In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.
Judge Gerald B. Tjoflat, writing for the three-judge panel in a 31-page ruling, found that the commission could only bar specific practices and can’t require a company to “overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”
Yesterday’s ruling is a hard-fought but pyrrhic victory for LabMD since it has been a casualty of the litigation, closing its doors years ago. But for other businesses under the FTC’s jurisdiction, the ruling raises potentially far-reaching questions about the agency’s authority to bring future data enforcement actions based on practices it deems unreasonable without pointing to specific facts and circumstances, data security flaws or vulnerabilities as well as the statutory or legal basis for such a finding.
The ruling also potentially opens the door to a challenge of past consent decrees entered into by the FTC concerning data security since all of them contain almost identical language about a general reasonableness standard without specifics.
And perhaps even more significant, the decision seems to circumscribe the agency’s general enforcement authority under the “unfairness” prong of Section 5 of the FTC Act. The agency possesses the authority under Section 5 of the Act to prohibit and prosecute unfair acts or practices harmful to consumers. But the court held that the “Commission must find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes or the common law.” The FTC’s ruling did not cite the source of the standard of unfairness it used in holding that LabMD’s data security practices were unreasonable. The court side-stepped further analysis of this issue and assumed arguendo that the Commission was correct and that LabMD was negligent.
The FTC has two options if it wants to challenge the ruling. It can either petition for rehearing before the entire Eleventh Circuit or could ask the U.S. Supreme Court to review the case. The former is a more likely path.
Background.The LabMD case began in 2010 when the FTC commenced an investigation into the company’s data security practices. After several years of contentious back-and-forth, the agency in 2013 filed an Administrative Complaint alleging that LabMD failed to adequately protect patient medical data in violation of Section 5 of the FTC Act. Section 5 – the agency’s primary enforcement authority – prohibits “unfair” acts or practices that affect commerce. An act or practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The case initially focused on two data security incidents. It’s difficult to call them “data breaches,” in the traditional sense, because there's no evidence of an actual breach or misuse of the information at issue.
The first incident concerns an allegation that an internal LabMD report with names, dates of birth, social security numbers and other information for some 9,000 patients was compromised. But the back story is complicated. A cybersecurity firm, Tiversa, Inc., apparently “discovered” the report on a peer-to-peer file sharing program that had been installed on one computer in the accounting department at LabMD. There’s been no evidence that the document was shared with anyone other than the FTC, or that any identity theft or other harm occurred.
The second incident concerns a document with sensitive information of 500 additional patients that ended up in the possession of apparent identity thieves in California. Again, the record is devoid of any evidence of identity theft or misuse of the document or information. The second incident eventually dropped out of the case.
ALJ’s Decision. In a sharply worded ruling, Chief Administrative Law Judge D. Michael Chappell initially threw out the FTC’s case against LabMD, calling the agency’s testimony and evidence unreliable and untrustworthy. Chappell also concluded that the agency failed to show any proof of actual consumer injury and rejected the theory that a hypothetical risk of future harm met the requirements of Section 5.
He concluded that, “[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”
FTC Appeal. The agency’s staff appealed to the full Commission. In its Opinion and Final Order, the Commission reinstated the case, holding that the ALJ applied the “wrong” legal standard and that the pertinent inquiry was whether the act or practice poses a “significant risk” of injury to consumers. “[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’ a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action. It also found LabMD’s security practices unreasonable and “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system….”
As readers of this blog know, the Eleventh Circuit’s ruling yesterday is only the most recent chapter in a long-running legal battle waged by LabMD. It is the only company subject to an FTC data security enforcement action that has refused to settle with the agency. Nearly 60 other companies have entered into consent decrees with the agency since 2000 concerning agency findings of unreasonable data security practices.
We’ll look at the practical implications of the Eleventh Circuit’s ruling in a future blog post.
