Sara Merken reports: The Federal Trade Commission is issuing specific data security requirements to companies as part of agency settlements, policing businesses more aggressively than before, attorneys and former staff said. Proposed settlements reached this year with LightYear Dealer Technologies LLC, ClixSense.com, Unixiz Inc, and D-Link Systems Inc. show what the FTC is expecting in terms of corporate data security and responsibility, data security and privacy attorneys and former staff said. Read more on Bloomberg Law.
After providing some history the LabMD enforcement action by FTC, and the former’s appeal to the 11th Circuit, Tom Kulik of Scheef & Stone, LLP outlines what he considers the three biggest data security takeaways from the case. You can read his article on Above the Law.
F. Paul Greene and Daniel J. Altieri consider the landscape after the 11th Circuit’s decision in the LabMD case, noting the state-level Unfair and Deceptive Acts and Practices (“UDAP”) laws and The Nationwide Assurance of Voluntary Compliance may become more prominent as tools for data security enforcement actions. They write, in part: The Nationwide Assurance of Voluntary Compliance (“AOVC”), which is the state-law analog of the consent order used by the FTC in relation to FTC Act enforcement, goes both further than and not as far as the LabMD order struck down by the 11th Circuit. In doing so, it may become an example for future UDAP enforcement on the state-law level post-LabMD. To begin with, the Nationwide AOVC is far shorter in duration than the standard FTC order, which lasts for 20 years and is binding on successors and assigns of the settling party. Although not directly discussed in the 11th Circuit’s decision, the extreme length of the FTC form order could have added to the 11th Circuit’s reticence to leave an affected company’s obligations in relation to “reasonable” cyber security efforts so open-ended for so long. In this regard, the Nationwide AOVC, and any state-law UDAP order that follows its structure, may avoid harsher scrutiny by limiting its temporal scope. Read more on New York Law Journal.
Craig A. Newman of Patterson Belknap writes: Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business – raising the troubling question of whether the entire case against LabMD was built on a false premise. That is a central question in Daugherty et al. v. Sheer et al., a case pending before the U.S. Court of Appeals for the D.C. Circuit. LabMD has asked the court to reconsider its decision that two Federal Trade Commission lawyers are immune from a lawsuit filed against them by LabMD, charging that its First Amendment rights were violated when the FTC lawyers engaged in a “deliberate and successful effort to cause the Commission to authorize an enforcement action” based on misrepresenting critical facts in the case. LabMD has charged that FTC lawyers Alain Sheer and Ruth Yodaiken recommended that the commission start an enforcement action that “was laced with lies.” Read more on Data Security Law Blog.
David Cohen, Douglas Meal, and Michelle Visser of Ropes and Gray, the firm that represented LabMD against the FTC, write: Representing LabMD in its successful petition to the U.S. Court of Appeals for the 11th Circuit has been a fascinating experience in a number of ways. One of those is what the case reinforced for us about how the state of cybersecurity regulation in the United States could be greatly improved. While there is more to this topic than can possibly be covered in a single column, we address two aspects here: First, this case highlights how the FTC’s “regulation by consent decree” approach is simply not working. Second, it shows how readily a false narrative can be created about a company’s security measures and the supposed ease of implementing additional measures, such that regulators end up seeking to address issues that either do not exist or have been greatly exaggerated, and then impose requirements that actually do more harm to consumers than good. There is no time like the present to fix these pressing issues with our country’s regulatory approach to cybersecurity, and it is our hope that a silver lining to this case will be a greater understanding of the costs and benefits of regulatory action in this space. Read more on IAPP.
Attorneys at Ropes & Gray, the law firm representing LabMD in LabMD vs. FTC, write: On June 6, 2018, at the urging of Ropes & Gray, the U.S. Court of Appeals for the Eleventh Circuit vacated an order that the Federal Trade Commission (the “FTC”) had imposed on LabMD, Inc. (“LabMD”) to overhaul the cancer detection laboratory’s data security program. The court ruled that the FTC’s order is unenforceable because, rather than enjoining a specific act or practice, it mandates a complete overhaul of LabMD’s data security program and says little about how this is to be accomplished, effectively charging a district court with managing the overhaul. The decision also recognizes important limitations on the agency’s authority even to declare an act “unfair” in the first place. The Eleventh Circuit’s rejection of the FTC’s action against LabMD has significant implications both for the FTC’s privacy and data security program and for other regulatory and private litigation contexts. Read more on Ropes & Gray. I realize that there are many privacy law scholars who are not happy with the 11th Circuit’s opinion and/or who feel that the court got it wrong, but as one of those people who felt that this was an absolutely outrageous case that never should have been brought, I am delighted for LabMD, Mike Daugherty, and kudos to his legal team. Well done! And if FTC doesn’t like what happens now, well, maybe they shouldn’t have been so over the top in starting an enforcement action where, despite the FTC’s claims, there was no harm to consumers and once the employee’s misstep was pointed out, no risk of a recurrence.
Alison Frankel writes about what she calls the less obvious takeaway from the 11th Circuit’s LabMD opinion: FTC enforcement actions for unfair practices cannot be based just on consumer injury, even “substantial” injury. This is going to get wonky, but, trust me, it’s what cybersecurity defense lawyers are already buzzing about. Read more on Reuters. And yes, that aspect of the ruling did not go unnoticed or uncommented upon on Twitter when the opinion was released. Consider, for example, this footnote from the opinion: 24 Section 5(n) now states, with regard to public policy, “In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution. So there’s a lot to discuss about this opinion, and I think this point is going to pose a major hurdle for the FTC going forward in data security cases. Where are they going to find statutory, common law, or constitutional bases for declaring specific acts or practices “unfair?” Will they start engaging in rule- or regulation-writing? I am guessing, based on their history of enforcement, that they will turn to common law, but I look forward to reading what scholars and litigators think.
The Court of Appeals for the Eleventh Circuit has vacated the Federal Trade Commission’s order: This is an enforcement action brought by the Federal Trade Commission (“FTC” or “Commission”) against LabMD, Inc., alleging that LabMD’s data- security program was inadequate and thus constituted an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act (the “FTC Act” or “Act”), 15 U.S.C. § 45(a).1 Following a trial before an administrative law judge (“ALJ”), the Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures. LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order. I haven’t had time to read it yet, but this is huge news. Here’s the opinion:
Craig A. Newman writes: It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security. The U.S. Court of Appeals for the Eleventh Circuit heard argument six months ago in LabMD, Inc. v. Federal Trade Commission. As readers of this blog know, the case turns on what kind of consumer harm is required for the agency to maintain a data security enforcement action. Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information. Read more on Patterson Belknap Data Security Law Blog. I’m glad Craig wrote a column about this so that the public doesn’t forget about this case. As Craig indicates, this case has hugely important implications for future FTC data security enforcement actions. But if LabMD wins – and that would be somewhat like David slaying Goliath – let’s remember that LabMD still lost – and we all lost something – because the lab went out of business under the burden of fighting the FTC action. The conflict also took a significant toll on a former employee of Tiversa, Rick Wallace, whose mental health and reliability were questioned by former Tiversa CEO Bob Boback when it was made known that Wallace would provide whistleblower testimony both to the FTC’s administrative law judge and a congressional committee investigating the FTC. Although Boback and Tiversa attempted to discredit Wallace by attempting to file an “information” in the administrative hearing, ALJ Michael Chappell was having none of that. In fact, Tiversa separated itself from Boback after the FBI raided their offices. They also withdrew from litigation against Daugherty. That has not stopped Daugherty and Wallace from individually filing their own lawsuits against Boback and Tiversa, however. So in addition to the core litigation between FTC and LabMD, there’s a slew of other cases involving defamation and other issues that arose during the course of the investigation and enforcement action. Whether anyone at the FTC will ever suffer even 1/10th as much as LabMD or its CEO is questionable, even though LabMD’s CEO Michael Daugherty has sued FTC lawyers in a Bivens claim. But the first issue, of course, is what will the court rule on the all-important issue of what the harm prong actually means in terms of whether the FTC should be attempting to take enforcement action.
Jimmy Koo reports: The Federal Trade Commission’s data security enforcement standard came under fire June 22 from a panel of federal appeals court judges ( LabMD, Inc. v. FTC , 11th Cir., No. 16-16270, oral argument 6/21/17 ). As predicted, the level of harm required for the FTC to act was “front and center” during the oral argument. Attorneys for the FTC and the now-defunct medical testing company LabMD Inc. squared off before the U.S. Court of Appeals for the Eleventh Circuit over what level of data breach injury is sufficient to allow the privacy regulator to take enforcement action. Read more on Bloomberg BNA. Actually, no. If you haven’t done so already, first listen to the oral arguments (about 40 minutes, search for Docket 16-16270, LabMD, Inc., Petitioner v. Federal Trade Commission. You may well think, “WHOA….” when you hear the judges give the FTC a difficult time. Then you can read the article.