Several weeks ago, a panel of the Eleventh Circuit erased the FTC’s enforcement action against LabMD Inc. for failing to protect patients’ personal information, on the grounds that it was overly vague, requiring the company to “meet an indeterminable standard of reasonableness.” FTC has since elected not to ask for the full court for a review. But FTC chair Joe Simons said recently that “privacy and data security will continue to be an enforcement priority.” At a recent hearing before a House subcommittee, he called for data security legislation that would allow the agency to seek civil penalties and also give it authority to issue rules under the Administrative Procedure Act.
The current ruling could have broad implications. For example, Equifax has cited it in its defense against a class action over its infamous data breach, arguing that the standards the company is being held to are “far too broad and nonspecific.”