The FTC has pursued enforcement actions against more than 50 companies for inadequate data security, and to date only two, Wyndham Hotels and LabMD, have pushed back. On the heels of a Third Circuit victory in its Wyndham litigation, the FTC recently suffered a blow when its administrative complaint against LabMD was dismissed – by an FTC administrative judge, no less.
As the FTC pursues an appeal to its commissioners, are there lessons to be learned? First, reports of the death of the FTC’s Section 5 data security enforcement authority have, once again, been greatly exaggerated – the FTC will remain in the data security enforcer role post-LabMD, as strong as ever. And second, the real lesson of LabMD is what it teaches us about grey hat security firm tactics, and how businesses need to trust their gut and do their homework.