Senior Communications Manager
Kirk Nahra Comments on FTC’s Decision to Overturn Dismissal of Data Security Case
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted by Healthcare Info Security, Law360, and Bloomberg BNA about the Federal Trade Commission’s (FTC) decision to overturn the dismissal of its long-standing data security enforcement case against a medical testing laboratory. The case had been dismissed last fall by an FTC administrative law judge.
“I am not at all surprised by the ruling,” Mr. Nahra said. “The FTC overturned the surprising administrative law judge decision, which had seemed out of line with the previous FTC enforcement activity. This means that the FTC—until a court or Congress tells them otherwise—will continue to exercise its authority to take enforcement action against what it views … as unreasonable security practices, even in the absence of a specific measurable consumer harm.”
The case also “confirms that the FTC can decide to bring cases against health care entities, but there is nothing specific in this decision—or in any other FTC actions since the initial decision—to indicate that the FTC intends to go after the health care industry broadly,” Mr. Nahra said.
“Also, it is important to understand that there are large segments of the health care industry—mainly health insurers and nonprofits—where the FTC does not actually have jurisdiction at all,” he noted. “So, the message for the health care industry is that the FTC is definitely out there, but the Department of Health and Human Services is still the big enforcement concern. This ruling mainly impacts ‘everyone else,’ where the FTC reaffirms its overall approach to information security enforcement.”