Eleventh Circuit Decision for LabMD Reshapes “Reasonable Data Security”
Written by Joseph Jerome
Yesterday the Eleventh Circuit vacated an FTC cease and desist order against LabMD for the medical testing firm’s security lapses. For over a decade, the Federal Trade Commission has asked businesses to deploy reasonable security measures to protect user data. Failure to implement protections “appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities” has been viewed by the FTC as an unfair business practice. Under Section 5 of the FTC Act, it brought over sixty enforcement actions against companies. Frequently, these actions resulted in consent decrees requiring the companies to establish comprehensive information security programs and face fines for any subsequent failure to comply. Over time, this process allowed the FTC to develop de facto security standards and practices via its orders.
That process may well have ended with the Eleventh Circuit’s decision yesterday. While companies have endeavored to chip away at the FTC’s “unfairness” authority for years, the Eleventh Circuit sidestepped the question of whether poor data security is an unfair practice; it assumed for the sake of argument that it is. Instead, according to the court, the problem is not that poor security is unfair but that the FTC must identify the specific unfair acts and practices LabMD engaged in.
What is not in dispute is that a LabMD employee shared access to a computer folder on the LimeWire peer-to-peer sharing platform, leading to the exposure of sensitive medical information. “Had the [FTC’s] complaint stopped there, a narrowly drawn and easily enforceable order might have followed, commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers,” the court explained. Instead, the FTC argued that installation of LimeWire and the subsequent data breach were evidence that LabMD’s data security measures were “deficient as a whole.” The FTC’s proposed order would have established a designated employee lead, required the identification of internal and external security risks, and documented safeguards to address those risks.
The problem, the court explained, is that this requires LabMD to implement data security protections that meet an “indeterminable standard of reasonableness.” Without specific prohibitions, FTC cease and desist orders and court injunctions are unenforceable.
Conservative administrative law experts are celebrating this decision as a victory for the due process rights of companies, but make no mistake: this decision drastically limits the ability of the FTC to police inadequate data security, a problem that promises only to get worse. Because of limitations in the FTC’s Section 5 authority, the agency has little ability to extract monetary penalties, so it uses its consent orders to put companies on the hook for future bad behavior. In the case of LabMD, the FTC would be reduced to prohibiting only the exact problematic practice (the downloading and inappropriate use of LimeWire) without any further requirements. If LabMD were to have a second security lapse for a different reason, the FTC would have to begin enforcement again from square one.
Moving forward, the FTC will need to provide much more detail about exactly what constitutes unacceptable data security practices. The likely vehicle for doing this will be to look to existing industry standards as a baseline, encourage companies to be more explicit about the steps they actually take to protect information, and then use the FTC’s ability to police deceptive statements as an enforcement tool. Industry players have sought flexibility to create voluntary privacy and security rules to which companies can then subscribe. While not an ideal situation, general data security enforcement will likely now require companies to publicly declare much more than that they merely take “reasonable steps to protect information.” Advocates and policymakers will need to demand more explicit security disclosures.
Ultimately, the LabMD decision accelerates the need for Congress to grant the FTC better rulemaking authority with respect to data security. Data and device security threats, as well as best practices, are constantly evolving, which is why companies have been reluctant to endorse government regulation of security. However, industry self-regulation in this area has tended to come far too late or not at all. In the end this case may be one more spur for congressional action on data security and privacy.