The LabMD Decision Reins in the FTC's Authority to Issue Broadly Worded and Ill-Defined Orders
In the 11th Circuit's highly anticipated decision in LabMD, Inc., v. FTC, the court declined to reach the most contentious issue in the case: the scope of the Federal Trade Commission's ("FTC") authority to regulate data privacy and security practices as an unfair act or practice under Section 5(n) of the FTC Act absent evidence of demonstrable harm resulting from a data breach or from identity theft. However, and importantly, the 11th Circuit chastened the FTC for issuing an order that the court deemed to be unreasonably broad and ill-defined.
This case began in August of 2013, when the Federal Trade Commission filed an administrative complaint against the now-defunct medical laboratory, LabMD, for its alleged failure to provide "reasonable and appropriate" protection for consumers' private information in violation of Section 5(a) of the FTC Act. The FTC based its allegations on an incident in which LabMD's billing manager inadvertently made a 1,718-page file ("the 1718 file") containing the personal information of 9,300 consumers available for download on a peer-to-peer file-sharing application called "LimeWire." LabMD was subsequently approached by Tiversa Holding Company ("Tiversa"), a data security company, which, in an effort to market its remediation services, notified LabMD that its 1718 file had been shared online and presented it with falsified reports that the file had been accessed by known identity thieves. When LabMD refused to purchase Tiversa's remediation services, Tiversa sent both the 1718 file and the falsified reports to the FTC in retaliation. Based on this information, the FTC filed a complaint against LabMD.
During the 2015 evidentiary hearing before Chief Administrative Law Judge Michael Chappell, it became clear that the 1718 file was never in the possession of identity thieves, or anyone else for that matter, and that Tiversa had manipulated the reports to make it appear that the file had been downloaded from multiple IP addresses. Without this key evidence from Tiversa, the FTC's case was "based only on an unspecified and theoretical 'risk' of future data breach and identity theft injury." Accordingly, Judge Chappell held that counsel for the FTC had failed to make the requisite showing under Section 5(n) of the Act that LabMD's conduct had "cause[d] or [was] likely to cause substantial injury to consumers." On appeal, the FTC overturned the administrative law judge's decision, finding that the FTC had shown that the release and exposure of the 1718 file on LimeWire caused an intangible privacy harm and was likely to cause substantial injury. Therefore, the FTC issued a cease and desist order requiring LabMD to institute a number of compliance measures.
LabMD appealed the FTC's decision to the 11th Circuit Court of Appeals and moved to stay the cease and desist order while the appeal was pending. Unsurprisingly, the FTC denied the motion to stay. On appeal of that denial, the 11th Circuit identified the key issue in the case as whether the FTC had correctly interpreted Section 5(n) of the Act when it held that LabMD's actions were "unfair" without identifying "any tangible harm to any consumer." The court sided with LabMD, granting the motion to stay on the basis that LabMD "made a strong showing that the FTC's factual findings and legal interpretations" were not reasonable. Based on this language, many anticipated that the 11th Circuit's decision regarding the cease and desist order would address what the FTC is required to prove in order to regulate data privacy and security practices on the grounds that they are "unfair." However, the court declined to reach this issue and instead decided the case on narrower grounds, assuming, for the sake of argument only, that LabMD's actions were "unfair" so as to give rise to the FTC's enforcement authority.
Although the 11th Circuit did not reach the substantial injury issue, its opinion is likely to have an important impact on the FTC's ability to regulate data privacy and security. The court held that coercive orders issued by the FTC must be specific, reasoning that because the violation of such an order can result in fines up to $41,484 per day or being held in contempt, to impose such severe penalties pursuant to an insufficiently specific order would constitute a denial of due process. With regard to the cease and desist order at issue, the court held that the order was unenforceable because the FTC cannot "command LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness." Enforcing this order would effectively require the district court to manage LabMD's business until it achieves compliance with the FTC's unarticulated concept of "reasonableness," which the court reasoned that "Congress could not have envisioned." Moreover, while the court did not terminate the FTC's ability to regulate data privacy and security per se, it did clarify that for an order from the FTC to be enforceable, it must contain specific prohibitions on a particular act or practice. The FTC cannot simply command that a company overhaul its systems. Significantly, many of the FTC's extant consent decrees addressing alleged "unfair" data security practices of businesses are drafted in the same broad mold as the order roundly criticized in the 11th Circuit's opinion.
It remains to be seen whether companies, emboldened by LabMD's victory, will begin to challenge the FTC's authority to regulate their data privacy practices more frequently. Officials at the FTC will need to determine whether to appeal the 11th Circuit's opinion to the United States Supreme Court within 90 days from the entry of the 11th Circuit's judgment. If they choose to do so, however, it will be at the risk that the Supreme Court could reach the issue of the substantial injury requirement and strip the FTC of its ability to practice data security enforcement, or at least limit such authority in a significant manner. Finally, in light of the LabMD decision, it will be fascinating to observe whether members of Congress seek adoption of specific federal data breach/data security legislation that may serve to ameliorate the need for the FTC to further test its unfairness authority in the area of data privacy.
Under Section 5(n) of the FTC Act (codified at 15 U.S.C. § 45(n)), the FTC has authority to declare an act or practice unlawful on the grounds that it is unfair only if: (1) the practice causes or is likely to cause substantial injury to consumers, (2) the injury is not reasonably avoidable by consumers themselves, and (3) the injury is not outweighed by countervailing benefits to consumers or competition.