On The Case

There’s a big problem for the FTC lurking in 11th Circuit’s LabMD data-security ruling

(Reuters) - The obvious takeaway from the 11th U.S. Circuit Court of Appeals’ milestone ruling Wednesday in LabMD v. Federal Trade Commission is that the FTC is probably going to have to tailor the conditions it imposes on companies it has accused of failing to safeguard consumer data. The 11th Circuit said the FTC’s cease and desist order against LabMD, a cancer-screening company that went out of business in the course of litigating against the commission, was unenforceable because it required the company to meet a vague standard of reasonableness. If the ruling stands, the FTC will have to set specific data security benchmarks for corporate defendants.

The less-obvious takeaway is that the 11th Circuit did not strip the FTC of authority to police data security. LabMD’s lawyers at Ropes & Gray, as well as business-friendly amici including the U.S. Chamber of Commerce and the National Federation of Independent Business, argued that data security falls outside of the FTC’s enforcement mandate over unfair practices. The 3rd Circuit rejected that argument in 2015’s FTC v. Wyndham Worldwide; the 11th Circuit panel in LabMD – Judges Gerald Tjoflat and Charles Wilson and U.S. District Judge Eduardo Robreno of Philadelphia, sitting by designation – sidestepped the issue. Judge Tjoflat’s opinion homed in on the enforceability of the cease and desist order, assuming for the sake of argument that a corporation’s failure to implement tight data security “invaded consumers’ right of privacy and thus constituted an unfair act or practice.”

I’m here to tell you about the opinion’s even less obvious – but potentially more significant – holding in the 11th Circuit opinion: FTC enforcement actions for unfair practices cannot be based just on consumer injury, even “substantial” injury.

This is going to get wonky, but, trust me, it’s what cybersecurity defense lawyers are already buzzing about. The 11th Circuit said in LabMD that the FTC must show the allegedly unfair practice at the heart of its enforcement action was unconstitutional or violated a specific statute or common law principle. As the court explained in a footnote destined for citation in future corporate briefs: “The act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the constitution.” Ropes & Gray’s client alert on the opinion said the 11th Circuit had explicitly “rejected the FTC’s recent position” that it can sue purely on the basis of substantial consumer injury.

The FTC proposed an alternative basis in LabMD briefing at the 11th Circuit. The commission contended that its enforcement action was grounded in the common law of negligence because LabMD unintentionally allowed the invasion of its customers’ privacy. The 11th Circuit didn’t decide whether the FTC’s negligence theory holds up, choosing instead, as I mentioned, to assume the FTC’s authority to bring the case and focus on the vagueness of the remedy.

But future FTC defendants will surely pick up on arguments by LabMD’s lawyers that common-law negligence can’t be the basis of an FTC enforcement action stemming from an accidental breach of customer data. Negligence, according to LabMD, requires a showing of intent, and LabMD didn’t mean for its customers’ information to be compromised. (The crazy backstory: A LabMD billing manager installed the file-sharing application LimeWire on her office computer, in violation of company policy. A cybersecurity firm, Tiversa, exploited that vulnerability to obtain patient records. Tiversa told LabMD about the breach in the hope it would be hired to improve LabMD’s cybersecurity. When LabMD refused to hire Tiversa, Tiversa reported the breach to the FTC.)

So according to cybersecurity lawyers Craig Newman of Patterson Belknap Webb & Tyler and Alfred Saikali of Shook Hardy & Bacon, the 11th Circuit ruling puts a new obstacle in the FTC’s way in ordinary data breach cases that don’t involve specific statutes such as the federal law safeguarding healthcare information. The FTC has entered into consent decrees with more than 50 companies accused of lax data security since 2008.

“This is potentially a very big deal,” Newman said. “The court is saying the FTC can’t just have a vague reason to bring an action. It not only has to find a specific fact or circumstance that is unreasonable but the act also has to be tied to the Constitution, statute or common law. That could potentially constrain future enforcement actions and eliminate general data security claims.”

The hurdle for the FTC, added Saikali, “will be fairly substantial.”

Both Newman and Saikali said we’ll have to see how the 11th Circuit opinion is received in lower courts that aren’t bound by its holding that FTC enforcement actions must be rooted in a “well-established legal standard,” not just an inadvertent compromise of customer privacy. We’ll also have to wait for the FTC to decide whether to seek en banc or U.S. Supreme Court review of the LabMD case.

The FTC told my Reuters colleague Diane Bartz that it is weighing its options and “will continue to do everything we can to protect consumer privacy.” An FTC spokeswoman declined to respond to my specific question about the impact of the 11th Circuit’s “well established legal standard” holding.