Law360, New York (February 2, 2017, 6:53 PM EST) — Ropes & Gray’s work on what’s sure to be one of the most important privacy decisions coming down the pipe in 2017 — LabMD’s appeal against the Federal Trade Commission over its data security practices — makes the firm’s privacy team one of Law360’s Practice Groups of the Year.
Ropes & Gray defended some of the biggest privacy cases of the year, including taking on the role of lead counsel in the LabMD appeal against the FTC, which will serve as an important test deciding whether the Federal Trade Commission has authority to bring cases on intangible consumer injuries.
LabMD tapped the firm in August to bring the case to the Eleventh Circuit, part of a sprawling grudge match with cybersecurity company Tiversa that started with the alleged theft of a patient data file.
The FTC began its investigation into LabMD’s data security practices in early 2010 after cybersecurity firm Tiversa Holding Corp. allegedly stole medical data from the company’s systems. The commission then opened an administrative complaint against the lab in August 2014, saying the company violated the FTC Act’s prohibition on unfair acts and practices on the basis that its security measures didn’t provide reasonable security against theft.
In that case, Ropes & Gray attempts to portray an FTC that has too rigorously flexed its regulatory muscle. The firm argues that an order issued by the commission against the cancer-testing company in July, which requires that LabMD take measures like setting up an information security program and obtaining biennial assessments by an outside auditor — would “effectuate a breathtaking expansion of the FTC’s authority that the legal community and members of Congress have already called into serious question” if allowed to stand.
”What the FTC did here was so egregious in so many different ways,” co-chair Doug Meal said about the case, adding that an appeal win for LabMD “will make the playing field way different.”
In Ropes & Gray’s view, the FTC’s enforcement authority in the privacy and data security space will be dramatically expanded if the FTC decision is upheld.
When it comes to those high-stakes cases like LabMD, it’s all hands on deck, said the group’s co-chairs Meal and Heather Sussman in Boston, and Rohan Massey in the UK. Ropes & Gray has a big team of privacy attorneys that work together across geographies to bring to bear the right expertise and strategies on a case. Sometimes that means being selective with bringing arguments, Meal said.
“We really pressure tested every argument at length to identify which arguments we thought would be the ones to advance,” Meal said about the LabMD case, which meant leaving “some very, very substantial issues on the cutting-room floor because we felt there were better tactics to make certain arguments in detail, and tellingly.”
“Those are the kind of choices you have to make when you’re arguing an appeal,” he added.
But the LabMD litigation, as Meal puts it, isn’t the group’s first rodeo when it comes to handling a major appeal, and the case adds to an already meaty list of data breach clients, including Wyndham, Hilton, Genesco, Aldo, Target, TJX, Heartland, Home Depot, Neiman Marcus, Sony, and Supervalu, among others.
In the Wyndham case — the first-ever lawsuit challenging the FTC’s authority to regulate data security practices and to hold a franchisor liable for alleged data security infractions committed by its franchisees — Ropes & Gray negotiated a consent order with the FTC that dismissed the lawsuit and imposed narrower obligations on Wyndham than the FTC has typically obtained against targets of its data security actions.
That groundbreaking dispute over the scope of the commission’s data security authority was sparked in June 2012, when the FTC filed its complaint alleging Wyndham had violated both the unfairness and deception prongs of Section 5 by failing to maintain reasonable and appropriate security measures. The security failures allegedly led to at least three data breaches between April 2008 and January 2010, which exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss, according to the regulator.
Also this past year, Ropes & Gray’s privacy group continued advising and representing Target stores in the company’s response to the highly-publicized data breach that Target announced in December 2013, securing approval of a proposed settlement of the class actions filed by banks and credit unions on May 12, 2016, and a dismissal of those class actions in May.
As for the success of the privacy group, the co-chairs agree Ropes & Gray’s “one-firm” approach and culture of collaboration across practice groups and geographies (the firm has offices in New York, Boston, London, Tokyo and Shanghai, to name a few) has been very effective in servicing clients.
“We always have and continue to work together as a team and very collaboratively on all of our matters,” Meal said, noting that “everyone on the team knows pretty much what everyone else is doing,” helping each other out on projects.
Sussman agreed, noting companies around the world increasingly tap the compliance arm of Ropes & Gray’s privacy practice to get in line with data security regulatory requirements, knowing the firm has a network of the best local experts to call on.
— Additional reporting by Cara Salvatore and Allison Grande. Editing by Ben Guilfoy.