FTC Must Disclose Its Cybersecurity Standard

Those who have been following the debate know that the FTC recently won a pretty significant victory in its effort to enforce cybersecurity standards for organizations that hold consumer data.  A district court held that inadequate cybersecurity could be an "unfair business practice" within the regulatory ambit of the FTC. We are now at the start of a process where all the implications of that decision will get worked out.  One that had not occurred to me (but which seems inevitable in retrospect) is the idea that if the FTC is going to enforce a cybersecurity standard then due process principles would require them to disclose what that standard is.  And that's what an ALJ has just recently decided.  Ruling in a long-running dispute between the FTC and LabMD, according to ComputerWorld:

LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place. The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company's data security practices are unfair or not under Section 5 (a) of the FTC Act. In a six-page ruling, the FTC's chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case. The judge held that while LabMD may not inquire about the FTC's legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC's Bureau of Consumer Protection "shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial," Chappell ruked.