A ruling by the 11th U.S. Circuit Court of Appeals in LabMD v. FTC clarified that the FTC cannot use its section 5 authority to impose vague cybersecurity standards on the private sector. As Daniel Castro writes in Morning Consult, the FTC should use the ruling as an opportunity to recalibrate its strategy for promoting strong cybersecurity practices among businesses. Its best option is to outline a specific set of criteria for how it defines reasonable cybersecurity and order companies where data breaches cause unfair consumer injury to meet these requirements. This would give companies concrete guidance on how to improve cybersecurity and address the 11th Circuit Court’s critique that its order was insufficiently specific.
