The Federal Trade Commission (FTC) has taken a more active role in policing data privacy and protection in recent years, bringing enforcement actions over data breaches. One of the most noteworthy—or notorious, depending on one’s perspective—has been its enforcement action against the now-defunct cancer screening company, LabMD.
In a pair of federal appellate court decisions in June 2018 in the LabMD matter, the commission won one and lost one.
In the FTC victory, the U.S. Court of Appeals for the District of Columbia Circuit held in Daugherty v. Sheer that even if FTC attorneys sought to retaliate against a citizen or organization for public criticism of their agency and/or themselves, they were still entitled to qualified immunity. In the FTC’s loss—one that could have continuing ramifications for FTC data breach enforcement actions—the U.S. Court of Appeals for the Eleventh Circuit in LabMD, Inc. v. FTC vacated a cease and desist order against LabMD.
To set the stage for these two circuit showdowns, some background on the LabMD saga may be helpful. Moral of the story: your employees may enjoy listening to music at the office, but if they load a file-sharing service on company equipment, it could get you in a world of hurt.
LimeWire at LabMD
Peer-to-peer file-sharing networks have been a boon to many music fans and the bane of many music copyright holders.
They can also be a security problem, as LabMD found out the hard way.
LabMD is a now-defunct medical laboratory that provided cancer diagnostic testing. In 2005—and contrary to LabMD corporate policy—LimeWire, a file-sharing service, was installed on a LabMD billing manager’s computer.
LimeWire connected the LabMD device to the Gnutella file-sharing network, which had between two and five million users logged in at any given time.
Unfortunately for LabMD and the patients whose medical records it possessed, the billing manager designated the contents of her “My Documents” folder for sharing. Among those documents was a 1,718-page file with the personal information of 9,300 patients, including their names, dates of birth, Social Security numbers, laboratory test codes, and for some, health insurance information.
In 2008, data security firm Tiversa Holding Corporation downloaded the file with the personal information from LimeWire. Tiversa began contacting LabMD, offering to sell LabMD its data remediation services.
LabMD refused Tiversa’s offer and removed LimeWire from the billing manager’s machine. However, the damage was done. Tiversa had the file, and now was sending it somewhere else: to the Federal Trade Commission.
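The control that would have surfaced the 1,718-page file before it was exposed is a content scan of whatever folder a file-sharing client has been told to share. The script below is an added illustration written for this page, not code from the article or from any party to the case: it walks a directory, counts distinct SSN-shaped and date-of-birth-shaped strings per file, and flags files holding bulk records. The sample "My Documents" tree, the SSN and date formats, and the bulk threshold are all constructed assumptions.

```python
"""Added example: scan a shared folder for files that look like bulk patient PII.
Illustrative code for this page only; the sample data and thresholds are constructed."""
import os
import re
import tempfile
from pathlib import Path

# SSN-shaped strings (AAA-GG-SSSS). Rejects area 000/666/9xx, group 00 and serial 0000,
# which are never issued, to trim false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Date-of-birth-shaped strings in MM/DD/YYYY; the format is an assumption for this example.
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

# A file with this many distinct SSNs is treated as a bulk record set rather than an
# incidental mention. Assumed threshold; a real deployment would tune it.
BULK_THRESHOLD = 5


def scan_file(path: Path) -> dict:
    """Count distinct SSN-shaped and DOB-shaped strings in one file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return {"ssn": 0, "dob": 0}
    return {"ssn": len(set(SSN_RE.findall(text))),
            "dob": len(set(DOB_RE.findall(text)))}


def scan_shared_tree(root: Path) -> list:
    """Walk a shared folder and report every file holding PII, bulk files first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            counts = scan_file(path)
            if counts["ssn"] or counts["dob"]:
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "ssn": counts["ssn"],
                    "dob": counts["dob"],
                    "bulk": counts["ssn"] >= BULK_THRESHOLD,
                })
    return sorted(findings, key=lambda f: f["ssn"], reverse=True)


def build_sample_share() -> Path:
    """Create a throwaway 'My Documents' tree: one bulk billing export, one note with a
    single SSN, one harmless playlist. All contents are constructed test data."""
    root = Path(tempfile.mkdtemp(prefix="mydocs_"))
    (root / "billing").mkdir()
    rows = ["name,dob,ssn,test_code"]
    for i in range(1, 21):
        rows.append(f"Patient {i},03/15/{1950 + i},"
                    f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d},80053")
    (root / "billing" / "patients.csv").write_text("\n".join(rows) + "\n")
    (root / "notes.txt").write_text("Call patient back re: SSN 123-45-6789 mismatch on claim.\n")
    (root / "playlist.txt").write_text("01 - Intro.mp3\n02 - Track Two.mp3\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_shared_tree(share):
        tag = "BULK" if f["bulk"] else "single"
        print(f"{tag:6} {f['file']}: {f['ssn']} SSN, {f['dob']} DOB")
```

Run against the share list a P2P client actually advertises, or as a scheduled endpoint check, this is the difference between finding the billing export in-house and having an outside firm find it on Gnutella. Pattern matching on SSNs alone produces false positives, which is why the bulk flag keys on distinct values rather than any single hit.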
After conducting an investigation, the FTC issued an administrative complaint against LabMD in August 2013. The FTC alleged the company had committed an “unfair act or practice” in violation of Section 5(a) of the Federal Trade Commission Act of 1914 by engaging in a number of practices that, taken together, “failed to provide reasonable and appropriate security for personal information on its computer networks.”
In answering the complaint, not only did LabMD argue it had not engaged in the alleged conduct, but also that the FTC lacked authority under Section 5 of the FTC Act to regulate the handling of the personal information on its computer networks.
At this point, it’s probably worth taking a moment to examine the legal framework for the FTC’s claim of authority over data protection.
The FTC and Data Protection
Section 5(a) of the FTC Act, 15 U.S.C. §45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has maintained that the act gives it the authority to sanction companies where data breaches occur, arguing the failure to protect customer data in certain circumstances is an unfair and/or deceptive trade practice under the act.
Section 5 has two prongs argued in data breach cases: the “Unfairness” prong [Sections 5(a) and 5(n)] and the “Deception” prong [Section 5(a)(1)].
The Unfairness prong is a three-part test, requiring a substantial or likely substantial injury to consumers, that is not reasonably avoidable by consumers, and that is not outweighed by benefit to consumers or to competition.
The Deception prong requires a deceptive act in or affecting commerce, and courts have followed a three-pronged test for establishing liability: 1) a representation, 2) that was likely to mislead consumers acting reasonably under the circumstances, and 3) that was material. See FTC v. Tashman, 318 F.3d 1273 (11th Cir. 2003).
In 2005, the FTC began bringing administrative actions against companies it alleged had insufficient data security that failed to protect consumer data from hackers. Most of the cases have ended in settlements, including the well-publicized matters of Ruby Corporation (AshleyMadison.com) and Uber.
Wyndham and the FTC’s Authority
As the LabMD matter was winding its way through the administrative law process, the FTC was also pursuing an enforcement action that became the precedent-setting case against Wyndham Worldwide.
Hackers breached Wyndham’s computer system, accessing personal and financial information of hundreds of thousands of customers, resulting in approximately $10.6 million in fraudulent charges.
In an August 2015 decision, the Third U.S. Circuit Court of Appeals held in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), that the FTC did have enforcement authority over data breaches. It rejected Wyndham’s argument that the FTC lacked authority to bring an unfairness action over data breaches and the company’s argument that it did not have proper notice that its conduct fell within the parameters of the FTC Act.
The Third Circuit’s decision in Wyndham was a case of first impression, affirming the FTC’s authority to regulate cybersecurity, and it set the stage for the Eleventh Circuit’s consideration of LabMD.
A Win and a Loss for the FTC
The first of the two appellate decisions this month, Daugherty v. Sheer, No. 17-5128 (D.C. Cir. June 1, 2018), came about after LabMD CEO Michael Daugherty gave an interview to the Atlanta Business Chronicle, where he described the FTC’s investigation as a “fishing expedition” and said the FTC was “beating up on small business.” In addition, Daugherty wrote a book about his experiences with the FTC, entitled The Devil Inside the Beltway.
LabMD and Daugherty sued the FTC, FTC attorneys Alain Sheer and Ruth Yodaiken, and others, alleging the FTC and its attorneys retaliated against LabMD in the investigation because of Daugherty’s public comments, in violation of his First Amendment right to criticize the government without fear of government retaliation.
A federal district court dismissed the other claims but denied the motion to dismiss the First Amendment retaliation claim, allowing it to proceed. The D.C. Circuit reversed.
“Because the FTC enforcement action against LabMD had an alternative cause—the undisputed data security breach by which the 1718 File was publicly available from a LabMD computer—the alleged actions by Sheer and Yodaiken did not violate Daugherty’s or LabMD’s clearly established rights, even assuming retaliatory motive,” the court held.
Meanwhile, in the Eleventh Circuit decision, LabMD v. FTC, No. 16-16270 (11th Cir. June 6, 2018), the appellate court vacated the FTC’s cease and desist order to LabMD.
The FTC had filed the administrative complaint against LabMD in August 2013, alleging the company failed to properly protect the consumer data on its networks in the LimeWire-enabled data breach.
An administrative law judge (ALJ) dismissed the FTC’s complaint, ruling the FTC failed to prove that LabMD’s alleged failure to employ reasonable data security caused or was likely to cause substantial injury to consumers. There was no evidence that anyone other than Tiversa had accessed the LabMD patient data on LimeWire. Thus, the ALJ concluded, “Because there was no substantial injury or likelihood thereof, there could be no unfair act or practice.”
However, the FTC got another bite at the apple: under 16 C.F.R. § 3.52, the ALJ’s initial decision could be appealed to the full commission for review, and the commission reversed the ALJ.
The FTC then entered a cease and desist order vacating the ALJ’s decision and enjoining LabMD to install a data security program that comported with the FTC’s standard of reasonableness. The order was to terminate on either July 28, 2036 or 20 years from the most recent date the FTC filed a complaint alleging a violation of the order, whichever came later.
LabMD petitioned the Eleventh Circuit for review of the FTC’s decision, and in 2016, the court stayed enforcement of the FTC’s cease and desist order, pending review.
In its June 6, 2018 decision, the Eleventh Circuit vacated the FTC’s cease and desist order.
“Assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data security program constituted an unfair act or practice under Section 5(a), the Commission’s cease and desist order is nonetheless unenforceable. It does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned,” the court said.
Why LabMD Matters
Although the FTC won one and lost one in June 2018 appellate court decisions on its data breach enforcement moves, it’s the loss at the Eleventh Circuit that may have the most long-lasting impact.
It doesn’t come as much of a surprise that the D.C. Circuit held the FTC lawyers had qualified immunity.
However, the Eleventh Circuit decision could present challenges for the FTC in future enforcement actions over data breaches. Although the court did not issue the ruling LabMD sought—namely that the FTC lacked enforcement authority over data breaches—by throwing out the commission’s cease and desist order, it did throw a wrench in the commission’s data breach enforcement efforts.
“The cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable,” the court said.
If that command is unenforceable, what is the future for the FTC in data breach enforcement?
In these data breach cases, companies and their supporters in the business community argue the hacked companies are victims, not culprits, but the FTC argues that failure to protect customer data can be an unfair or deceptive trade practice, depending on the facts of the situation. A comprehensive, national data privacy and protection law could be the answer.
When the Eleventh Circuit lamented what it believed was the FTC expecting the district court to overhaul LabMD’s data security procedures, it could just as easily be the court lamenting the lack of comprehensive data protection and data privacy laws in the United States, which could include harmonizing the data breach laws of the various states.
With disparate constituencies and competing priorities, one probably shouldn’t bet on Congress addressing comprehensive data protection and privacy legislation. Then again, most people didn’t think they’d pass the CLOUD Act.