Companies are still waiting for clarity on the extent of the Federal Trade Commission’s data security authority 14 months after an important appeal—much longer than the federal appeals court handling the case usually takes to decide cases.
In the absence of direct data security statutory or regulatory authority, the commission relies on FTC Act Section 5, a catch-all prohibition against unfair and deceptive trade practices. Medical testing company LabMD Inc. challenged the commission’s interpretation of this provision, arguing that no actual harm to consumers resulted from alleged lax data security, and therefore the FTC shouldn’t be allowed to take action based on general consumer protection standards.
The median period from the filing of a notice of appeal to disposition of a case for the U.S. Court of Appeals for the Eleventh Circuit was 4.4 months for the year from October 2015 to August 2016 and 8.4 months for October 2016 to September 2017, according to the Administrative Office of the U.S. Courts. LabMD Inc. filed its appeal Sept. 29, 2016.
"We anticipated an opinion months ago," Joseph Jerome, privacy and data policy counsel at the advocacy group the Center for Democracy & Technology in Washington, told Bloomberg Law.
The parties have asked the appeals court to define the scope of FTC's enforcement authority, and "that's a tall order, regardless of which side you are on," Craig A. Newman, chair of the data security practice at Patterson Belknap Webb & Tyler LLP in New York, told Bloomberg Law.
What an ultimate ruling in favor of the FTC's authority would mean for future data security enforcement action isn't certain.
“A decision affirming the FTC’s position would put more wind in the agency’s sails and further validate its position as the top federal enforcer in matters of data security, even in instances when the likelihood of consumer harm isn’t great," Newman said.
But not all think a new enforcement push would come from a ruling in the FTC's favor.
A pro-FTC opinion would simply maintain things as they were, and even if the Eleventh Circuit ruled for LabMD, it would most likely do so narrowly, Jerome said. But a ruling for the company would "certainly boost industry challenges that are trying to limit the scope of the FTC's authority to police corporate data practices."
The long running saga in LabMD Inc. v. FTC began in 2013 when the commission filed an administrative complaint against the Atlanta-based company for allegedly insecurely storing patient information on a peer-to-peer network. Rather than settling as most charged companies do, LabMD argued that no actual harm to consumers resulted from the alleged lax data security and, therefore, the FTC shouldn’t be allowed to take action based on general consumer protection standards.
An FTC administrative law judge ruled that the commission failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers. But in July 2016, the commission reversed, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5.
The company appealed and the Eleventh Circuit stayed the FTC's order until the court rules, saying it isn't clear whether a reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”
During June 21 oral argument, the appeals court asked how far the FTC’s enforcement authority might extend. The FTC responded that it can proceed on a case-by-case basis and that companies have a duty to act reasonably under the circumstances. The court criticized this approach, saying that this unclear standard of “reasonableness,” determined by the commissioners, isn’t “good public policy."
LabMD's counsel and the FTC declined Bloomberg Law's requests for comment.
To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg Law Privacy and Security Update.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)