LabMD – FTC Face-Off Continues Over FTC’s Data Privacy Authority

Jul 11, 2017

By Linda Henry



The U.S. Court of Appeals for the Eleventh Circuit recently heard oral arguments in LabMD, Inc. v. Federal Trade Commission, the long-running dispute over the FTC’s authority to impose liability for data security breaches even in the absence of actual consumer injury. The Court’s decision, which is expected in the coming months, will have widespread implications for companies’ potential liability for lax security practices.

The LabMD dispute dates back to 2013 when the FTC filed an administrative complaint against LabMD, alleging that it failed to reasonably protect the security of consumers’ personal data, including protected health information. The FTC maintained that LabMD’s data security practices caused or were likely to cause substantial consumer injury, and thus constituted an unfair business practice under Section 5 of the FTC Act (the “Act”). Rather than settling the complaint with the FTC, LabMD became the second company to challenge the FTC’s authority over companies’ data security practices.

In 2015, an Administrative Law Judge (“ALJ”) dismissed the case after finding that the FTC had not met its burden of proof for demonstrating that LabMD had engaged in unfair practices in violation of the Act. Section 5 of the Act provides that a business practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The ALJ found that the FTC failed to prove that LabMD’s data security practices were likely to cause “substantial consumer injury” as required by the Act, and cited the lack of evidence that anyone actually misused consumers’ data. The ALJ stated “[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”

The FTC later reversed the ALJ’s decision and maintained that the ALJ did not apply the correct legal standard in making its determination. The FTC stated: “contrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’ a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” According to the FTC, it need not wait for consumers to suffer actual harm before exercising its enforcement authority under Section 5 of the Act.

In November 2016, the Eleventh Circuit Court of Appeals granted a stay of enforcement of the FTC’s Final Order until the pending appeal is resolved, stating that “there are compelling reasons why the FTC’s interpretation may not be reasonable.” The Court questioned whether the Act covers intangible harms such as those at issue in the LabMD case, and also whether the FTC was correct that the phrase “likely to cause” substantial injury to consumers should be interpreted to mean “significant risk” rather than “probable” risk. The Court noted that it did not interpret “the word ‘likely’ to include something that has a low likelihood,” thus finding that the FTC’s interpretation was not reasonable.

In the oral arguments before the Eleventh Circuit on June 21, 2017, LabMD argued that the Court should reject the FTC’s argument that “purely conceptual privacy harm that the FTC found to exist, whenever there is any unauthorized access to any personal medical information, constitutes substantial injury within the meaning of Section 5 under the FTC Act.” In addition, LabMD urged the Court to consider the legislative history of the Act, and pointed to a policy statement on which Congress relied when enacting the Act. According to LabMD, Congressional intent was to expressly exclude subjective injuries and as a result, the Court should not accept the FTC’s position that “likely injury” under Section 5 of the Act includes low-likelihood harm.

In the oral arguments, the FTC maintained that there is nothing in the Act or the Act’s legislative history that limits substantial injury to tangible injury, and that companies have an obligation to act reasonably under the circumstances. The Court questioned whether there is an outer limit to the FTC’s enforcement approach or whether anything would be beyond the power of the Commission to reach; however, the FTC did not provide a direct answer to this question. When asked by the Court why the FTC did not use rulemaking to enact regulations that would address data privacy and security issues, the FTC replied that rulemaking is not an effective way to proceed in the cybersecurity context due to the ever-evolving nature of technology and cybersecurity threats. The FTC went on to argue that it is much more sensible to say that a company must act reasonably than to rely on rulemaking. The Court pressed for an explanation as to how a company could ever know with certainty what it means to act reasonably; however, the FTC maintained that failure to act reasonably under the circumstances is not a nebulous standard, and stressed that it does not act by using hindsight but rather considers what is reasonable at the time the security breach occurs.

As the oral arguments made clear, the Court’s decision is likely to significantly impact the FTC’s data security enforcement authority. If the Eleventh Circuit agrees with LabMD’s position that the FTC must demonstrate concrete consumer harm or injury in order to bring an enforcement action under Section 5 of the Act, speculative injury may no longer be a sufficient basis for liability. If, however, the Court finds in favor of the FTC, companies may face liability for data security breaches if the FTC is able to show a “significant” risk of consumer injury, even if such injury is not probable and has not actually occurred.

 
