The FTC Faces New Hurdles After Eleventh Circuit Decision

This post is authored by Kacey Jennings, a second-year law student at Villanova University’s Charles Widger School of Law. Ms. Jennings is a legal intern with the XPAN Law Group.

When I was growing up, you couldn’t ask Alexa to play the newest album from your favorite artist. There was no Spotify or Apple Music in the early 2000s. If you wanted to listen to the latest music, sacrifices had to be made: either you ponied up the cash to buy the CD or you risked infecting your computer with every virus known to man. Burning CDs from LimeWire was a favorite pastime of mine, so I relish the opportunity to discuss it today in reference to the Eleventh Circuit’s decision in LabMD, Inc. v. F.T.C.

First, a little background on cybersecurity law in the United States. At this point, there is no comprehensive federal law that regulates cybersecurity or information privacy throughout the country, only laws tailored to specific industries (HIPAA, which applies to the healthcare industry; the Gramm-Leach-Bliley Act, which applies to financial institutions; COPPA, which applies to websites and services directed at children; etc.). While Congress has attempted, on numerous occasions, to create comprehensive legislation to regulate cybersecurity and privacy, there is still no broadly applicable data protection regulation. Although many administrations have recognized the need for cybersecurity reform in the US, to date we still have not seen any significant change. In this vacuum, states have recognized the need to protect consumers by implementing breach notification and other related laws, but many of these laws apply only to residents and leave questions about enforcement against businesses operating in multiple states and internationally.

In spite of this lack of uniform policy from the federal government, the Federal Trade Commission (FTC) has championed consumer privacy regulation by investigating and lodging complaints against businesses it deems to have lax cybersecurity policies that result in breaches of consumer data. It derives the authority to do so from Section 5 of the Federal Trade Commission Act (FTCA), which prohibits “[u]nfair acts or practices that cause or are likely to cause substantial injury to consumers.” (See FTC v. Wyndham Worldwide Corp., where the Third Circuit ruled the FTC has the authority to regulate data security.)

Ultimately, many companies settle with the FTC when these findings are made, including, among others, Uber (which, according to the FTC, failed to monitor employee access to consumer data) and VIZIO (which allegedly tracked and sold sensitive information to third parties). Settlements often amount to millions of dollars, with the companies agreeing to implement privacy programs that include independent audits.

In 2013, the FTC filed an administrative complaint against LabMD, a laboratory that performed cancer-detection services, under Section 5 of the FTCA. The complaint was based on an incident where a LabMD employee uploaded company documents, including sensitive patient information, to LimeWire, a peer-to-peer file-sharing program. Tiversa, a third-party firm, used LimeWire to gain access to LabMD’s patient information, which included names, social security numbers, copies of checks, and bank account information. Tiversa disclosed the breach to LabMD in an attempt to show the laboratory its vulnerability in order to get hired to improve its cybersecurity. When LabMD refused to hire Tiversa (big surprise, who wants to hire someone who just hacked them and proceeded to blackmail them?), Tiversa alerted the FTC, which launched a three-year investigation. The result of the investigation was that the FTC ordered LabMD to broadly cease and desist and install data-security policies that would comply with its reasonableness standard. The FTC based its complaint on a negligence theory.

In June 2018, the Eleventh Circuit decided that the FTC failed to determine which specific acts by LabMD were unfair under Section 5 and overruled its order. The court also determined that the FTC’s cease and desist order told LabMD to replace its data-security program without clarifying what a reasonable policy would look like. As mentioned before, the FTC argued its claim under a negligence theory, but the Eleventh Circuit rejected that too. In a footnote, the court cited Section 5(n), which says, “In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” The court went on to say that the act alleged by the FTC must be unfair “under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.”

This holding raises many interesting questions about the future of cybersecurity and privacy regulation by the FTC. If it needs to point to a specific statute, will it have to rely exclusively on state law? The segmented and complicated federal legislation in place will give the FTC a run for its money. Will the Eleventh Circuit’s decision strong-arm Congress into making a comprehensive cybersecurity and privacy law? Did the Eleventh Circuit take the teeth away from one of the only entities in the US that was protecting consumers from poor corporate practices? It will be interesting to see future litigation, especially whether this decision will persuade lower courts not bound to follow the Eleventh Circuit, and whether the Supreme Court will decide to take a crack at LabMD.