While there is no clear regulatory body policing the cybersecurity standards of United States businesses, the Federal Trade Commission (FTC) has taken up enforcement responsibility on more than one occasion. This may seem like a win for consumers, but it’s not such great news for businesses.
Increasingly, companies that become the focus of FTC probes argue that the Commission doesn’t have the right to police them, as there are no official rules or guidelines on how to achieve compliance. In 2010, the FTC accused LabMD of leaking information on some 9,000 individuals; some of that data found its way to file-sharing websites. The Commission slapped security overhaul requirements on LabMD and asked that the company reach out to previous customers about the possibility that their sensitive medical documents had been compromised. But LabMD has said that it was in compliance with data protection laws like the Health Information Privacy and Portability Act, and that the requirements set by the FTC were draconian. While LabMD has had suits pending for some months, the revelations about the economic impact of FTC actions are only coming to light now.