When companies like Henry Schein Practice Solutions, Inc. make promises regarding data security and then don't live up their expectations, it's no different from Reebok or Luminosity engaging in unfair or deceptive practices under the Federal Trade Commission (FCT) Act, Lesley Fair, senior attorney at the FTC's Bureau of Consumer Protection, said Saturday at the Association of American Law School conference in New York.
“Lumosity preyed on consumers' fears about age-related cognitive decline, suggesting their games could stave off memory loss, dementia, and even Alzheimer's disease,” said Jessica Rich, director of the FTC's Bureau of Consumer Protection, in a press release announcing that Lumos Labs would pay $2.2 million in redress in a settlement reached with the FTC over the deceptive claims about its brain training program. “But Lumosity simply did not have the science to back up its ads.”
Fair noted that the FTC has used the act more recently to pursue companies that it feels like has put consumers at risk through their sloppy security practices—to date, the commission has settled 55 such cases. Schein was the most recent to feel the FTC's slap, agreeing to a $250,000 fine, among other concessions, for falsely advertising the level of encryption it used to safeguard patient data.
The FTC has seen its authority questioned by those who've felt its sting, with the Wyndham hotel chain taking the agency to court. But the third circuit court ruled against the hotel and upheld the commission's authority. Some have called for the commission to promulgate rules so that company's would know the requirements that they must meet to stay clear of the FTC's enforcement action. Except in a very specific area “the FTC doesn't have the legal authority to promulgate rules,” said Fair, who noted that it's not just rules that make up what has sometimes been referred to as the “common law of the FTC.” Fair said the commission has laid out it guidelines and practices very publicly in a series of publications and events designed to educate companies and consumers.
Panelists in the session “Once More Unto the Breach: The Law & Policy of Data Breaches,” discussed how the law should and can respond to breaches that have grown more prevalent from every quarter. David Thaw, assistant professor of law and information sciences at the University of Pittsburgh and an affiliated fellow of the Information Society Project at Yale Law School, said a patchwork of data breach laws from 47 states has driven cybersecurity practices in organizations toward a checklist and encryption approach rather than implement a comprehensive security plan or carefully assess risk.
“The ship has already sailed on data breach laws,” he told an audience mostly made up of law professors. “But there are other areas where we can contribute.”
The panel said it expects to see more legal activity around the Internet of Things (IoT) and international laws such as Safe Harbor.