Case Update: In Consumer Data Breach Case, Eleventh Circuit Indicates Concern over Scope of FTC’s Enforcement Actions
On June 21, 2017, the Eleventh Circuit Court of Appeals heard oral argument in LabMD, Inc. v. FTC, Case No. 16-16270, a case that is being carefully watched to see if it will clarify the limits of the Federal Trade Commission’s (“FTC”) authority to bring enforcement actions for consumer data security breaches under Section 5 of the FTC Act. Questioning from the three-judge panel (Circuit Judges Gerald Bard Tjoflat and Charles R. Wilson, and U.S. District Judge Eduardo C. Robreno) during the 40-minute oral argument raised particular concerns over the FTC’s inclination to act on a case-by-case basis, rather than to provide adequate notice of its interpretation of Section 5 through rulemaking.
The case has important implications. The Third Circuit has already ruled that the FTC has the ability to regulate the data security practices of companies under its jurisdiction (see FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)). A ruling in the FTC’s favor in the LabMD case will empower it to initiate Section 5 data security enforcement actions without showing substantial injury. By contrast, if the Court sides with LabMD, then the FTC will need to demonstrate more than mere potential injury to bring such actions.
The instant case arose from LabMD’s appeal of a July 2016 decision by three FTC commissioners finding that LabMD’s data security measures were unreasonable and caused substantial injury to consumers. The commissioners vacated an earlier decision by an FTC administrative law judge, which had rejected the FTC’s action due to its failure to meet its burden of proof on the question of injury.
At oral argument, LabMD first focused on why the Court should not accept the FTC’s interpretation that the “purely conceptual privacy harm” at issue amounted to a “substantial injury” under Section 5 of the FTC Act. LabMD pointed out that the FTC’s 1980 policy statement excluded subjective injuries such as those harms alleged by the FTC in this case, and that Congress enacted Section 5 with the intent of preventing the FTC from abandoning the principles in the policy statement in the future. LabMD contended that Section 5(n) was “intended to be prophylactic to lock in the interpretation of ‘substantial injury.’”
LabMD also stressed that the Court “should not accept the FTC’s interpretation that likely injury for purposes of Section 5(n) includes low likelihood harm where there is a significant risk of injury and the injury would be large.” LabMD contended that the plain language of “substantial” and “likely” in the FTC Act made the FTC’s interpretations unreasonable.
LabMD then cited to USLIFE Credit Corp. v. FTC, 599 F.2d 1387 (5th Cir. 1979), in arguing that the FTC cannot use the courts to make a change to the policy statement, but must instead go to Congress.
In response, the FTC argued that a substantial injury existed in this case even if it did not cause any economic or physical harm, noting that the FTC was not enforcing tort law; instead, it was looking to “common law principles to help define substantial injury.” The FTC indicated that it had chosen not to engage in rulemaking for prophylactic measures of future conduct because it was not effective in this area. The FTC argued that the rules would not apply to every business, and that they would be obsolete within six months of issuance due to changing technology. Thus, the FTC determined that requiring an entity to act “reasonably” was a more sensible approach. LabMD countered that rulemaking was in fact possible because other regulators had done so, citing rulemaking under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
The Court zeroed in on the FTC’s argument that it could act on a case-by-case basis without rulemaking. The Court noted that the FTC’s approach would require businesses to attempt to determine what the FTC means by requiring companies to act “reasonably.” This approach provided the FTC with what amounted to an “unlimited license” to determine whether actions are reasonable. Judge Robreno stated that he did not think such an approach was a good public policy objective. The FTC stressed that what the commissioners did in this case was not based on hindsight but on what was reasonable at the time, noting that what was reasonable today may not be so tomorrow. The Court, however, continued to question whether the FTC could apply its “reasonableness” standard on a case-by-case basis, and whether the FTC’s approach provided adequate notice to companies. Judge Tjoflat remarked that the FTC effectively “conceded” that it was taking the position that it did not need to give notice to the industry of its view of reasonableness, and that he did not see an industry standard that companies could apply to determine reasonableness. The FTC countered by pointing to the commissioners’ decision in this case, referring to NIST and CMS, and citing an expert report in the record so as to establish an industry standard.
LabMD, however, contended that it did not have fair notice as to what the FTC considered reasonable, particularly given the FTC’s position that it has the authority under Supreme Court precedent to establish rules on an ad hoc basis. LabMD also countered that a few examples of company practices do not establish an industry standard, particularly for a small healthcare company like LabMD.
The case was ably argued by both sides, and the Court’s analysis on the FTC Act, including the interpretation of the terms “substantial” and “likely” injury, and the issue of notice, will be forthcoming.