LabMD and the Future of FTC Data Privacy Regulation
Posted in Litigation

The 11th Circuit recently released its long-awaited opinion in FTC v. LabMD. Anyone monitoring data privacy regulation in America has been waiting for this opinion to help corporations understand their obligations under US privacy regulation.

Unfortunately for those of us looking for clear guidance to pass along to our clients, the Court did not address many of the issues before it.

Background

LabMD was once a small company which analyzed medical specimens for the purpose of cancer diagnoses. In 2007, a peer-to-peer file-sharing application called LimeWire was installed on an employee's computer. LimeWire shares every file in the folder it uses for downloads with other users on the peer-to-peer network. In 2008, an employee of the IT security company Tiversa used LimeWire to download a file containing names, addresses, birthdates, Social Security numbers, insurance information, and laboratory test codes for 9,300 LabMD patients. Tiversa then offered its services to LabMD to investigate the purported breach, which LabMD refused. Ultimately, Tiversa alerted the Federal Trade Commission to the disclosure.

Authority & Enforcement Actions

The FTC roots its authority to regulate the cybersecurity practices of organizations in the FTC Act of 1914, which directs the Commission to prevent organizations from using “unfair and deceptive” practices in commerce. Practically, this gives the FTC two different tests for an organization’s data privacy and cybersecurity practices. The FTC has brought numerous enforcement actions related to data privacy under the “deceptive” prong of its authority. If an organization holds itself out as having implemented a certain data privacy practice, whether in a privacy policy or elsewhere, acting outside that data privacy practice has been considered “deceptive” by the FTC. The “unfair” prong of its authority has been used to bring actions against entities with known data breaches. Lax cybersecurity, the argument goes, is an unfair method of competition. This logic has allowed the FTC to bring actions against organizations which unreasonably risk unauthorized access to consumer information. Notably, the statute restricts what the FTC can deem unfair, stating “The Commission shall have no authority. . .to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves. . .” (15 USC §45(n)).

Typically, when an organization receives a Complaint from the FTC, it chooses to negotiate toward a settlement. Fighting the complaint will usually involve arguing before an Administrative Law Judge (“ALJ”). Should an organization win before the ALJ, the FTC appeals to the FTC commissioners - the very commissioners that direct the FTC to take these actions in the first place. Needless to say, the FTC’s record in getting the FTC to agree its actions are appropriate is pretty strong. The next level of appeal is to the Federal Court of Appeals. To “win” in the Court of Appeals is often to have the case remanded to a lower level to resume the litigation. These legal battles are costly and time-consuming. Indeed, the FTC issued its complaint against LabMD in August 2013; the decision from the 11th Circuit was released in June 2018. In the meantime, LabMD went out of business. Losing at any level will result in the issuance of a coercive order, either an injunction or a cease and desist order, which outlines what an organization subject to the order may not do.

LabMD’s Challenge

LabMD asserted, among other arguments, that the FTC did not have the authority to find LabMD’s practices unfair based on the facts, that the FTC’s regulation of organizations also subject to HIPAA was “reprehensible,” and that the coercive order was inappropriate.

Whether the FTC has the authority to regulate cybersecurity as an unfair business practice:

In 2014, the 3rd Circuit tackled substantially similar issues in FTC v. Wyndham Worldwide Corp. In Wyndham, the defendants argued that they had no notice of the specific cybersecurity practices which must be implemented to avoid liability. The Court found that the defendant was “entitled to a relatively low level of statutory notice” and that numerous FTC publications on best practices easily satisfied the notice requirement.

The FTC repeatedly cited Wyndham in its brief in LabMD (and interestingly, the Court in Wyndham referenced a previous ruling in the LabMD saga) to support its legal authority for its actions. The 11th Circuit did not reference Wyndham in its opinion in LabMD, and wrote its opinion such that it didn’t have to. The Court never analyzed the FTC’s authority to regulate cybersecurity practices as unfair business practices, but appeared slightly skeptical. Sidestepping the authority issue, the 11th Circuit instead focused solely on the coercive order.

Whether the FTC can regulate issues covered by HIPAA:

LabMD argued that the Health Insurance Portability and Accountability Act (“HIPAA”) gives the Department of Health and Human Services the exclusive right to regulate data security standards for the healthcare industry. Since LabMD was governed by HIPAA, the FTC could not also provide overlapping or conflicting regulation.

If LabMD had been successful on this issue, this opinion would be more significant. Indeed, the FTC has brought enforcement actions against Rite Aid (https://www.ftc.gov/enforcement/cases-proceedings/072-3121/rite-aid-corporation-matter), PaymentsMD (https://www.ftc.gov/enforcement/cases-proceedings/132-3088/paymentsmd-llc-matter), Accretive Health (https://www.ftc.gov/enforcement/cases-proceedings/122-3077/accretive-health-inc-matter), and others covered under HIPAA. In its brief, the FTC borrows a phrase from FTC v. Ken Roberts Co., saying that HHS and the FTC have “overlapping and concurring regulatory jurisdiction.”

The Court in this case did not address this issue or even mention the argument in its opinion. It did, however, say the following in its statement of the facts of the case: “LabMD was subject to data-security regulations issued under the Health Insurance Portability and Accountability Act of 1996, known colloquially as HIPAA.” The Court could have easily added that LabMD was subject to FTC rules as well, but did not. While not addressing the issue, the 11th Circuit has kept the door open on a challenge to the FTC’s authority to regulate healthcare entities already subject to HHS regulation through HIPAA.

Whether the Injunction was appropriate:

The Court in LabMD ruled that the coercive order is unenforceable based on the facts in this case. LabMD’s problem stemmed from an employee unknowingly sharing private information. The order, however, did not merely prohibit LabMD from allowing peer-to-peer software on its network; it instead required LabMD to implement a reasonable data security program. This reasonableness standard, according to the Court, is indeterminable. The Court was very concerned about having to enforce such orders, and imagined a battle of expert witnesses arguing over what a reasonable data security program looks like, after which the Court would still have to determine whether an organization was violating its coercive order.

The Future of FTC Regulation

The FTC has several options to consider related to the LabMD decision. It may appeal the 11th Circuit’s decision to the US Supreme Court, which could elect to hear the case or not. If this opinion stands, the FTC could limit its orders to enjoining specific, identified acts. Perhaps requiring a more definite data security standard, such as one published by an industry organization, would solve the problems the Court raised with the “reasonable” standard. The FTC could conceivably bring a similar action in a different circuit and hope for a circuit split. Alternatively, the FTC could reevaluate its role in enforcing data security issues altogether.

The FTC appears inclined to take up that last option. On June 20, the FTC announced hearings on what it refers to as “Competition and Consumer Protection in the 21st Century” (https://www.ftc.gov/news-events/press-releases/2018/06/ftc-announces-hearings-competition-consumer-protection-21st). Running from September 2018 through January 2019, these hearings are a time for “serious reflection and evaluation” where the FTC will listen to affected parties on a range of issues, including:

  • Competition and consumer protection issues in communication, information, and media technology networks;
  • The intersection between privacy, big data, and competition;
  • The Commission’s remedial authority to deter unfair and deceptive conduct in privacy and data security matters;
  • The role of intellectual property and competition policy in promoting innovation;
  • The agency’s investigation, enforcement, and remedial processes; and more.

Ultimately, the LabMD opinion does little to help companies unsure of the regulatory standard with which they must comply. The typical practice of having a court enter a coercive order mandating reasonable security practices is no longer acceptable, but the Court never said the FTC could not bring enforcement actions related to data security under the unfairness prong at all. Future actions will likely be informed by the upcoming public hearings and by the ongoing, slow-moving litigation of the few companies with the desire to challenge such actions instead of quickly settling.

  • Partner: John McCauley maintains a diverse commercial litigation and trial practice in state and federal courts throughout the United States. He has represented regional and national clients, as well as clients in Europe and Asia. John has ...
  • Associate: Kyle is an associate in the firm’s Litigation department in Louisville. Kyle represents clients in general business litigation and advises businesses on issues of law and technology. He counsels clients on software license ...
