FTC maintains it has authority to police enterprise cybersecurity failures
- The Federal Trade Commission last week reversed an administrative law judge's decision from last November that had dismissed FTC charges against LabMD, according to an FTC announcement.
- The FTC began investigating LabMD two years ago for allegedly failing to protect thousands of patient records because of inadequate cybersecurity practices.
- Last November, administrative law judge D. Michael Chappell threw out the FTC’s charges, saying that the agency had overstepped its authority.
Over the past decade the FTC has established itself as the government’s chief cybersecurity enforcer, suing LabMD and several other entities, including Wyndham Hotels, on similar grounds. But LabMD challenged the FTC’s authority to police cybersecurity shortcomings. LabMD's CEO and others had said Congress did not give explicit directions for the agency to go after companies with weak cybersecurity.
The FTC’s reversal concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act, and further cements the fact that the FTC can act to protect consumers from data mismanagement.
LabMD had collected more than 750,000 sensitive patient records between 2001 and 2014 and then failed to sufficiently protect them.
"The company’s negligence resulted in installation of file-sharing software that exposed sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users," the agency said. The data was left exposed for 11 months.