By Jimmy H. Koo
Business and technology groups and other interested parties are adding their voices in support of federal appeals court arguments that the FTC exceeded its data security enforcement action authority (LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, amicus briefs filed 1/3/17).
Companies would welcome limitations on the commission’s authority or at least clarification about what constitutes reasonable data security. Some, including the now-defunct medical testing company LabMD Inc. in this case, have challenged the legality of the Federal Trade Commission’s actions when there are no regulations establishing such standards.
Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD—have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable. In the absence of direct data security statutory or regulatory authority, the FTC has relied on Section 5, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions.
LabMD and its supporters have urged the U.S. Court of Appeals for the Eleventh Circuit to vacate an enforcement order based on the lab’s alleged lax data security preceding a data breach.
The FTC’s order finding that “‘substantial’ injury can include intangible injury and even purely conceptual injury, that ‘likely’ injury can include improbable injury, and that a long-since discontinued practice nonetheless ‘is likely’ to cause injury” contravenes the “clear meaning” of Section 5 of the FTC Act, LabMD argued in its Dec. 27 brief.
Other interested parties, including the U.S. Chamber of Commerce, nonprofit groups TechFreedom and the International Center for Law & Economics, a cybersecurity specialist and medical doctors filed friend of the court briefs challenging the FTC’s authority to regulate cybersecurity and to bring administrative actions against companies.
However, according to Katherine E. Armstrong, counsel at Drinker Biddle & Reath LLP in Washington, “the arguments set forth in the briefs are really nothing new.” They were largely addressed throughout the lengthy proceeding and in the Third Circuit’s opinion in FTC v. Wyndham Worldwide Corp., “which affirmed the Commission’s authority under the FTC Act to challenge data security failures,” said Armstrong, who served as an FTC attorney for over 30 years.
In Wyndham, the hotelier challenged the FTC’s data security authority under the unfairness prong of Section 5 to take enforcement action against companies over allegedly lax data security practices. Wyndham ended up settling with the FTC in 2015 after the U.S. Court of Appeals for the Third Circuit ruled the agency didn’t have to provide a specific reasonable data security standard.
“Congress intended to delegate broad legal authority to the FTC under Section 5 rather than enumerate particular practices that are unfair,” Armstrong told Bloomberg BNA Jan. 5. “The FTC’s authority is not limitless which is why it has sought legislation to strengthen its existing data security authority and has requested civil penalty authority, jurisdiction over non-profits, and general rulemaking authority,” she said.
Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP in New York and chair of the firm’s privacy and data security group, told Bloomberg BNA Jan. 5 that “however decided by the Eleventh Circuit, the LabMD case will have sweeping implications for every organization under the FTC’s watch.”
“At its core, the appeal focuses on a question of statutory interpretation—whether an act or practice ‘causes or is likely to cause substantial injury to consumers,’” Newman said.
“The Eleventh Circuit will need to consider what sort of consumer injury is sufficient to satisfy this standard. In a preliminary ruling, the court has already signaled that it is looking for more than hypothetical harm,” Newman said.
“What’s striking about this appeal is that LabMD—as a medical testing lab—was already subject to specific data security oversight by the Department of Health and Human Services. At the same time, the FTC was making very different demands on LabMD,” Newman told Bloomberg BNA.
Privacy and security attorneys have previously told Bloomberg BNA that there need to be clear-cut benchmarks for what constitutes reasonable security. Nathan A. Kottkamp, health privacy partner at McGuireWoods LLP in Richmond, Va., likened complying with FTC data security standards under Section 5 to playing a game with rules that change as it is being played.
The FTC “has increasingly wielded its enforcement authority to extract settlements from businesses that have been victimized by data-security breaches and that had no formal notice of the standards the FTC accuses them of violating,” the Chamber of Commerce said in its Jan. 3 brief.
“Although the FTC plays an important role in protecting consumers, its ‘unfairness’ authority does not include setting and enforcing—whether through litigation or consent orders—general data-security policy,” it said.
In their brief, the International Center for Law & Economics and TechFreedom argued that the FTC has “failed to articulate a standard by which companies themselves should weigh costs and benefits to determine which risks are sufficiently foreseeable that they can be mitigated cost-effectively.”
Further, cybersecurity specialist Gary Milifsky argued that the commission isn’t a “good candidate to undertake to guarantee the security of computer networks” and that its “statutory warrant” for such an authority isn’t clear.
The FTC told Bloomberg BNA that it had no comment on the briefs. The FTC’s reply brief in the case is due Jan. 26.
To contact the reporter on this story: Jimmy H. Koo in Washington at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.