A Blog About FTC regulations and happenings
Eleventh Circuit Assumes FTC’s Data Security Enforcement Authority, But Mandates Specificity for FTC Orders
On June 6, 2018, the United States Court of Appeals for the Eleventh Circuit issued a landmark ruling in LabMD v. Federal Trade Commission. While the Eleventh Circuit impliedly held that the Federal Trade Commission (“FTC”) has authority to take enforcement action against companies whose unfair practices lead to data security incidents that pose substantial injury to consumers, it severely curtailed the FTC’s ability to issue orders to remediate such practices.
The Eleventh Circuit’s decision is the latest chapter in a lengthy saga. The court’s decision originates from LabMD’s 2013 challenge to the FTC’s allegations that LabMD violated the unfairness prong of Section 5(a) of the FTC Act by failing to institute and follow reasonable data security measures in its medical diagnostic business. The case began in 2008, when personal information for over 9,000 consumers was found on a peer-to-peer file-sharing network that a LabMD employee installed on her computer. In 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.
The FTC’s complaint alleged that LabMD had committed an “unfair act or practice” prohibited by Section 5(a) by “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” Rather than allege specific acts or practices that LabMD engaged in, however, the FTC’s complaint set forth a number of data-security measures that LabMD failed to perform, including, among other things, that LabMD did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information; did not adequately train employees to safeguard personal information; and did not maintain and update operating systems of computers and other devices on its networks.
In its challenge, the now-defunct LabMD became the second company, following Wyndham Worldwide Corporation, to challenge the FTC’s Section 5(a) authority. Section 5(a) declares unlawful “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” It empowers and directs the Commission “to prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” Section 5(n) of the FTC Act states, as a prerequisite for an act or practice to be unfair, “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
In 2016, an administrative law judge (“ALJ”) dismissed the FTC’s complaint against LabMD and found that the FTC had failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security practices constitutes an unfair practice. Further, the ALJ held that the FTC did not prove that the practices either caused or were likely to cause substantial consumer injury.
The FTC commissioners unanimously voted to reverse the ALJ’s decision. The FTC found that LabMD “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network.” Therefore, the FTC commissioners concluded, LabMD’s “data security practices were unfair under Section 5.” Further, the FTC found that this failure violated the unfairness prong because it caused “substantial” harm to consumers. Finally, as part of their decision, the FTC commissioners issued a cease-and-desist order that obligates LabMD to implement and maintain a comprehensive data security program. The order required the program to include, among other things, the designation of an employee to coordinate and be accountable for the program, reasonable safeguards to control identified risks, and the development of vendor oversight processes. In addition, the FTC ordered LabMD to submit to initial and biennial assessments by an independent third party, and to provide notice to all consumers affected by the data protection lapse and their health insurance companies.
In response, LabMD petitioned the Eleventh Circuit to vacate the order, arguing that the order is unenforceable because it does not address an unfair act or practice within the meaning of Section 5(a). Last week, the Eleventh Circuit issued its long-awaited decision on LabMD’s petition. In that decision, the court vacated the FTC’s cease-and-desist order against LabMD for lack of specificity. Perhaps more importantly, however, the court recognized, at least impliedly, that the FTC has the authority to regulate the data security practices of entities under the FTC’s jurisdiction. Specifically, the appellate court stated, “We will assume arguendo that the Commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data-security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”
The point regarding the FTC’s authority is a crucial one. LabMD’s lawyers, along with amici including the United States Chamber of Commerce and the National Federation of Independent Business, had argued that the FTC’s enforcement authority over unfair practices does not extend to data security. Indeed, there is some merit to this argument. The European General Data Protection Regulation of 2018 contains over 55,000 words setting forth its enforcement authority on the subject of data protection. By comparison, Section 5(a) of the FTC Act, which dates back to 1914 and was amended in 1938, contains a mere 14 words (“unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful”). Those 14 words, drafted decades before the issue of data privacy arose, arguably do not encompass enforcement authority as contemplated in the LabMD cease-and-desist order.
The courts that have taken up the issue disagree – either explicitly or implicitly. While the Third Circuit Court of Appeals in the Wyndham case rejected the argument that data security falls outside the FTC’s enforcement mandate over unfair practices, the Eleventh Circuit sidestepped the issue. It simply assumed arguendo that this authority exists and is grounded in “consumers’ right to privacy.” The 14 words of Section 5(a), however, do not mention consumers’ right to privacy.
The import of the Eleventh Circuit’s holding cannot be overstated. To contextualize this holding, if the appellate court had held that the enforcement action against LabMD was beyond the FTC’s authority, the Supreme Court may have had to take up the issue on a further appeal because of a direct conflict with the holding in the Wyndham decision. Further, a decision denying FTC authority could have spurred Congress to enact national data security legislation, which it has considered without passage. The FTC in its Wyndham and LabMD enforcement actions has faced the question of what constitutes “reasonable” data security measures in an ad hoc fashion. If the FTC’s data security enforcement authority were stripped away, it would fall to Congress, if not other agencies, to take up the charge of what constitutes reasonable data security measures.
As for the effect of the Eleventh Circuit’s holding on the FTC and businesses, targeted companies likely will challenge any order addressing data security mechanisms that lacks specificity. The FTC has avoided specificity in its orders due to the rapidly changing nature of technologies. However, the agency now faces further scrutiny as it issues orders giving specific conditions without specifying the means to meet those conditions. The Eleventh Circuit’s ruling could also encourage the newly-reconstituted FTC to promulgate actual rules setting forth data security standards, rather than piecemeal case-by-case rulings. While rules would have to adapt to changes in technology, they would at least provide clear guidance to organizations and be created through a public notice and comment rulemaking process through which a wide range of relevant stakeholders could participate, instead of the more insulated FTC enforcement to date.