Jaikumar Vijayan reports:
The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday.
The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010.
LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place.
Read more on Computerworld.
In a statement to PHIprivacy.net, Michael Daugherty, CEO of LabMD, writes:
LabMD, a medical facility, is cautiously optimistic that the FTC will be forced to step into an era of fairness and transparency in notifying the business community, both large and small, what their data security standards are. LabMD still strongly objects to the FTC’s overreach into the medical regulatory environment overseen by HHS via HIPAA.
Note: The FTC’s complaint alleges that the file-sharing exposure occurred in May 2008 (not 2010, as Jai reports). The date is important when one considers whether the FTC had published any guidances or data security standards for businesses prior to the incident resulting in the complaint.
Update: I’ve uploaded the ruling here (pdf). I’ve also uploaded a second ruling that denies an FTC motion in limine to strike the Deputy Director of Bureau of Consumer Protection as a trial witness.