FTC of overstepping its authority by forcing costly fines and settlements on companies that have suffered data breaches. LabMD is the second company to challenge the FTC’s authority in court. Wyndham Hotels is the other.

    © 2016, ARMA International