In Case You Missed It: The Federal Trade Commission issued an opinion in the LabMD case, overturning an ALJ’s November 2015 decision holding that the FTC failed to meet its burden to prove that LabMD’s data security practices caused or were likely to cause substantial consumer injury. (See this blog’s previous coverage of that decision here.) The FTC’s complaint against the company concerned two different data privacy incidents that allegedly affected over 10,000 consumers. Notably, in overturning the ALJ’s decision, the Commissioners were clear in their view that the FTC’s power to enforce its Section 5 authority (over “unfair or deceptive acts or practices in or affecting commerce”) in data privacy and cybersecurity cases is broad. In the LabMD case, the Commissioners wrote that there was both actual harm affecting consumers, in what they termed “privacy harm” (that is, the mere act of disclosing certain private information), and a substantial risk of harm (even without actual harm). On this latter point, the FTC’s view of its own power might be broader than even what the Third Circuit stated last year in FTC v. Wyndham. (See my comments to Law360 about this case here.)
News of Note: Cybersecurity continues to play a role in this election cycle. Evidence appears to suggest that computer systems used by the Clinton campaign were hacked by Russians. The hack could have a connection to the Russian military intelligence service. An open policy question now is whether and how the Obama administration will respond to the attack, a question made more difficult by the lack of certainty (as of this writing) regarding the perpetrator(s).
Practice Tip of the Week: Are your policies “reasonable”? As the FTC opinion in the LabMD case noted, the agency’s “touchstone” for assessing whether (and how) to utilize its broad powers with regard to data privacy is “reasonableness.” This means, as a practical matter, that cookie-cutter checklists might not do the trick in escaping liability in the event of a breach. What is reasonableness? FTC guidance can help in this respect. Generally, understanding your own risks, updating your company’s software (leaving software outdated can make your company more susceptible to a hack, either from Russian military intelligence or a fraudster down the street), and having clear policies that specifically address the data you keep and how you will handle a breach can all help.