What does this ruling mean with respect to your company (or your client)?
Extract from an article by Tom Kulik
There is an adage that has become all too common when dealing with a potential data breach: it’s not a matter of if, but when. Sad, but ultimately true. When it comes to cybersecurity for your (or your client’s) business, you can never be too careful. A risk assessment of the business is essential to set an appropriate risk threshold, and so is an incident response plan that can be put into action should a data breach occur. A data security program is absolutely essential, and it must be reasonable and adequate. This is a lesson the now-defunct LabMD learned the hard way in its enforcement dance with the FTC, but perhaps for all the wrong reasons.
Here are the three biggest takeaways from the case:
1. The FTC Still Has Authority Over Data Security Compliance under Section 5 of the FTC Act. Whether you like it or not, the FTC’s authority under Section 5 of the FTC Act to protect consumers against “unfair acts or practices” still applies to data security programs.
2. Future FTC Enforcement Will Need to Be a Lot More Specific. Broad-brush, vague orders requiring “reasonable” data security standards will no longer suffice, so the FTC will need to be more targeted in the future.
3. “Reasonable and Appropriate Security Measures” Will Need to Be Specific, Too. If a company implements a reasonable and appropriate security program and can prove up its compliance with that program, the potential for an FTC investigation and a subsequent enforcement order will be minimized. You can’t avoid FTC jurisdiction, but you can avoid being on their radar.
Read the complete article at The 3 Biggest Data Security Takeaways From The 11th Circuit Decision In FTC v. LabMD