Still Waiting on ‘LabMD’ Ruling on FTC Data Security Power


Companies are still waiting for clarity on the extent of the Federal Trade Commission’s data security authority 14 months after an important appeal—much longer than the federal appeals court handling the case usually takes to decide cases. 

In the absence of direct data security statutory or regulatory authority, the commission relies on FTC Act Section 5, a catch-all prohibition against unfair and deceptive trade practices. Medical testing company LabMD Inc. challenged the commission’s interpretation of this provision, arguing that no actual harm to consumers resulted from alleged lax data security, and therefore the FTC shouldn’t be allowed to take action based on general consumer protection standards.

The median period from the filing of a notice of appeal to disposition of a case for the U.S. Court of Appeals for the Eleventh Circuit was 4.4 months for the year from October 2015 to August 2016 and 8.4 months for October 2016 to September 2017, according to the Administrative Office of the U.S. Courts. LabMD Inc. filed its appeal Sept. 29, 2016.

"We anticipated an opinion months ago," Joseph Jerome, privacy and data policy counsel at the advocacy group the Center for Democracy & Technology in Washington, told Bloomberg Law.

The parties have asked the appeals court to define the scope of the FTC's enforcement authority, and "that's a tall order, regardless of which side you are on," Craig A. Newman, chair of the data security practice at Patterson Belknap Webb & Tyler LLP in New York, told Bloomberg Law.

What an ultimate ruling in favor of the FTC's authority would mean for future data security enforcement action isn't certain.

“A decision affirming the FTC’s position would put more wind in the agency’s sails and further validate its position as the top federal enforcer in matters of data security, even in instances when the likelihood of consumer harm isn’t great,” Newman said.

But not all think a new enforcement push would come from a ruling in the FTC's favor.

A pro-FTC opinion would simply maintain things as they were, and even if the Eleventh Circuit ruled for LabMD, it would most likely do so narrowly, Jerome said. But a ruling for the company would "certainly boost industry challenges that are trying to limit the scope of the FTC's authority to police corporate data practices."

The long-running saga in LabMD Inc. v. FTC began in 2013 when the commission filed an administrative complaint against the Atlanta-based company for allegedly insecurely storing patient information on a peer-to-peer network. Rather than settling as most charged companies do, LabMD argued that no actual harm to consumers resulted from the alleged lax data security and, therefore, the FTC shouldn’t be allowed to take action based on general consumer protection standards.

An FTC administrative law judge ruled that the commission failed to show that LabMD's data security practices either caused or were likely to cause substantial injury to consumers. But in July 2016, the commission reversed, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. 

The company appealed and the Eleventh Circuit stayed the FTC's order until the court rules, saying it isn't clear whether a reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”

During the June 21 oral argument, the appeals court asked how far the FTC’s enforcement authority might extend. The FTC responded that it can proceed on a case-by-case basis and that companies have a duty to act reasonably under the circumstances. The court criticized this approach, saying that this unclear standard of “reasonableness,” determined by the commissioners, isn’t “good public policy.”

LabMD's counsel and the FTC declined Bloomberg Law's requests for comment.
