The headlines prove that even large companies struggle with data security. But with fewer resources, small businesses are especially vulnerable to online security threats. Yet NFIB maintains that lawmakers shouldn’t punish a small business that gets hacked.
Unfortunately, that’s precisely what the Federal Trade Commission has sought to do in recent cases. For example, FTC brought an action against LabMD for failing to maintain proper data security measures, notwithstanding the fact that no one had been injured by the breach in that case. But the curious thing about FTC prosecuting businesses for failing to abide by data security measures is that FTC has never promulgated any regulation dictating what measures a business should (or should not) implement. We’ve even questioned whether FTC has authority to regulate data security standards at all.
The good news is that we recently scored a victory for small business in FTC v. LabMD. In our amicus brief, we argued that it’s unfair to expect businesses to comply with an evolving and unarticulated regulatory standard. And while not explicitly referencing our amicus brief, it appears that the Eleventh Circuit Court of Appeals embraced our argument in holding that FTC does not have a roving authority to require businesses to implement its preferred data security practices.
As the Court emphasized, FTC improperly issued a cease and desist letter without identifying any specific act or practice that the company needed to stop: “Instead, [FTC] mandate[d] a complete overhaul of LabMD’s data-security program and [said] precious little about how this [was] to be accomplished.” FTC’s approach would make judges responsible for managing the company’s data security policies without any regulatory framework in place—a result that “Congress could not have envisioned.”
While this marks a victory, we can expect to see similar issues in the future, so long as FTC continues to bring unfair business practice claims over perceived data security failures. Given that the Third Circuit Court of Appeals previously sided with FTC in a similar case, the U.S. Supreme Court may ultimately decide the scope of FTC’s authority. But at the end of the day, NFIB believes that Congress—not the courts, and certainly not FTC—decides whether and to what extent data security protocol should be regulated.