F. Paul Greene and Daniel J. Altieri consider the landscape after the 11th Circuit’s decision in the LabMD case, noting that state-level Unfair and Deceptive Acts and Practices (“UDAP”) laws and the Nationwide Assurance of Voluntary Compliance may become more prominent as tools for data security enforcement actions.
They write, in part:
The Nationwide Assurance of Voluntary Compliance (“AOVC”), which is the state-law analog of the consent order used by the FTC in relation to FTC Act enforcement, goes both further than and not as far as the LabMD order struck down by the 11th Circuit. In doing so, it may become an example for future UDAP enforcement on the state-law level post-LabMD. To begin with, the Nationwide AOVC is far shorter in duration than the standard FTC order, which lasts for 20 years and is binding on successors and assigns of the settling party. Although not directly discussed in the 11th Circuit’s decision, the extreme length of the FTC form order could have added to the 11th Circuit’s reticence to leave an affected company’s obligations in relation to “reasonable” cyber security efforts so open-ended for so long. In this regard, the Nationwide AOVC, and any state-law UDAP order that follows its structure, may avoid harsher scrutiny by limiting its temporal scope.
Read more on New York Law Journal.