LabMD v. FTC: Tackling “Unfair” Data Security Practices in the Eleventh Circuit

The latest skirmish in the nearly seven-year battle between diagnostic testing company LabMD and the Federal Trade Commission begins on Wednesday, June 21st, as oral arguments are held in the Eleventh Circuit Court of Appeals.[1] The case’s eventual outcome promises to have serious ramifications for the FTC’s much-needed ability to police industry data security practices. Thus far, the Eleventh Circuit has appeared skeptical of the FTC’s legal authority to address the precise data security lapses alleged against LabMD, and a decision against the FTC could limit its data security enforcement activities.

Data security needs robust enforcement. The number of data breaches and security incidents continues to grow at a rapid pace,[2] and as recent headlines make clear, the healthcare industry is particularly susceptible to data security vulnerabilities.[3] Part of the challenge lies in both the inherent sensitivities of health data and evolving technologies such as interconnected devices. This combination raises the risk of systems intrusions via ransomware attacks[4] and a host of other cybersecurity vulnerabilities that healthcare entities have yet to address adequately.[5] The FTC has repeatedly stated that companies must implement “reasonable” security measures and that the failure to do so can be an unfair act or practice under Section 5(a) of the FTC Act.

LabMD argues that the FTC has overstepped its regulatory authority, and if the Eleventh Circuit agrees, it may undermine fifteen years of data security enforcement activities by the Commission. Across more than sixty different enforcement actions, the FTC has played an important role in establishing a data security baseline and providing significant guidance on the evolution of good data security. These actions were initially tied to misleading privacy policies or other public promises under the FTC’s authority to police deceptive statements,[6] but beginning in 2005, the FTC began to argue that unreasonable data security measures were also unfair under Section 5 of the FTC Act, regardless of any public representation about a company’s security practices.[7] For a data security practice to be considered unfair, the FTC must determine that (1) the practice is likely to cause substantial injury to consumers, (2) this injury is not reasonably avoidable by consumers themselves, and (3) the injury is not outweighed by countervailing benefits to consumers or to competition.[8]

How these unfairness criteria may map onto data security lapses is at the core of the tension in the LabMD case. Specifically, oral argument may elucidate thinking around two key questions, previewed by the Third Circuit in another data security dispute between the FTC and Wyndham Worldwide Corporation:[9] (1) What are the contours of a “substantial injury” when evaluating unfair data security practices, and how should data security’s costs and benefits be evaluated? and (2) What constitutes fair notice and “ascertainable certainty” of the FTC’s expectations for “reasonable” data security?

[1] Oral Arguments Calendar, available at http://www.ca11.uscourts.gov/sites/default/files/oral_arguments/cal22_0.pdf.
[2] In 2012, California businesses reported 131 breaches, affecting 2.6 million records; in 2015, 178 breaches affecting 24 million records; and in 2016, there were 657 data breaches, affecting a total of over 49 million records. See California Data Breach Report 2016, https://oag.ca.gov/breachreport2016.
[3] See id.
[4] See, e.g., How US healthcare spent the weekend protecting against WannaCry (May 2017), http://www.healthcareitnews.com/news/how-us-healthcare-spent-weekend-protecting-against-wannacry.
[5] See, e.g., Abraham Gitterm & Neha Patel, Not Enough: FDA Finds Ongoing Cybersecurity Vulnerabilities with St. Jude Medical’s Implantable Cardiac Devices (April 2017), http://www.digitalhealthdownload.com/2017/04/not-enough-fda-finds-ongoing-cybersecurity-vulnerabilities-st-jude-medicals-implantable-cardiac-devices/.
[6] In 2002, the FTC brought its first data security enforcement case for the inadvertent disclosure of sensitive personal information when Eli Lilly revealed the email addresses of all Prozac users on a mailing list. Howard Beales, then director of the FTC’s Bureau of Consumer Protection, warned that “[e]ven the unintentional release of sensitive medical information is a serious breach of consumers’ trust. Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.” Fed. Trade Comm’n, Press Release, Eli Lilly Settles FTC Charges Concerning Security Breach (Jan. 18, 2002), https://www.ftc.gov/news-events/press-releases/2002/01/eli-lilly-settles-ftc-charges-concerning-security-breach.
[7] BJ’s Wholesale Club, Inc., Case No. C-4148 (Sept. 20, 2005), http://www.ftc.gov/sites/default/files/documents/cases/2005/09/092305do0423160.pdf (decision and order).
[8] 15 U.S.C. § 45(n).
[9] FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).