The Federal Trade Commission (FTC), the federal consumer protection agency created in 1914 to break up large, anticompetitive monopolies, has recently focused its efforts on regulating consumer privacy and data protection. Although some specific kinds of data are subject to various federal legal requirements—such as medical information under HIPAA—and states have their own laws governing privacy and protection of data, the United States, in contrast to Europe, does not have a specific federal statute governing protection of data. Since the 1990s, the FTC has viewed itself as the federal agency tasked with the general enforcement of digital privacy and data security issues in commerce.
Unlike many other federal agencies, the FTC does not emphasize rulemaking through the promulgation of formal administrative regulations, particularly when it comes to cybersecurity. Instead, the FTC views itself primarily as an enforcement agency to bring enforcement actions (i.e., civil lawsuits) against individual companies alleged to have violated industry security standards.
On January 25, 2017, soon after taking office, President Donald Trump designated Maureen Ohlhausen, one of the existing five commissioners of the FTC, to serve as acting chairman of the agency. She takes over the FTC amid an important case that could have a significant effect on the future of the agency’s enforcement efforts.
The case in question – LabMD v. FTC – deals with whether the FTC has authority to fine companies for substandard security practices in the absence of an actual data breach. In this case, an employee of a clinical laboratory accidentally shared a document containing confidential patient information (including social security numbers and medical and insurance information) while using a peer-to-peer file-sharing service. There was no evidence that anyone actually downloaded the file, except one security firm that discovered the vulnerability and then reported it to the FTC after LabMD refused to pay the firm a “consulting fee.” The FTC launched an investigation into LabMD’s security practices, and ultimately filed a complaint against the company.
LabMD ceased operations in early 2014, in large part due to the expense of fighting the FTC’s charges. Since that time, it has been almost completely defunct, operating only in a very limited capacity to respond to occasional requests for patient data, which it is required by law to keep and which now exists solely on an unplugged computer.
The FTC alleged in its complaint that LabMD violated the federal law against unfair and deceptive business practices, even though the harm occasioned by this alleged violation was minimal at best, and potentially speculative. The FTC, nevertheless, argued that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” Therefore, the FTC concluded that the harm to consumers resulting from LabMD’s unauthorized disclosure of sensitive health information was “in and of itself a substantial injury.” LabMD challenged this ruling and the case is currently on appeal at the U.S. Court of Appeals for the Eleventh Circuit.
Although a final decision on the merits of the appeal has not yet been issued, a recent ruling by the Eleventh Circuit on a request by LabMD for a stay pending appeal—granted upon a showing of a likelihood of success—foreshadows a likely sea change in the enforcement processes that the FTC will be able to use going forward. In granting LabMD’s requested stay of enforcement of the underlying judgment in favor of the FTC, the Court questioned whether the FTC’s interpretation of the law is reasonable in light of the speculative and intangible nature of the consumer harm allegedly caused by LabMD’s actions, perhaps signaling that the FTC may not be able to initiate enforcement actions as aggressively as it has in the past.
Incoming FTC acting chairman Maureen Ohlhausen has long advocated for a light touch in crafting government regulations, which she has criticized as one-size-fits-all solutions not flexible enough to adapt to changes in technology and business models. While she has stated she does not want the FTC to prospectively dictate the level and type of security mechanisms that businesses must use, she remains a staunch supporter of the FTC’s aggressive enforcement campaigns against individual businesses, to address actual privacy practices on a case-by-case basis in light of prevailing industry standards. Notwithstanding this position, the FTC may or may not be able to continue to pursue companies before customer data is actually stolen, depending on how the Eleventh Circuit ultimately rules in the LabMD case.
There is no question that businesses should want to avoid FTC scrutiny into their cybersecurity practices in the first place, to the greatest extent possible. If a data breach occurs, the expense and time needed to respond to and to defend against an FTC investigation can itself destroy a business, even without considering the severe penalties the FTC can impose on a company in the course of settling the case through a consent agreement. Moreover, the potential civil penalties and costs associated with an investigation do not take into consideration the other costs and loss of reputation that are likely to plague a business confronted with a data breach.
Data security incidents are becoming more and more prevalent, and so for many companies, the question is not whether business data will be breached, but when. Companies, therefore, need to ensure they establish adequate policies and procedures for handling customer data and what to do in the event a data breach occurs.
For a more detailed discussion of the LabMD decision, please download the attached PDF (LabMD Article).