InfoSec Public Communications

Legal compliance with information security law is often hard to measure.  Technology is hard to understand, and legal standards are open to interpretation.  In addition, the facts of any given case can be subject to debate.

Explaining Security to the Public

Therefore at the SANS Institute, I teach that good legal compliance includes good public communications.  In my course titled “Law of Data Security and Investigations,” I argue the outcome of a lawsuit or investigation can turn as much on how an enterprise explains itself to the public as it does on the technical facts of the case.

A small medical laboratory, LabMD, is engaged in an epic struggle with the Federal Trade Commission over whether LabMD violated consumer protection law when an unwelcome security company acquired a patient file from LabMD.

For years, the FTC has pursued LabMD on the theory that the file got out because LabMD lacked legally-required security.  The parties passionately dispute the facts and the law in the case.

Defending Against the Federal Trade Commission

A remarkable aspect of the case is the public communications campaign LabMD has mounted to defend itself.  The president of LabMD is publishing a book (The Devil Inside the Beltway) telling his side of the story.  He tirelessly spreads his message, talking to media and public conferences.  He will be appearing with me at SANS Institute’s Network Security 2013 conference in Las Vegas later this week.

What’s more, LabMD’s president has garnered public allies.  Public interest groups TechFreedom and Cause of Action have come to LabMD’s aid, decrying FTC’s behavior as misguided government regulation.

Influencing What Customers Think

Whether LabMD’s publicity will enable it to prevail over the FTC I don’t know.

But one effect of the publicity could be to reassure LabMD’s customers that the FTC’s prosecution is not as bad as it might seem.  FTC basically claims LabMD damaged its customers and violated their privacy.  But customers see LabMD argue with fervor and third-party support that it performed reasonably and responsibly at the time in question.

Regardless of the merits of the case, LabMD demonstrates a lesson.  InfoSec law is about the telling of stories.  Those who are ineffective at telling their stories (TJX) come off like villains.

But those who are able to make their case can fare better in the court of public opinion.  They may also position themselves for a better overall outcome in legal proceedings.

–Benjamin Wright

Disclosure:  Mr. Wright has provided advice to LabMD.

Update July 2014: The epic struggle described above continues. LabMD's public communications campaign has attracted substantial attention from the US House of Representatives Committee on Oversight and Government Reform. The Committee is investigating alleged irregularities in FTC's probe of LabMD. Remarkably, the Chairman of the Committee has called for the FTC's Inspector General to investigate the performance of FTC staff in FTC's enforcement action against LabMD.

Update August 2014: Former employee of Infosec company pleads 5th Amendment in connection with FTC's investigation of LabMD.

Update November 2014: In administrative law court, LabMD wins a landmark decision against the FTC.