Since the Federal Trade Commission began bringing data security enforcement actions in 2002, no court had ruled on the substantive merits of the FTC’s approach. A panel of three Eleventh Circuit judges decisively rejected the FTC’s use of broad, vague consent decrees, in the LabMD v Federal Trade Commission ruling that the Commission may only bar specific practices, and cannot require a company “to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.” We are joined by TechFreedom’s President Berin Szóka and Legal Fellow Graham Owens. They explain why this case is so crucial, what’s next for the FTC and what policy changes can be on the horizon.