Alan L. Friel and Gerald J. Ferguson of BakerHostetler provide their interpretation of recent rulings:
Both the administrative law judge’s decision in LabMD and the Third Circuit’s recent decision in Wyndham, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach, allegedly inadequate data security will necessarily constitute an unfair practice under Section 5 of the FTC Act. Further, the FTC’s body of data security consent orders – basically private settlements of uncontested and unadjudicated cases (most of which also include deception claims), where the remedies include “fencing in” that goes beyond what the law requires – are merely indications of best practices and not some sort of “common law” as some have contended. Indeed, to treat consent orders as precedential would fly in the face of Congress’ purposeful curtailment of the FTC’s rulemaking authority under Mag Moss, as compared to the APA standards applicable to other federal agencies. Finally, the decisions suggest that the application of Section 5 unfairness authority to consumer privacy, especially in the context of interest-based advertising, is limited.
Read more on Data Privacy Monitor.