There’s a big problem for the FTC lurking in 11th Circuit’s LabMD data-security ruling
Alison Frankel writes about what she calls the less obvious takeaway from the 11th Circuit’s LabMD opinion:
FTC enforcement actions for unfair practices cannot be based just on consumer injury, even “substantial” injury.
This is going to get wonky, but, trust me, it’s what cybersecurity defense lawyers are already buzzing about.
Read more on Reuters. And yes, that aspect of the ruling did not go unnoticed or uncommented upon on Twitter when the opinion was released. Consider, for example, this footnote from the opinion:
24 Section 5(n) now states, with regard to public policy, “In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.
So there’s a lot to discuss about this opinion, and I think this point is going to pose a major hurdle for the FTC going forward in data security cases. Where are they going to find statutory, common law, or constitutional bases for declaring specific acts or practices “unfair?” Will they start engaging in rule- or regulation-writing? I am guessing, based on their history of enforcement, that they will turn to common law, but I look forward to reading what scholars and litigators think.