LabMD, Inc. v. FTC
Ginger Pigott and Richard Tabura
Why It Made the List
Normally, neither an opinion from the Federal Trade Commission (FTC) nor a subsequent stay order from the Eleventh Circuit putting the FTC’s opinion on hold would “make the list” of this publication.[1] It was expected that the Eleventh Circuit would issue a final decision in this matter by the end of 2017. Although a surprising delay has shifted the focus, the importance of the FTC’s role in policing cybersecurity, together with the pending Eleventh Circuit decision on the appeal of this FTC opinion, puts both the opinion and the pending decision on this publication’s must-review and must-watch list.
These important preliminary decisions are worth discussion because they highlight a current battle between industry and the FTC. The Eleventh Circuit’s ruling will provide additional important guidance and may significantly impact the FTC’s ability to police cybersecurity practices in industries which use sensitive consumer information. Presently, the FTC has no explicit statutory or regulatory authority to combat data security breaches. If the Eleventh Circuit agrees with the FTC, the agency will be able to continue determining what an “unfair” act and a “reasonable” security measure are on an ad hoc basis, leaving businesses that handle sensitive consumer information with some uncertainty as to how to implement a data security policy and potentially exposed to monetary penalties with almost no notice. Technology is constantly evolving and hackers are becoming more sophisticated; what may have been considered a “reasonable” security measure a few years ago may no longer be adequate. The medical device and drug industries inherently involve sensitive consumer information, and therefore this decision will have many implications for these industries.
Framework for Discussion
Below we first provide you with a basic understanding of the authority the FTC has relied on to police the cybersecurity practices of businesses handling sensitive consumer information such as LabMD, Inc. We then turn to the complicated procedural history of this dispute between LabMD and the FTC, which has spanned several years. Then we discuss the oral arguments before the Eleventh Circuit Court of Appeals heard on June 21, 2017, and an assessment of how the Court might rule. Lastly, we discuss what impact the Eleventh Circuit’s decision will have in the area of data security in the food and drug industries.
FTC’s Authority: Section 5 of the Federal Trade Commission Act
At this time, despite various legislative efforts in Congress, there remains no specific statute or regulation authorizing the FTC to police data breaches.[2] Instead, the FTC has relied on a broad interpretation of Section 5 of the Federal Trade Commission Act (Section 5), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Relying on Section 5, the FTC has indicated through its enforcement actions that private businesses must implement “reasonable” security measures and that the failure to do so can be an “unfair act or practice” under Section 5.[3]
The FTC has stated that the following considerations are touchstones in determining whether a business is implementing “reasonable” security measures: whether the data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information the business holds; the size and complexity of its business; and the cost of available tools to improve security and reduce vulnerabilities.[4] The FTC has also stated that while there is no single solution for “reasonable” data security practices, such a program should follow these basic principles:
(1) companies should know what consumer information they have and what employees or third parties have access to it;
(2) companies should limit the information they collect and retain based on their legitimate business needs so that needless storage of data does not create unnecessary risks of unauthorized access to the data;
(3) businesses should protect the information they maintain by assessing risks and implementing protections in certain key areas—physical security, electronic security, employee training, and oversight of service providers;
(4) companies should properly dispose of information they no longer need; and
(5) companies should have a plan in place to respond to security incidents, should they occur.[5]
Furthermore, in determining whether a company’s failure to protect against a data breach has violated Section 5, the FTC applies its “unfairness test.” The unfairness test applies the following factors in the context of data breaches: (1) whether the breach was likely to cause substantial injury to consumers; (2) whether the breach was not reasonably avoidable by consumers themselves; and (3) whether the breach was not outweighed by countervailing benefits to consumers or to competition.[6] As discussed in more detail below, the first factor is the primary issue in the LabMD v. FTC matter. Since 2002, the FTC has policed data security breaches by filing administrative actions against companies and typically obtaining a consent decree. If, after investigation, the Commission has determined that a company’s data security practices are “unreasonable,” the FTC files an administrative action against the company, with the company ultimately agreeing to a consent decree.[7]
LabMD, Inc. was a small Atlanta-based laboratory that performed cancer-detection testing services for doctors.[8] These services included the collection of sensitive personal information such as test results, Social Security numbers, and insurance data.[9] In 2008, an internet-security company named Tiversa informed LabMD that it had obtained sensitive patient information from LabMD.[10] The FTC eventually learned about the breach[11] and began an investigation of LabMD’s data-security practices.[12] In July 2013, the FTC gave notice of its intent to file an administrative action against LabMD.[13]
In August 2013, the FTC filed its administrative complaint, alleging that LabMD violated Section 5 of the FTCA by failing to prevent unauthorized access to its patient information. The FTC’s complaint alleged that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. The FTC asserted that the breach was an “unfair act or practice” within the meaning of Section 5.[14] Rather than reaching a consent decree like most companies do in response to such administrative actions, LabMD challenged the FTC.[15] LabMD’s motion to dismiss the administrative complaint argued that Section 5 did not apply to the specific context of data security breaches. The FTC denied LabMD’s motion to dismiss, asserting that Congress purposely delegated broad authority to the FTC to deem what is an “unfair practice.”[16] In November 2015, an Administrative Law Judge (ALJ) dismissed the FTC’s complaint.[17]
The FTC appealed the decision and one year later the agency unanimously overruled its own ALJ.[18] In so doing, the FTC found that the ALJ applied the wrong legal standard for unfairness and that LabMD’s security practices were “unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system” in violation of Section 5 of the FTCA.[19] The FTC’s final order identified the following lapses in security: LabMD did not maintain an automated intrusion detection system; it lacked file integrity monitoring software and penetration testing; it failed to monitor traffic coming across its firewalls; and it failed to provide its employees with data security training.[20] The FTC cited well-known and accepted standards, such as the regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that LabMD could have looked to for guidance in implementing its own data security policy.[21] As a result of LabMD’s security practices (or lack thereof), the sensitive medical information of 9,300 consumers was exposed. The FTC found that the exposure of these consumers’ sensitive medical information outweighed any countervailing benefits of LabMD’s lax security practice and was therefore an “unfair” practice.[22]
The FTC’s Final Order required LabMD to implement several data security measures. First, the FTC ordered that LabMD “establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security and confidentiality of consumers’ personal information.” Second, LabMD was ordered to “obtain initial and then biennial assessments and reports regarding its implementation of the information security program.” Third, LabMD was ordered to notify individuals whose personal information had been exposed. Lastly, LabMD was ordered to comply with standard orders issued by the FTC, which include record-keeping and compliance reporting requirements.[23] LabMD immediately appealed the FTC’s Final Order to the Commission, asking for a stay of the Final Order pending review of an appeal to the Eleventh Circuit Court of Appeals to vacate the FTC’s Final Order.[24] In its request for a stay of the FTC’s Final Order, LabMD argued that it was likely to succeed on the merits because the Final Order violated due process, was unsupported by substantial evidence, and was otherwise contrary to law. LabMD also argued that the FTC’s order would require LabMD to incur substantial compliance costs, which LabMD had no ability to pay as a result of the FTC’s investigation. Further, LabMD argued that there was no risk of harm to any consumers and that it was in the public interest to ensure the Commission’s order was constitutional.[25] The FTC was not persuaded that LabMD would prevail, for reasons similar to those addressed in its Final Order. Therefore, the FTC denied LabMD’s request for a stay of the Final Order.[26]
LabMD then turned to the Eleventh Circuit Court of Appeals for a stay of the FTC’s Final Order.[27] LabMD made arguments to the Eleventh Circuit similar to those it made to the FTC in its Application for Stay of the Final Order. The Eleventh Circuit noted that this case would turn on whether the FTC’s interpretation of Section 5 of the FTCA is reasonable.[28] In particular, it focused on whether LabMD’s practices “caused or is likely to cause substantial injury to consumers.”[29] LabMD argued that the FTC failed to assess whether it “caused or is likely to cause substantial injury to consumers” because it could not identify any tangible harm such as identity theft or physical harm.[30] The Eleventh Circuit indicated that it was not clear that a reasonable interpretation of Section 5 of the FTCA included intangible harms like those found by the FTC in LabMD’s case.[31] The Eleventh Circuit also did not think it was clear that the FTC reasonably interpreted the “likely to cause” prong of the unfairness test. The FTC interpreted “likely to cause” to mean “significant risk.” LabMD interpreted “likely” to mean “a high probability of occurring.” The Court looked to the plain meaning of “likely” and did not believe that the FTC’s interpretation was a reasonable one.[32] The Court agreed with the other arguments made by LabMD in support of its request for a stay of the FTC’s Final Order. Ultimately, the Eleventh Circuit Court of Appeals granted the stay, suggesting the court might be sympathetic to LabMD’s plight.[33]
The Appeal: Oral Argument
The Eleventh Circuit Court of Appeals heard oral arguments in the LabMD, Inc. v. FTC matter on June 21, 2017.[34] The Court focused the parties’ arguments on the following issues: (1) whether any unauthorized access giving rise to any potential privacy harm constituted a “substantial injury” under Section 5’s unfairness test, and (2) whether LabMD had sufficient notice that its data security practices ran afoul of the FTC’s rules.[35]
As to the first issue, LabMD argued that the legislative history of Section 5 was clear that the FTC should interpret “substantial injury” to be limited to tangible harm such as a financial loss, as opposed to an intangible harm where the consumer is not even aware of the harm. The Court seemed to latch onto this argument, as the FTC was forced to admit that no consumer affected by LabMD’s breach had filed a lawsuit, and as far as the FTC knew, no consumer was even aware that their personal information had been compromised. The Court characterized the injury involved in this action as a “tree fell and nobody heard it.”[36] But the FTC argued that LabMD’s characterization of the injury at issue was unfair, and suggested that the unauthorized disclosure of healthcare information, in and of itself, was a “substantial injury.” Further, the FTC argued that the legislative history and enactment of Section 5 took into account a long history of FTC enforcement actions, and that this history supported the FTC’s position that Congress intended the FTC to have the discretion to initiate enforcement actions. The FTC further argued that the legislative history of Section 5 did not state that “substantial injury” was limited to tangible harms.[37]
The Court then questioned the FTC at length regarding the Court’s concern that the FTC’s order did not provide LabMD with any notice of what it was doing wrong. LabMD suggested it was unaware of any insufficient data security practices at the time of the data breach. In response, the FTC argued that at the time of LabMD’s data breach in 2005-2008, all businesses knew they had a duty to have “reasonable” data security practices. The FTC drew comparisons to ordinary tort law, which requires all businesses to act reasonably. On rebuttal, LabMD pointed out that where businesses are held to the reasonableness standard in tort law, there are industry standards to inform what is reasonable. But here, a small company like LabMD did not have industry standards informing what were “reasonable” data security practices in 2005-2008. The Court responded that the “reasonable” data security practices standard was “about as nebulous as you can get.”[38]
The Court did express concern that it was limited to reviewing whether the underlying final decision by the FTC was supported by “substantial evidence.” Further, the FTC relied on Chevron deference, an administrative law principle that requires courts to defer to interpretations of statutes made by the government agencies charged with enforcing them.[39] LabMD countered that since the FTC misinterpreted the plain meaning of Section 5 in the first place, the Court could engage in a more thorough review of the FTC’s final order.
On one hand, the Court’s language in its order granting the stay of the FTC’s order seemed to doubt the FTC’s interpretation of Section 5 of the FTCA, suggesting it may side with LabMD. In addition, the Court appeared to side more with LabMD throughout oral argument. The Court took the matter under submission. However, the FTC’s ability to rely on Chevron deference could upend LabMD’s arguments. To date, the Eleventh Circuit has not issued a ruling on the appeal.
Impact and Conclusion
The Eleventh Circuit’s ruling on the LabMD v. FTC matter will likely have far-reaching effects in the area of data security. This may be particularly true in the healthcare industry, which is susceptible to data breaches involving sensitive patient information. The number of data breaches has risen and may continue to rise, especially as healthcare providers move towards interconnected facilities, hospital equipment, and medical devices. In fact, there are nearly 400 cases, each involving breaches of protected health information affecting 500 or more individuals, currently being investigated by the U.S. Department of Health and Human Services.[40]
If the Court affirms the FTC’s final order, the FTC can be expected to continue filing administrative complaints under Section 5 for data breaches against companies unless and until federal data security legislation is passed. If the Court overrules the FTC’s final order, there may be more companies challenging the FTC instead of reaching consent decrees. Regardless of how the matter is decided, companies should look to industry norms for data security practices. Times have changed since the data breach giving rise to this case. While there may not have been industry standards a decade ago, many know from personal experience at their own offices that data security measures have increased substantially in just the past few years. As work, commerce, and healthcare continue to become increasingly interconnected through the internet, basic security measures should be put in place to prevent data breaches.
Ginger Pigott is Vice Chair of the Pharmaceutical, Medical Device & Health Care Litigation Practice at Greenberg Traurig LLP in Los Angeles. She focuses her practice on products liability litigation with an emphasis on the defense of complex medical device and pharmaceutical products.
Richard Tabura is an associate at Greenberg Traurig LLP in Los Angeles. He focuses his practice on pharmaceutical and medical device litigation.
- LabMD, Inc. v. FTC, TBD (11th Cir ___) [See In re LabMD, Inc., Docket No. 9357, Op. of the Comm’n and Final Order (FTC July 29, 2016), https://www.ftc.gov/system/files/documents/cases/160729labmd-opinion.pdf].
- Jaclyn K. Haughom, Who Are the Real Cyberbullies: Hackers or the FTC? The Fairness of the FTC’s Authority in the Data Security Context, 66 Cath. U. L. Rev. 881, 904 (2017).
- LabMD v. FTC: Tackling “Unfair” Data Security Practices in the Eleventh Circuit, Center for Democracy & Technology (June 20, 2017), https://cdt.org/insight/labmd-v-ftc-tackling-unfair-data-security-practices-in-the-eleventh-circuit/.
- Fed. Trade Comm’n, Commission Statement Marking the FTC’s 50th Data Security Settlement 1 (Jan. 31, 2014), http://ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.
- 15 U.S.C. § 45(n).
- See Haughom, supra note 1, at 888.
- LabMD no longer does business, but its counsel argued that it is a going concern in order to support its argument that the matter is not moot.
- Supra note 2.
- LabMD, Inc. v. F.T.C., 776 F.3d 1275, 1277 (2015).
- Tiversa’s forensic analysts obtained sensitive information from LabMD. Tiversa tried to leverage this information in an effort to obtain LabMD’s business. After LabMD refused Tiversa’s business, Tiversa informed the FTC that LabMD had data breaches which involved customers’ personal information. LabMD, Inc. v. FTC, No. 16-16270-D, Order Granting Stay (11th Cir. Nov. 10, 2016), http://f.datasrvr.com/fr1/016/73315/2016_1111.pdf.
- Supra note 9. LabMD’s CEO publicly criticized the FTC’s actions by publishing a book called “The Devil Inside the Beltway.” In the book, LabMD’s CEO attempts to expose corruption in the FTC. Shortly after an online trailer was posted about the book, the FTC filed its administrative proceeding against LabMD.
- Jimmy H. Koo, Still Waiting on ‘LabMD’ Ruling on FTC Data Security Power, Bloomberg Law (Dec. 13, 2017), https://www.bna.com/waiting-labmd-ruling-b73014473153/.
- Supra note 2.
- See In re LabMD, Inc., Docket No. 9357, ALJ’s Initial Decision (FTC Nov. 13, 2015), https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.
- See In re LabMD, Inc., Docket No. 9357, Op. of the Comm’n and Final Order (FTC July 29, 2016), https://www.ftc.gov/system/files/documents/cases/160729labmd-opinion.pdf.
- See In re LabMD, Inc., Docket No. 9357, LabMD’s Application for Stay of Final Order Pending Review by a United States Court of Appeals (FTC August 30, 2016).
- See In re LabMD, Inc., Docket No. 9357, Commission Order Denying LabMD’s Application For Stay of Final Order Pending Review (FTC September 30, 2016).
- Supra note 10.
- Supra note 2.
- Oral Argument Recording, http://www.ca11.uscourts.gov/oral-argument-recordings?title=&field_oar_case_name_value=labmd&field_oral_argument_date_value%5Bvalue%5D%5Byear%5D=&field_oral_argument_date_value%5Bvalue%5D%5Bmonth%5D=&=Search.
- Chevron U.S.A., Inc. v. NRDC, 467 U.S. 837 (1984).
- Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, U.S. Department of Health and Human Services Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.