On Data-Security Regulation, a Narrower Path for the FTC?
Ellis & Winters
As we’ve discussed, after a company experiences a data breach, government regulators can be a key source of privacy and data-security litigation.
The Federal Trade Commission, for instance, often uses its authority under Section 5 of the FTC Act to sue companies for privacy and data-security failures. One common theory? Failing to implement appropriate security measures is an “unfair” business practice.
Most companies settle when the FTC comes calling. They agree to broad consent orders that often require them to establish and maintain comprehensive privacy and data-security programs. These orders also often subject companies to ongoing assessments and monitoring for up to 20 years.
But sometimes companies fight back, like the victor in LabMD v. Federal Trade Commission, a decision that the Eleventh Circuit issued last week. This post studies that decision.
An employee shares music, videos, and patients’ sensitive personal data
LabMD was a medical laboratory that conducted cancer testing.
The case arose from the conduct of the company’s billing manager. In 2005, that manager installed LimeWire—a peer-to-peer file-sharing application often used to share music and videos over the internet—on her work computer. That installation violated the company’s data-security policies.
It gets worse. The billing manager configured LimeWire to share a folder containing a spreadsheet with personal information of 9,300 patients. This meant that those patients’ names, social security numbers, laboratory test codes, and health insurance information became openly available to other LimeWire users.
A data-security company called Tiversa discovered and downloaded the spreadsheet. It then approached LabMD to offer its security remediation services. When LabMD declined, Tiversa sent the spreadsheet to the FTC.
An unfairness finding leads to broad injunctive relief
After an extensive investigation, the FTC issued an administrative complaint against LabMD. The complaint alleged that LabMD committed an “unfair” practice under Section 5 by failing to provide reasonable security for personal information on its computer networks.
The complaint set out a list of data-security practices that LabMD didn’t implement. According to the FTC, those failures allowed the billing manager to install LimeWire and expose the spreadsheet to the internet.
The FTC ultimately concluded that LabMD’s data-security failures were an unfair practice under Section 5. The FTC then issued a cease-and-desist order requiring LabMD to implement a “comprehensive information security program” reasonably designed to protect consumers’ personal information.
The order didn’t specify the security measures that LabMD’s program must include. And it said nothing about preventing the installation or use of unauthorized applications like LimeWire. Instead the order listed—at a high level—the elements of any good data-security program, including conducting risk assessments and implementing “reasonable safeguards” to control the identified risks.
LabMD petitioned the Eleventh Circuit to vacate the order.
Data-security regulation under Section 5: specificity or flexibility?
LabMD argued that the FTC exceeded its authority under Section 5 in finding that LabMD’s conduct amounted to an unfair practice. LabMD also argued that the order was impermissibly vague. To that end, argued LabMD, the order didn’t specify the measures its security program must include to satisfy the requirement of “reasonable” data security.
For its part, the FTC argued that it properly applied Section 5 in finding that LabMD committed an unfair practice in disclosing its patients’ personal information. And as for the enforceability of the order, the FTC argued that its lack of specificity benefited LabMD: the order “spelled out the standards for LabMD to craft a reasonable security program,” but gave LabMD “the flexibility to tailor its compliance to fit its business operations as they evolve.”
The Eleventh Circuit’s Decision
The court sided with LabMD.
The court assumed—without deciding—that LabMD’s failure to maintain a reasonable data-security program was an unfair practice for Section 5 purposes.
Turning to the enforceability of the FTC’s order, however, the court concluded the order’s mandate was not specific enough. The order did not instruct LabMD to stop committing a specific act or practice. Instead, it required “a completed overhaul of LabMD’s data-security program,” but said “precious little about how this is to be accomplished.”
The problem with this approach, explained the court, would be evident if the FTC later sought to enforce the order. In that case, a federal district court would have to decide whether LabMD’s failure to implement a particular security measure violated the order, but would have only the FTC’s undefined concept of “reasonable security” to guide that decision. The district court would thus be put in the position of “managing LabMD’s business in accordance with the FTC’s wishes.”
This micromanagement, concluded the Eleventh Circuit, was beyond the scope of court oversight contemplated by the law. The court therefore vacated the FTC’s order.
The FTC and data security enforcement: a narrower road going forward?
The LabMD court sidestepped the question of whether and to what extent the FTC has the authority to regulate data-security under its Section 5 unfairness authority. But the decision could nonetheless have important implications for how the FTC exercises that authority.
First, the case calls into question the FTC’s use of discrete security failures as an entry point to regulate companies’ data-security operations as a whole. As the court explained, the FTC could have focused on the specific conduct that led to the breach at issue—installation of an unauthorized program on company computers. In that case, the FTC could have issued a “narrowly drawn and easily enforceable order” that required LabMD to prevent that specific conduct in the future. Going beyond that conduct ultimately led to the FTC’s defeat—a point that will not be lost on the FTC going forward.
Second, the case may embolden more companies to challenge the FTC in its data-security enforcement efforts. At a minimum, the decision gives companies leverage to argue against fuzzy, standards-based data-security requirements when negotiating with—or litigating against—the FTC in data-security cases.
Author: Alex Pearce