The Impact of LabMD vs. FTC Appellate Court RulingHow Will the Decision Affect the Agency's Data Security Enforcement Activities?
What impact will an appellate court's ruling Wednesday that vacated the Federal Trade Commission's data security enforcement action against LabMD have on the agency's long-term enforcement activities? Regulatory experts are weighing in.
See Also: The Global State of Online Digital Trust
For example, attorney Julie O'Neill, a partner at the Washington office of the law firm Morrison & Foerster, predicts that as a result of the court's decision, defendants likely will challenge any FTC order that lacks specifics about the type of security remedies the agency wants a company to implement
"The FTC has historically shied away from specifying particular security measures a company should take to avoid running afoul of Section 5 [of the FTC Act], given how quickly technology changes," says O'Neill, a former FTC staff attorney. "The FTC may have to find a middle ground - that is, to impose relief with enough specificity that a company understands what it has to do without specifying precise measures."
The appeals court ruling on Wednesday vacated a 2013 FTC enforcement action against LabMD in a dispute about an alleged security incident dating back a decade ago.
In the ruling, the appeals court says: "Assuming [the argument] that LabMD's negligent failure to implement and maintain a reasonable data security program constituted an unfair act or practice [under Section 5 of the FTC Act], the commission's cease and desist order is nonetheless unenforceable."
The court adds that the FTC's consent order against LabMD "does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD's data security program and says precious little about how this is to be accomplished."
LabMD had requested that the appellate court vacate the FTC's final consent order, issued in July 2016 that, among other things, required the shuttered company to establish a comprehensive information security program and obtain periodic independent, third-party risk assessments over the next 20 years (see Appellate Court to Rule on FTC's Case vs LabMD).
So Who Actually Won?
Some observers see the court ruling as a victory for the FTC, rather than LabMD.
"I would argue that the 11th Circuit opinion is a win for FTC," says privacy attorney Iliana Peters of the law firm Polsinelli. She's a former enforcement and compliance official at the Department of Health and Human Services' Office for Civil Rights.
"First, the court acknowledges that LabMD had serious data security issues, and agrees that FTC has the authority to regulate the data security practices of entities under the FTC's jurisdiction, like LabMD. Second, the court has, by implication, given the FTC the authority to specifically dictate the terms of required security measures for entities as part of the FTC's consent orders, which is also a win for the FTC."
In the past, the FTC had attempted to allow entities to determine the best security programs for their business models, Peters says. "Going forward after a consent order, however, it seems now that entities will have to work more closely with the FTC on specific security measures that the entities must implement as part of these consent orders, which could, in fact, create more burdens on entities to come into compliance."
Peters says the message from the LabMD case, and from all of FTC's recent data security cases, is that entities must take data security seriously.
"It seems common sense to say, but case after case shows that entities do not prioritize basic security hygiene, and do not prioritize good security practices as part of their corporate culture, and it looks like, to the extent the FTC gets involved, entities will now be required to work intimately with the FTC on getting into compliance."
Peters predicts the appellate court ruling is not likely the end of the LabMD case.
"I expect that given the seriousness of LabMD's noncompliance, FTC will continue with the LabMD case, perhaps by issuing a new, and more detailed consent order."
Why Not HHS?
So, would the FTC's case against LabMD for the alleged security incident involving patient data been stronger had OCR pursued a HIPAA compliance investigation?
"FTC and HHS coordinate closely on cases that go to enforcement, such that federal government resources are used in the most efficient way to get the best result for taxpayers," Peters says. "As such, I do not expect that this case will change the way that FTC and HHS OCR coordinate on investigations, settlements, and penalty cases."
Cybersecurity and privacy attorney Timothy Blank of the law firm Dechert LLP offers a similar assessment.
"I don't think it would have been stronger if OCR was involved," he says. "The court did not question the FTC's authority, just its vague implementation of that authority. If OCR had been just as vague, the ruling would have been the same.
"I do not think this weakens the FTC's authority in general. In fact, one could argue that the ruling confirms the FTC's authority, at least to the extent the FTC is more specific in its consent decrees. However, since many of the existing FTC consent decrees are equally as vague and indefinite as the court found the LabMD consent decree to be, the FTC may encounter some difficulties in enforcement actions based on those decrees."
The FTC complaint against LabMD filed in August 2013 alleged that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, putting individuals at risk for identity theft and medical identity theft, the FTC contended. LabMD's allegedly unsecured spreadsheet was discovered by peer-to-peer security firm Tiversa, which reported the matter to the FTC.
During testimony at an FTC administrative hearing, however, LabMD CEO Michael Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD's data after LabMD refused to buy Tiversa's remedial services. A former Tiversa employee also testified that it was a "common practice" of Tiversa's to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found "spreading" on the Internet in an attempt to sell the company's security monitoring and remedial services (see Bombshell Testimony in FTC's LabMD Case).
Today 11th Circuit came down like a guillotine on #FTC. Only problem is @FTC destroyed a #LabMD. Dead is dead. DC establishment is Dead Men Walking, fine with it. Judge Duffy told FTC, "You may have cancer one day & now there is one less facility to do that." @realDonaldTrump— Michael J Daugherty (@DaughertyMJ) June 7, 2018
Nonetheless, the FTC in August 2013 proposed a consent order against LabMD designed to prevent future violations by requiring the company to implement a comprehensive information security program that an independent, certified security professional would evaluate every two years over the next 20 years. The order also would have required that LabMD provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies.
LabMD fought the FTC's proposed enforcement action, arguing the FTC had overstepped its authority related to the medical lab's data security.
The appellate court ruling noted the vagueness in what the FTC considers a "reasonably designed" security program.
"The commission's motion alleges that LabMD's program failed to implement 'x' and is therefore not 'reasonably designed'... The injunctive provision contains no mention of 'x' and is devoid of any meaningful standard informing the court of what constitutes a 'reasonably designed' data-security program. The court therefore has no choice but to conclude that the commission has not proven - and indeed cannot prove - LabMD's alleged violation by clear and convincing evidence."
Important Questions Raised
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says the LabMD case "has been smoldering since 2013 during which a number of important questions were raised about the FTC's authority to enforce data security standards, exactly what are those standards and what evidence of consumer harm is necessary to sustain a FTC finding of unfair trade practices."
The court's decision "focuses on something completely different by finding the lack of specificity in the remedy applied by the FTC as the straw that broke the camel's back," he notes.
O'Neill argues that the court's ruling doesn't weaken the FTC's authority to take enforcement actions on data security issues. "However, it will be under pressure to craft consent orders in a way tailored to remedy the challenged practice - or omission - and to thus withstand challenge. This could affect its decision whether to move forward with particular matters."
Blank notes: "The industry has been calling for more specific guidance about compliance for a long time. I envision future FTC investigations and enforcement actions will be more interactive, with a focus on fixing the actual problem at hand rather than just creating an ill-defined mandate for future conduct."
But Holtzman says the FTC already has been working toward more transparency when it comes to its data security expectations.
"The court's decision did not reach the issue of the authority of the FTC to enforce data security requirements or the adequacy of those standards," he says. "It is notable that in the five years since initiating its enforcement action involving LabMD, the FTC has made substantial efforts to describe what are the data security expectations for safeguarding sensitive consumer information through its 'Start With Security' guidance followed by its 'Stick With Security' series of publications and blog posts."
In a statement, Tech Freedom, a technology policy think tank, notes that the FTC could now ask the full Eleventh Circuit Court for an "en banc" review the decision issued by a three-member panel, or it could file a petition for review by the Supreme Court.
"While today's decision is technically binding only in the Eleventh Circuit (Georgia, Florida and Alabama), it calls into question the FTC's approach to data security nationwide and raises the possibility that many of the FTC's past data security consent decrees could be invalidated for effectively bypassing the safeguards put in place on rulemaking by a Democratic Congress and Democratic president in 1980 after the commission's abuses of its rulemaking powers in the late 1970s," Tech Freedom notes. The organization's president, attorney Berin Szóka, tells Information Security Media Group that the group has "no relationship" with LabMD, other than rooting for the company and filing "amicus briefs" with the FTC and the 11th Circuit.
Tech Freedom also notes that the FTC "could ask Congress to write legislation to clarify how data security should be regulated. Such legislation shouldn't be conceived as a way to overrule the decision, but rather a way to ensure that companies, especially small businesses, have the clarity about how to assess whether they're doing enough to secure consumers' data."
Blank says that if this opinion had come down a few years ago, "I think the FTC would have certainly pursued en banc. It is an important decision. It's really a matter of due process, as the court said in its opinion."
But the current political environment makes further appeal less certain, he points out. "The Trump administration has signaled its preference for a more business-friendly environment, and this decision is certainly more business-friendly," he adds.
In the meantime, other entities should learn from the LabMD/FTC dispute, Blank says. "It is important to have a clear and comprehensive data security policy ... and it is also important to actually monitor and enforce your own policies and practices."