FTC Security Cases to Continue in '17 Amid Uncertainty

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

  • Companies should expect continuing data security enforcement action from FTC in 2017
  • Commission needs to clarify its FTC Act-based data security standards, attorneys say

By Jimmy H. Koo

Dec. 6 — Policing U.S. companies' data security practices should remain a Federal Trade Commission priority in 2017, even as agency-watchers await a ruling that promises to shed light on the FTC's data security enforcement authority.

Companies under the FTC's jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD Inc.—have struggled with what level of data security they must provide to convince the nation's main data security and privacy enforcement agency that their efforts to protect personal data are reasonable.

The FTC shows no signs of slowing its security enforcement pace in 2017, despite gripes from some practitioners that the agency hasn't provided a sufficiently clear data security standard for companies to follow.

It remains unclear who President-elect Donald Trump (R) will nominate as Federal Trade Commissioners, or what impact the new administration could have on FTC policy.

Presently, the five-member commission is down to three: Chairwoman Edith Ramirez (D), who has continued as a holdover appointment; Maureen K. Ohlhausen (R), whose term expires Sept. 25, 2018; and Terrell McSweeny (D), who is confirmed as a commissioner through Sept. 25, 2017.

D. Reed Freeman, partner at Wilmer Cutler Pickering Hale and Dorr LLP in Washington, has told Bloomberg BNA that Ramirez “hasn't given any indication of her intentions to stay on the FTC,” but she has been on the commission since 2010 and may seek to return to California. If Ramirez leaves the FTC without a replacement, don't expect the commission to miss a step, he said.

Freeman said the field of future FTC appointees is “wide open.” It is expected that Trump would pick at least “one commissioner that is a well-known antitrust lawyer” and one with a “background in consumer protection issues,” he said.

Stephanie A. Martz, public policy principal at Monument Policy Group in Washington, has told Bloomberg BNA that commission appointees usually “are willing to defer to the preferences of the incoming president.”

On Horizon in 2017

A top data security case to watch in 2017 is a challenge in the U.S. Court of Appeals for the Eleventh Circuit that could have far-ranging ramifications for U.S. businesses ( LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, petition filed 9/29/16 ).

It started with FTC allegations in 2013 that Atlanta-based LabMD was storing patient information insecurely, on a peer-to-peer network.

The now-defunct medical testing company countered that the agency hadn't issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.

LabMD objected to the FTC's longtime use of Section 5 of the Federal Trade Commission Act, which the agency relies on in privacy and data security enforcement actions. The catch-all provision bars unfair and deceptive trade practices, which the FTC says include lax corporate security and broken company privacy promises.

Circuit Split in Offing?

Since the FTC first began enforcing privacy and data security, virtually all targeted companies have elected not to challenge the FTC's enforcement authority, instead entering no-fault consent orders with the commission.

There have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp. and Snapchat Inc. are among the companies that have settled with the agency.

An exception is Hotelier Wyndham Worldwide Corp., which challenged the FTC's data security authority under the unfairness prong of Section 5 to take enforcement action against companies over allegedly lax data security practices.

Wyndham ended up settling with the FTC in 2015 after the U.S. Court of Appeals for the Third Circuit ruled the agency didn't have to provide a specific reasonable data security standard.

Chris Jay Hoofnagle, a technology, privacy and law professor at the University of California, Berkeley, said if LabMD is victorious at the Eleventh Circuit, it could create a circuit split with an opinion by the U.S. Court of Appeals for the Third Circuit in Wyndham.

Game With Ever-Changing Rules?

Nathan A. Kottkamp, health privacy partner at McGuireWoods LLP in Richmond, Va., likened complying with FTC data security standards under Section 5 to playing a game with rules that change as it is being played.

He said there need to be clear cut benchmarks for what constitutes reasonable security.

For its part, the FTC has long said its data security standard is not lacking. The agency tells companies that the data security standard can be parsed by looking at the lessons learned from numerous FTC consent decrees with alleged Section 5 violators, as well as agency guidance.

Ramirez recently told senators in a letter that Section 5 “supplies constitutionally adequate notice of its requirements.” What a reasonable data security standard is depends on “the size of the company, the sensitivity and volume of the data,” she said.

Reasonable Interpretation

Following numerous twists and turns in the LabMD case, the FTC in June decided that LabMD’s data security practices were unreasonable. LabMD sought a stay, which the FTC denied, and the lab appealed to the Eleventh Circuit.

The Eleventh Circuit Nov. 10 stayed the FTC's enforcement order against LabMD. The commission had found that the disclosure of sensitive personal and health information was enough to establish consumer harm under Section 5. LabMD's brief is due by Dec. 27.

20 billion

The appeals court held that the case depended on whether the FTC's interpretation of its enforcement authority was reasonable. The court concluded that there are “compelling reasons” why the commission’s interpretation may not be reasonable.

Janis C. Kestenbaum, a privacy partner at Perkins Coie LLP in Washington, told Bloomberg BNA that the Eleventh Circuit's decision “suggests that the FTC’s ruling in LabMD is in jeopardy.”

A reversal of the FTC by the Eleventh Circuit “would likely limit the application of the FTC’s Section 5 unfairness authority where there is no evidence that monetary or physical injury from a data breach is probable—a ‘significant risk' of such injury would not suffice,” she said.

“That limitation—which the Eleventh Circuit seems ready to adopt—could come to bear where there has been a security incident without any evidence of subsequent misuse of the data, particularly where there was no criminal intrusion,” Kestenbaum said.

Regardless of the outcome, the LabMD challenge has influenced the FTC to “hang much more meat on security guidance,” Hoofnagle told Bloomberg BNA. The commission is starting to provide more information, through blog posts and guidance documents, about what level of security is required to avoid being the target of an enforcement action, he said.

Evolving Data Security Standards

Despite the possible clarification of the data security standard in the future by the Eleventh Circuit, the commission's stance remains unclear, practitioners told Bloomberg BNA.

Although Hoofnagle agreed that there should be more explicit guidance as to what is reasonable, he said data security by its nature is tricky, in that “the rule is constantly changing.”

Douglas Henkin, a trial and appellate practice partner at Baker Botts LLP in New York, told Bloomberg BNA that even without specific guidance, companies should address data security broadly to enable them to think in ways to please all regulators, not just the FTC.

There is no such thing as perfect security, but “make sure to take security seriously by design,” Henkin said.

Katherine E. Armstrong, counsel at Drinker Biddle & Reath LLP in Washington, said LabMD might “spur Congress to give FTC rulemaking authority.”

On Tap for 2017: Internet of Things

The new year also brings the likelihood that the FTC will turn its attention to data security cases involving the wildly growing internet of things (IoT), or connected devices, privacy and security attorneys told Bloomberg BNA.

Regardless of the challenges to the FTC's enforcement authority, the commission will be compelled to continue aggressive data security enforcement activity to address the ever-expanding IoT, attorneys said.

“The commission must think about IoT security—that's where the economy is going,” Kottkamp said.

The number of connected devices is expected to skyrocket. Some have predicted that by 2020 more than 20 billion devices will be connected, up from more than 6 billion in 2016.

Armstrong told Bloomberg BNA that the workshops and events that the FTC organizes are good indicators of the agency's areas of future interest. Recent FTC events have covered IoT, drones and ransomware.

Hoofnagle said that the commission will want to pursue cases that “create new privacy and security law.” Recent distributed denial-of-service attacks that paralyzed internet services for the U.S. East Coast show that IoT security is “very important,” he said.

“IoT begins and ends with security,” Hoofnagle said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security