Over the past several years, the Federal Trade Commission has emerged as the de facto national regulator of online security and privacy. While banking and health regulators hold sway over their specific industries, the FTC has used its authority under Section 5 of the Federal Trade Commission Act, which addresses unfair or deceptive acts or practices, to pursue companies that it believes have misleading privacy statements or fail to secure personal customer information. It has brought actions against, and entered into settlements with, a variety of companies, including hotels, data service providers, retailers and others. In most cases, the defendants have settled to avoid expensive and damaging litigation.
One of the few companies that chose not to settle was LabMD. LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. The configuration of the application unintentionally allowed sensitive files on her computer to be shared on the LimeWire network and made public. This vulnerability was discovered by an independent security consulting company, Tiversa, whose business model is to search for possible security breaches and offer to fix them for a fee. Tiversa, upon discovering the vulnerability, stole a file containing insurance records for approximately 9,300 patients as evidence of the vulnerability and sought to have LabMD hire them. After LabMD refused to engage Tiversa, Tiversa reported LabMD’s vulnerability to the FTC.
The FTC began an investigation and ultimately sued LabMD. After many years of acrimonious litigation, which included a congressional investigation, the FTC issued a final order in July 2016 finding that LabMD’s conduct constituted an unfair business practice. The order overruled the prior order by the commission’s chief administrative law judge, who had rejected the FTC’s claims against LabMD, holding, among other things, that the mere possibility of harm alleged by the commission was too speculative to support a finding that LabMD’s security practices were “likely to cause substantial injury to consumers.”
LabMD is effectively out of business. The computer on which its data resides is turned off and not connected to the Internet, and is maintained only because the data consists of patient records that need to be made available from time to time to the patients’ doctors. Notwithstanding that fact, the FTC’s order required LabMD to secure its computers at a cost estimated by LabMD to total $250,000.
LabMD brought suit in the 11th Circuit Court of Appeals to challenge the FTC’s order, and it asked the FTC to stay the requirements of the order pending that appeal. Just before Thanksgiving, the Court issued an order staying enforcement of the FTC’s order.
Key to the Court’s decision was its determination that, contrary to the FTC’s conclusion, LabMD would be irreparably harmed if required to comply with the FTC’s order, and that staying the order would not substantially harm others. Moreover, the Court determined that LabMD would probably prevail against the FTC because the FTC was unlikely to show that LabMD’s actions were “likely to cause” substantial consumer injury.
The Court’s decision is notable for two reasons. First, it reinforces a key element in litigation involving data breaches: courts are unwilling to hold a company liable for damages where the plaintiff cannot show that it suffered damages. For example, in Spokeo, Inc. v. Robins, the United States Supreme Court found that an online search engine’s failure to accurately collect and report an individual’s personal information was insufficient to establish standing, holding that a mere technical violation of a consumer protection statute, without any further alleged harm to the plaintiff, failed to constitute an injury that was both “concrete and particularized” and “actual or imminent.” Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016).
Second, other courts have also expressed concern about the FTC’s efforts to appoint itself as the nation’s top cop for cybersecurity. To date, six circuit court judges, two district court judges, and the FTC’s Chief ALJ have all taken issue with the FTC’s decisions and legal interpretations. In an age of increased suspicion of governmental action, the FTC may find it increasingly difficult to maintain its position as the practical regulator of cybersecurity.
If more courts adopt the 11th Circuit’s position in LabMD, it could signal a significant shift in federal oversight of cybersecurity, and leave a void in federal regulation of cybersecurity practices. The FTC stepped in to regulate cybersecurity because, while the states have been active in regulating cybersecurity, no other federal agency has taken ownership of the issue, and the conflicting state laws have created a void in consistent regulation. It may take congressional action to resolve the issue – and if the past is any predictor of the future, that action may be long in coming.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.