Scott Delacourt Discusses Potential Impact of FTC Case on Cybersecurity Enforcement

October 11, 2016

Scott D. Delacourt, partner in Wiley Rein’s Telecom, Media & Technology Practice and chair of the firm’s Federal Trade Commission (FTC) Practice, was quoted in an October 3 Legaltech News article regarding the FTC’s investigation of medical testing company LabMD for the inadvertent leak of sensitive data impacting over 9,000 patients. According to the FTC, LabMD’s failure to secure patient data is a violation of Section 5 of the FTC Act’s Unfairness Standard.  Section 5 grants the FTC the power to regulate any act or practice that is “likely to cause substantial injury to consumers.”  Many experts in the field believe this broad interpretation of the FTC’s unfairness standard could have far-reaching implications for how the agency regulates potential cybersecurity threats, even when no breach or harm to consumers has occurred, and that it may not be the best instrument for cybersecurity enforcement.

“The focus on creating an intangible harm that results from a data breach or lax cybersecurity seems to point out in some ways that Section 5 isn't a good fit for cybersecurity, and maybe that wasn't what Congress intended for the FTC to be doing when it adopted the statute,” said Mr. Delacourt.

Mr. Delacourt explained that the agency may be retroactively seeking oversight in an area that is better suited to being governed by a legislative body.  “It seems that if our goal is to incentivize companies to provide cybersecurity, that the more direct way would be for Congress to pass a law placing an obligation on companies to provide a certain level of cybersecurity, rather than manufacturing harm where harm is not readily apparent for the purpose of creating that incentive,” Mr. Delacourt added. 

To read the full article, please click here (subscription required to access).