FTC Overstepped Data Security Authority: Appeal Briefs


By Jimmy H. Koo

Business and technology groups and other interested parties are adding their voices in support of federal appeals court arguments that the FTC exceeded its data security enforcement action authority (LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, amicus briefs filed 1/3/17).

Companies would welcome limitations on the commission’s authority or at least clarification about what constitutes reasonable data security. Some, including the now-defunct medical testing company LabMD Inc. in this case, have challenged the legality of the Federal Trade Commission’s actions when there are no regulations establishing such standards.

Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD—have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable. In the absence of direct data security statutory or regulatory authority, the FTC has relied on Section 5, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions.

LabMD and its supporters have urged the U.S. Court of Appeals for the Eleventh Circuit to vacate an enforcement order based on the lab’s alleged lax data security preceding a data breach.

The FTC’s order finding that “‘substantial’ injury can include intangible injury and even purely conceptual injury, that ‘likely’ injury can include improbable injury, and that a long-since discontinued practice nonetheless ‘is likely’ to cause injury” contravenes the “clear meaning” of Section 5 of the FTC Act, LabMD argued in its Dec. 27 brief.

Other interested parties, including the U.S. Chamber of Commerce, nonprofit groups TechFreedom and the International Center for Law & Economics, a cybersecurity specialist and medical doctors, filed friend-of-the-court briefs challenging the FTC’s authority to regulate cybersecurity and to bring administrative actions against companies.

However, according to Katherine E. Armstrong, counsel at Drinker Biddle & Reath LLP in Washington, “the arguments set forth in the briefs are really nothing new.” They were largely addressed throughout the lengthy proceeding and in the Third Circuit’s opinion in FTC v. Wyndham Worldwide Corp., “which affirmed the Commission’s authority under the FTC Act to challenge data security failures,” said Armstrong, who served as an FTC attorney for over 30 years.

In Wyndham, the hotelier challenged the FTC’s data security authority under the unfairness prong of Section 5 to take enforcement action against companies over allegedly lax data security practices. Wyndham ended up settling with the FTC in 2015 after the U.S. Court of Appeals for the Third Circuit ruled the agency didn’t have to provide a specific reasonable data security standard.

“Congress intended to delegate broad legal authority to the FTC under Section 5 rather than enumerate particular practices that are unfair,” Armstrong told Bloomberg BNA Jan. 5. “The FTC’s authority is not limitless which is why it has sought legislation to strengthen its existing data security authority and has requested civil penalty authority, jurisdiction over non-profits, and general rulemaking authority,” she said.

‘Sweeping Implications’

Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP in New York and chair of the firm’s privacy and data security group, told Bloomberg BNA Jan. 5 that “however decided by the Eleventh Circuit, the LabMD case will have sweeping implications for every organization under the FTC’s watch.”

“At its core, the appeal focuses on a question of statutory interpretation—whether an act or practice ‘causes or is likely to cause substantial injury to consumers,’” Newman said.

“The Eleventh Circuit will need to consider what sort of consumer injury is sufficient to satisfy this standard. In a preliminary ruling, the court has already signaled that it is looking for more than hypothetical harm,” Newman said.

“What’s striking about this appeal is that LabMD—as a medical testing lab—was already subject to specific data security oversight by the Department of Health and Human Services. At the same time, the FTC was making very different demands on LabMD,” Newman told Bloomberg BNA.

Unclear Standards, Authority

Privacy and security attorneys have previously told Bloomberg BNA that there need to be clear-cut benchmarks for what constitutes reasonable security. Nathan A. Kottkamp, health privacy partner at McGuireWoods LLP in Richmond, Va., likened complying with FTC data security standards under Section 5 to playing a game with rules that change as it is being played.

The FTC “has increasingly wielded its enforcement authority to extract settlements from businesses that have been victimized by data-security breaches and that had no formal notice of the standards the FTC accuses them of violating,” the Chamber of Commerce said in its Jan. 3 brief.

“Although the FTC plays an important role in protecting consumers, its ‘unfairness’ authority does not include setting and enforcing—whether through litigation or consent orders—general data-security policy,” it said.

In their brief, the International Center for Law & Economics and TechFreedom argued that the FTC has “failed to articulate a standard by which companies themselves should weigh costs and benefits to determine which risks are sufficiently foreseeable that they can be mitigated cost-effectively.”

Further, cybersecurity specialist Gary Milifsky argued that the commission isn’t a “good candidate to undertake to guarantee the security of computer networks” and that its “statutory warrant” for such an authority isn’t clear.

The FTC told Bloomberg BNA that it had no comment on the briefs. The FTC’s reply brief in the case is due Jan. 26.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
