The Eleventh Circuit Avoids Opining on the FTC’s Authority to Police Negligent Data Security Practices in Healthcare

By Jennifer M. Thomas

On June 6, the Eleventh Circuit vacated the Federal Trade Commission’s (“FTC’s”) data security-related cease and desist order against LabMD, Inc. (“LabMD”), a diagnostic testing company. The decision was less than satisfactory for many amici who had called on the Court to opine – one way or the other – on the FTC’s authority to police companies’ data security practices.  Instead, the Court focused narrowly on the FTC complaint and order’s lack of specificity, and left open the question of whether mere negligent failure to implement certain security measures (without tangible consumer injury) constitutes an “unfair act” cognizable under Section 5 of the FTC Act.

The FTC filed an administrative complaint against LabMD in August 2013, accusing the company of failing to maintain reasonable data security measures.  The FTC alleged that LabMD’s security lapses amounted to an “unfair act or practice” within the meaning of Section 5 of the FTC Act.  Issuance of the complaint followed a lengthy investigation by Commission staff into data security practices at LabMD, begun after Tiversa Holding Company (“Tiversa”) informed the FTC that it had obtained a LabMD file containing 9,300 patients’ personal and health information.  A LabMD employee had inadvertently shared the file through a peer-to-peer file-sharing network called LimeWire.  Four FTC Commissioners voted unanimously to file the complaint against LabMD. See FTC Press Release:  FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy.

LabMD moved to dismiss the FTC’s administrative complaint. Consistent with the FTC’s Rules of Practice as amended in 2009, the Commission itself ruled on LabMD’s motion to dismiss.   See 16 C.F.R. § 3.22(a).  Predictably, the Commissioners declined to dismiss a complaint that they had only three months earlier voted to issue based on “reason to believe” that LabMD violated the FTC Act.  The Commission also denied a further motion to dismiss, and a motion for summary decision. See In re LabMD, Inc., 2014 FTC LEXIS 2, 2014-1 Trade Cas. (CCH) P78,784 (Jan. 16, 2014); In re LabMD, Inc., 2015 FTC LEXIS 215, at *4-6 (Sept. 14, 2015); In re LabMD, Inc., 2014 FTC LEXIS 126, at *1-2, 2014-1 Trade Cas. (CCH) P78,785 (F.T.C. May 19, 2014).  During the course of the administrative proceedings that followed, it came out that Tiversa – the entity that informed on LabMD to the FTC – had regularly engaged in the practice of “monetiz[ing]” documents it downloaded from peer-to-peer networks by “using those documents to sell data security remediation services to the affected businesses, including by representing to the affected business that the business’ information had ‘spread’ across the Internet . . . when such was not necessarily the case . . .” See In re LabMD, Inc., Docket No. 9357, ALJ’s Initial Decision at 9 (F.T.C. Nov. 13, 2015).  The ALJ found that Tiversa reported its discovery of the LabMD file to the FTC in retaliation for LabMD’s refusal to purchase Tiversa’s security remediation services, and that Tiversa inflated the scope of the “spread” of the LabMD file. Id. at 9-10.

On November 13, 2015, ALJ D. Michael Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD.  The ALJ cited Section 5(n) of the FTC Act (15 U.S.C. § 45(n)), which states that the FTC cannot declare an act or practice to be “unfair,” and therefore unlawful, unless (1) the act or practice causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or to competition. Id. at 13 (citing 15 U.S.C. § 45(n)).  The ALJ held that the FTC had failed the first prong of this test, because it did not adequately prove that LabMD’s “unreasonable” data security practices caused, or were likely to cause, substantial injury to consumers.  Intangible emotional harm was not cognizable as a substantial injury under the FTC Act.

The FTC Staff appealed the ALJ’s ruling to the full Commission, and on January 29, 2016, the Commission – again predictably – reversed the ALJ in favor of its Staff.   The Commission held that the ALJ had applied the wrong legal standard for unfairness, and that LabMD’s lax security practices did constitute an “unfair act or practice within the meaning of Section 5 of the FTC Act.” In re LabMD, Inc., Docket No. 9357, Op. of the Comm’n at 1 (F.T.C. Jan. 29, 2016).  The Commission issued a cease and desist order against LabMD, requiring that the company implement an information security program and submit to biennial assessments and monitoring by the FTC.  LabMD appealed the FTC ruling and order to the Eleventh Circuit.

In its appeal to the Eleventh Circuit, LabMD argued, among other things, that the FTC erred in finding that LabMD’s alleged security failure “causes or is likely to cause substantial injury,” as required to deem an act “unfair” under FTC Act Section 5(n), because the only injury that could possibly have occurred was intangible and even conjectural, and could only have occurred in the past. LabMD further argued that a finding of “unfairness” necessitates a showing that goes beyond negligence: the act in question must be “deceptive or reckless,” which the FTC did not adequately demonstrate in LabMD’s case.  Finally, LabMD argued that the FTC’s order was impermissibly vague because it did not specify how LabMD should meet the requirement to establish a “reasonably designed” information security program.

The Eleventh Circuit ultimately decided to vacate the FTC’s cease and desist order based on LabMD’s last argument: the order was not enforceable because it, and the accompanying FTC complaint, were insufficiently specific. See LabMD, Inc. v. FTC, No. 16-16270, 2018 U.S. App. LEXIS 15229, at *26 (11th Cir. June 6, 2018).  The Court held that a lack of specific prohibitions would put a future court in the position of weighing the opinions of various experts about what is, and isn’t, “reasonable” in terms of an information security program – in other words, “managing LabMD’s business in accordance with the Commission’s wishes.”  The Court determined that “this micromanaging is beyond the scope of court oversight contemplated by injunction law.” Id. at *32.  Lack of specificity and its counterweight, regulatory overreach, are perennial issues in the context of FTC orders, and the Court’s predictions regarding a potential battle of the experts are well-founded. See, e.g., Basic Research, LLC v. FTC, No. 09-cv-779 (D. Utah June 1, 2012); United States v. Bayer Corp., 2015 U.S. Dist. LEXIS 74118 (D.N.J. June 8, 2015); POM Wonderful, LLC v. FTC, 777 F.3d 478, 490 (D.C. Cir. 2015).

The Court’s ruling likely will result in the FTC pursuing more specific data security measures in administrative orders and injunctions going forward.   However, the fact that the Eleventh Circuit did not conclusively address the FTC’s authority over negligent information security practices could also provide some protection to companies facing FTC action where tangible injury is lacking. At the very least, despite the increasing focus on privacy and data security, this decision should make the Commission more circumspect about the details behind its next data security-related complaint.

The Commission has stated that it is still evaluating next steps after the Eleventh Circuit’s ruling. It has 45 days after the entry of judgment to petition for rehearing or rehearing en banc (see Fed. R. App. P. 40), and 90 days to petition the Supreme Court for review (more, if it first seeks a rehearing) (see S. Ct. R. 13).