FTC’s Data Security Authority, Apple’s WWDC, Software Transparency, VPNFilter, HCCIC

TLP White
We have another big week for you, folks. We start with a big decision coming out of the Eleventh Circuit which raises some doubt about the FTC’s data security authority, and then discuss some highlights from Apple’s WWDC. We also address a recently announced multi-stakeholder effort on software transparency and then shed some light on VPNFilter. We conclude by addressing some drama on Capitol Hill regarding the Healthcare Cybersecurity and Communications Integration Center. Welcome back to Hacking Healthcare:
Hot Links –

  1. A Jab to The FTC’s Authority. The Eleventh Circuit vacated a Federal Trade Commission (“FTC” or “Commission”) order that required LabMD, a medical testing company, to improve its data security practices.  The court reasoned that the FTC’s order “does not enjoin a specific act or practice…[but instead] mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.”[1]


The FTC has broad authority under Section 5 of the FTC Act to bring actions against companies that participate in “unfair…acts or practices” – i.e., a practice that is “likely to cause [consumers] substantial injury…”[2]  In 2013, under this authority, the Commission asserted that LabMD’s security practices in 2008 were inadequate and exposed sensitive personal and health information of about 9,300 consumers onto LimeWire, a peer-to-peer network.[3]
According to the FTC, the exposure – which included names, dates of birth, social security numbers, lab test codes, and health insurance information – caused consumers substantial injury.  LabMD challenged the FTC’s authority, however, claiming that the order was “unenforceable because it does not direct LabMD to cease committing an unfair act or practice…”[4]  The Eleventh Circuit agreed.  A spokeswoman from the FTC, responding to the ruling, said that “[a]lthough we are disappointed by the appeals court’s ruling, we will continue to do everything we can to protect consumer privacy… [and] are evaluating our next steps in response to this decision.”

[1] https://www.reuters.com/article/us-ftc-datasecurity-labmd/u-s-agency-loses-appeal-over-alleged-labmd-data-security-lapses-idUSKCN1J22XD

[2] https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority

[3] https://www.reuters.com/article/us-ftc-datasecurity-labmd/u-s-agency-loses-appeal-over-alleged-labmd-data-security-lapses-idUSKCN1J22XD

[4] https://www.bna.com/bellwether-data-security-n73014476288/

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

Hacking-Healthcare-6.12.2018-TLP-White-1