Risk of Injury as Standard for InfoSec Compliance

See the November 2015 ruling by Administrative Law Judge Michael Chappell in FTC v. LabMD: the Federal Trade Commission may not bring an enforcement action against a medical laboratory for failing to have reasonable computer security for consumer data. The reason is that the Commission lacked evidence to show that the laboratory's gaps in security posed a substantial risk of injury to consumers. The judge concluded that the Commission had only shown the possibility of injury, and that was not enough.

Originally, the Commission had believed the laboratory had suffered a breach of data security. However, the evidence showed there was no breach. Although the laboratory's security may not have been perfect, the evidence did not show that shortcomings in security posed a substantial risk of injury to consumers.

#databreach  