Computerworld reports on a case concerning the Federal Trade Commission and privacy and security of data:
The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday.
The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010. […]
The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company’s data security practices are unfair or not under Section 5 (a) of the FTC Act.
In a six-page ruling, the FTC’s chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case.
The judge held that while LabMD may not inquire about the FTC’s legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC’s Bureau of Consumer Protection “shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial,” Chappell ruked.
The decision is a victory for the many groups that are opposed to the FTC’s pursuit of companies that have suffered data breaches in recent years.