Judges Question FTC Data Security Standard at LabMD Argument

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

The Federal Trade Commission’s data security enforcement standard came under fire June 22 from a panel of federal appeals court judges ( LabMD, Inc. v. FTC , 11th Cir., No. 16-16270, oral argument 6/21/17 ).

As predicted, the level of harm required for the FTC to act was “front and center” during the oral argument. Attorneys for the FTC and the now-defunct medical testing company LabMD Inc. squared off before the U.S. Court of Appeals for the Eleventh Circuit over what level of data breach injury is sufficient to allow the privacy regulator to take enforcement action.

Companies subject to the FTC’s data security enforcement authority, will be strongly affected by the court’s ruling on whether to uphold the FTC’s enforcement standard.

In the absence of direct data security statutory or regulatory authority, the commission has relied on FTC Act’s Section 5, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions. The FTC requires reasonable data security safeguards for sensitive information and takes action against companies it deems to have lax security that improperly exposed data causing a substantial risk to affected individuals. A wide variety of companies, from social media giant Twitter Inc. to identity theft services company Lifelock Inc., have faced FTC enforcement action over their alleged insufficient data security.

Douglas H. Meal, litigation partner at Ropes & Gray in Boston and counsel for LabMD, argued that the court shouldn’t accept the FTC’s “purely conceptual” argument that there is “substantial injury” sufficient to act against a company over alleged lax data security based only on “any unauthorized access to any personal medical information” rather than evidence of “tangible injury.”

The FTC’s “subjective harm” standard isn’t authorized by Congress or established in regulations, and it gives the FTC too much enforcement discretion, Meal said.

A commission attorney told the court that nothing in the FTC Act’s text or legislative history says that “intangible injuries are off limits.”

FTC Standard Criticized

According to an audio recording of the oral argument, the bench questioned the “outer limits” of the FTC’s enforcement authority and asked the FTC’s counsel why the commission doesn’t engage in rulemaking to define reasonable security.

Rulemaking isn’t effective and there are too many variables, as standards are always changing, the FTC’s counsel said.

The court, however, questioned how companies are supposed to know “that they’re violating what they’re violating,” if there are no rules.

The FTC said that it is “entitled to proceed in a case-by-case” manner and that companies have “duty to act reasonably under the circumstances.”

Judge Gerald Bard Tjoflat responded that such a standard is “as nebulous as you can get.”

The FTC’s counsel said that data security threats and new technologies are constantly changing, and therefore, it makes more sense to say “you have to act reasonably” than to have specific rules. The court criticized this approach, saying that this unclear standard of “reasonableness,” determined by the commissioners, isn’t “good public policy.”

Judges Charles R. Wilson and Eduardo C. Robreno also sat on the bench for the oral argument.

Rulemaking Possibilities

Meal said there are instances of successful rulemaking in other agencies, citing Health Insurance Portability and Accountability Act regulations by the Department of Health an Human Services. “What about payment card security rulemaking? It’s not impossible,” Meal said.

If the FTC wishes to change the standard for actionable injury, the commission should “go to congress,” Meal said. Just because the commissioners want to change the standard, it doesn’t mean you can change it, he told the court.

Meal, who has been the lead outside lawyer for numerous companies facing claims from data security breaches, including Target Corp., Neiman Marcus Group LLC, The Home Depot Corp., and Wyndham Worldwide Corp, told Bloomberg BNA that “we greatly appreciate the time and attention the court is giving to LabMD’s arguments.”

The FTC declined to comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full audio recording of the oral argument is available at http://www.ca11.uscourts.gov/oral-argument-recordings.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security