Eleventh Circuit Vacates FTC Order Mandating Implementation of Cybersecurity Program

June 13, 2018

In recent years, the Federal Trade Commission (“FTC”) has taken the lead among federal agencies in regulating the cybersecurity practices of companies that handle consumer personal information.

The FTC has entered into numerous consent orders and other settlements with regulated companies that broadly require implementation and maintenance of information security programs that are “reasonably designed” to protect the security and confidentiality of consumer information. A federal appeals court has now cast doubt on the viability of such orders. In a ruling issued on June 6, 2018, the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc. (“LabMD”) as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance.
