One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard. The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices. Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable. Continue Reading What Does “Reasonable” Data Security Mean, Exactly?