While there is no clear regulatory body policing the cybersecurity standards of United States businesses, the Federal Trade Commission (FTC) has taken up enforcement responsibility on more than one occasion. This may seem like a win for consumers, but it’s not such great news for businesses.
Increasingly, companies that become the focus of FTC probes argue that the Commission doesn’t have the right to police them, as there are no official rules or guidelines on how to achieve compliance. In 2010, the FTC accused LabMD of leaking information on some 9,000 individuals; some of that data found its way to file-sharing websites. The Commission slapped security overhaul requirements on LabMD and asked that the company reach out to previous customers about the possibility that their sensitive medical documents had been compromised. But LabMD has said that it was in compliance with data protection laws like the Health Information Privacy and Portability Act, and that the requirements set by the FTC were draconian. While LabMD has had suits pending for some months, the revelations about the economic impact of FTC actions are only coming to light now.
“This action is in large part due to the conduct of the Federal Trade Commission,” President and Chief Executive Michael J. Daugherty wrote in the letter. “The FTC has subjected LabMD to years of debilitating investigation and litigation regarding alleged patient-information data-security vulnerability.”
In December, LabMD filed a protective order against the FTC, and in November the nonprofit group Cause of Action filed another suit on behalf of LabMD. Cause of Action said in a press release, “Complying with the FTC’s demands has cost LabMD hundreds of thousands of dollars as well as thousands of hours of management and employee time.” The complaint seeks to halt the requirements imposed on LabMD.