Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Jimmy H. Koo
The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA.
One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said.
The issue of harm will be “front and center,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington, told Bloomberg BNA.
Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.
The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.
Companies under the FTC’s jurisdiction, from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.
Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.
To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.
The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.
LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.
The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”
The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.
Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.
LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.
LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.
To contact the reporter on this story: Jimmy H. Koo in Washington at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)