David Cohen, Douglas Meal, and Michelle Visser of Ropes and Gray, the firm that represented LabMD against the FTC, write:
Representing LabMD in its successful petition to the U.S. Court of Appeals for the 11th Circuit has been a fascinating experience in a number of ways. One of those is what the case reinforced for us about how the state of cybersecurity regulation in the United States could be greatly improved.
While there is more to this topic than can possibly be covered in a single column, we address two aspects here: First, this case highlights how the FTC’s “regulation by consent decree” approach is simply not working. Second, it shows how readily a false narrative can be created about a company’s security measures and the supposed ease of implementing additional measures, such that regulators end up seeking to address issues that either do not exist or have been greatly exaggerated, and then impose requirements that actually do more harm to consumers than good. There is no time like the present to fix these pressing issues with our country’s regulatory approach to cybersecurity, and it is our hope that a silver lining to this case will be a greater understanding of the costs and benefits of regulatory action in this space.
Read more on IAPP.