How Has FTC Data Security Enforcement Changed?
Former FTC Attorney Julie O'Neill Sizes Up the Impact of LabMD Court Case
In the wake of a federal appeals court ruling last year vacating a Federal Trade Commission enforcement action against cancer testing laboratory LabMD, the FTC's data security consent orders are becoming far more detailed and rigorous, says former FTC attorney Julie O'Neill.
In June 2018, a U.S. appellate court ruled in favor of LabMD, vacating an FTC consent order that, among other things, required LabMD to establish a comprehensive information security program.
In its ruling, the appeals court wrote that the FTC's consent order against LabMD "does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD's data security program and says precious little about how this is to be accomplished."
The court ruled that the FTC's order was so vague that it was unenforceable, O'Neill explains in an interview with Information Security Media Group.
"The FTC has taken the ruling to heart ... and this year, has entered into a handful of consent orders that are much more specific about what companies need to do ... to settle charges that they have had inadequate security measures in place," she says. "The measures are not only stronger than they've been in the past, but more detailed."
For example, the FTC has required that a senior officer at defendant companies certify compliance with the agency's data security orders annually for a 20-year period, she notes. FTC consent orders also now generally include stricter requirements for the independent third-party security audits that must be performed, she adds.
The FTC's newer consent orders are also requiring specific safeguards, including mandatory encryption for certain types of sensitive data, such as Social Security numbers and financial information, as well as vulnerability and penetration testing, patch management and employee training, O'Neill points out.
In the interview, O'Neill discusses:
- Other trends emerging from FTC data security and privacy cases;
- Steps to take to help avoid enforcement action for violations of the FTC Act;
- Advice for staying informed about FTC enforcement action trends.
O'Neill, a former FTC staff attorney, is now a partner at Morrison & Foerster in the firm's Boston and Washington, D.C., offices. Her practice focuses on issues stemming from privacy and consumer protection laws.