FTC Data Security Enforcement ‘Repugnant,’ LabMD Says

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

The Federal Trade Commission’s data security enforcement action against now-defunct medical testing company LabMD Inc. is “repugnant to comprehensive healthcare regulation,” the company said in a March 9 court filing ( LabMD, Inc. v. FTC , 11th Cir., No. 16-16270, reply brief filed 3/9/17 ).

LabMD also challenged the commission’s interpretation of its enforcement authority under the FTC Act, telling the U.S. Court of Appeals for the Eleventh Circuit that the FTC’s interpretation of the statute “is directly at odds with Congress’s clear intent and is, in any event, unreasonable.”

Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD—have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable.

In the absence of direct data security statutory or regulatory authority, the FTC has relied on the act’s Section 5, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions.

In its reply brief, LabMD said the commission failed to provide “ascertainable certainty of its interpretation” of “reasonable security” under Section 5. The commission hasn’t provided “meaningful guidance as to what specific security measures or approaches it believes” are required under Section 5, it said.

The company also reasserted its challenge against the FTC’s interpretation of “likely” and “substantial injury.” Likely doesn’t include low probability events, it said. The FTC, without any basis for assertion, equates “substantial injury” with the standard for “legally cognizable injury” required to sue in federal court, also known as Article III standing, LabMD said. If Congress wanted to equate substantial injury with legally cognizable injury, “it would have expressly adopted that test,” it said.

An FTC spokeswoman told Bloomberg BNA March 10 that the commission doesn’t “comment on pending litigation.”

Ropes & Gray LLP is representing LabMD.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security