FTC Must Disclose Its Cybersecurity Standard

Paul Rosenzweig
Wednesday, May 7, 2014, 4:53 PM

Published by The Lawfare Institute in Cooperation With Brookings

Those who have been following the debate know that the FTC recently won a pretty significant victory in its effort to enforce cybersecurity standards for organizations that hold consumer data. A district court held that inadequate cybersecurity could be an "unfair business practice" within the regulatory ambit of the FTC. We are now at the start of a process where all the implications of that decision will get worked out. One that had not occurred to me (but which seems inevitable in retrospect) is the idea that if the FTC is going to enforce a cybersecurity standard, then due process principles would require it to disclose what that standard is. And that's what an ALJ has just recently decided. Ruling in a long-running dispute between the FTC and LabMD, according to ComputerWorld:
LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place. The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company's data security practices are unfair or not under Section 5(a) of the FTC Act. In a six-page ruling, the FTC's chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case. The judge held that while LabMD may not inquire about the FTC's legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC's Bureau of Consumer Protection "shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial," Chappell ruled.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.