Judge ruling questions what qualifies as a Data Breach

  • US Court Ruling to do with Data Breaches
  • Clarity on what a Data Breach is
  • Why policies are so Important
  • Find out what this ruling means for other Data Breach Rulings


Original Author: Assent Risk Management
Original Links: N/A


US Court Ruling

The ruling, made by D. Michael Chappell, the chief administrative law judge for the U.S. Federal Trade Commission (FTC), dismissed an FTC complaint against a cancer research lab called LabMD. The case involved a LabMD employee who violated company policy by downloading P2P software, unintentionally exposing sensitive patient information on a file-sharing network. The exposure was nonetheless identified and shut down before anyone outside the company saw that information, and no one ever accessed the sensitive data.


What is a Data Breach?

According to Google ‘A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.’

The judge in this case, however, took another view. We believe this view is related to the fact that the breach was shut down before anyone saw or accessed the confidential data, so no one was affected by it.


Why Policies Are Extremely Important

The company in this case had been diligent in implementing information governance policies, which made it clear that the employee had violated company policy. By contrast, organisations shown to be negligent in their duty to protect personally identifiable information (PII) would likely incur sanctions from the court.

Implementing policies is only one step in managing information security risks; it should be backed up by monitoring and auditing processes to determine whether those policies are actually being complied with.


What can we take from this Ruling?

Some people may see this ruling as common sense, while others may disagree because of the potential threat. What are your views on this ruling?

If you detect a breach and close it before data is actually seen by anyone, you should avoid FTC penalties.

Given the respect federal judges tend to give to the opinions of other federal judges, this could have consequences far beyond FTC rulings.


Protect your Organisation

This is a good opportunity to review your approach to information governance, particularly in light of the increasing focus from public sector bodies.

In America, HIPAA (the Health Insurance Portability and Accountability Act) makes companies responsible for keeping Patient Health Information (PHI) private, while the UK NHS has developed the NHS IG Toolkit, with which suppliers must comply.

Assent Risk Management can help you implement a structured framework for information security management, such as ISO 27001, which will mitigate these risks.

You can also try out our FREE NHS IG to ISO 27001 mapping tool: http://www.assentriskmanagement.co.uk/healthcare/
