03 Aug FTC’s efforts in LabMD lack required due process and don’t actually improve security
Written by Gus Hurwitz
In yesterday’s post, I looked at some of the key features of the FTC’s recent LabMD opinion, in which the FTC rejected the findings of the administrative law judge (ALJ) who had thrown the case out last November and instead found that LabMD’s security practices, which failed to prevent a data breach, were unreasonable under Section 5 of the FTC Act. Today I take a broader look at whether its efforts in these cases actually improve the state of data security in the United States (foreshadowing: no).
FTC’s flawed theory of how security decisions are made
The FTC’s approach to data security regulation has been to bring enforcement actions against firms that experience data breaches, on the theory that other firms will take heed of these actions, learn lessons from the mistakes of others, and improve their own data security practices. Unfortunately, the FTC’s approach to data security doesn’t actually improve how firms make decisions about security and, more important still, does nothing to improve the overall state of the security ecosystem.
The problem is that the FTC’s vision is not how firms make decisions about data security – few firms turn to the FTC for data security guidance. The very fact that the commission believes that a mid-size medical testing lab in Georgia, or a consulting firm in Iowa, or a small logistics company in Nebraska will ever think to turn to the FTC in Washington, DC, for guidance about data security practices defies reason. The thought that businesses such as these will monitor the FTC web page for press releases about settlements the FTC reaches, or that they will pay attention to workshops hosted by the FTC, or that they will read the Federal Register, is the high point of regulatory arrogance.
FTC hopes nobody notices the lack of notice
Two of the FTC’s data security cases – LabMD and Wyndham – have been reviewed in whole or in part by six independent jurists: an ALJ, two District Court judges, and three Circuit Court judges. Every one of these jurists has recognized potentially serious due process issues with the commission’s approach to these cases. Five of the six have actually rejected or suggested they would reject the FTC’s claims that its data security efforts provide constitutionally sufficient notice to those who may be subject to FTC action. Only the FTC believes its approach to these issues is appropriate.
In the LabMD opinion, the FTC says “We provided ample notice to the public of our expectations regarding reasonable and appropriate data security practices by issuing numerous administrative decisions finding specific companies liable for unreasonable data security practices,” and that “LabMD cannot seriously contend that it lacked notice that its security failures … could trigger Section 5 liability.” It is incredible that the FTC believes this – and an incredibly acute demonstration of the agency’s arrogance. Recall, the proximate cause of the data breach central to this case was the use of LimeWire installed on an employee’s computer between 2005 and 2008. To support its argument that LabMD had notice, the FTC cites two of its earliest data security enforcement actions, settled in 2005 and 2006. In other words, at the time of LabMD’s alleged transgressions, literally no one other than those closely following unlitigated FTC consent decrees would likely be aware of the FTC’s efforts. Indeed, the meaning of those efforts have been the subject of intense regulatory and academic debate for the past several years – since after any of LabMD’s alleged transgressions. Yet the FTC imputes sophisticated knowledge of them to LabMD.
The Third Circuit Court of Appeals recognized these issues in its review of the Wyndham case. While it affirmed the FTC’s legal authority in that case, it did so on the grounds that Wyndham’s conduct was so egregious that it could constitute an “unfair” practice under a lower-burden standard used by the Article III courts. The judges used this standard instead of relying on the body of precedent that the FTC has been attempting to develop for standalone data security cases. In fact, the judges expressly agreed with Wyndham that the materials the FTC pointed to (the same materials that the FTC cites in LabMD) as having provided firms with notice of its data security standards were problematic. They say, for instance that “consent orders … were of little use to it in trying to understand the specific requirements imposed by [the FTC],” and that “it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees,” and that materials such as an FTC guidebook published on the FTC website did not provide sufficient notice (under the standard that applies to the FTC’s administrative actions, not to Article III courts) of the cybersecurity practices the commission found problematic. Under the standard of review the Third Circuit applied to its review of Wyndham, it did not need to decide the notice issue – but the judges sent very clear signals that they believe the commission’s theory of notice is constitutionally insufficient.
Oddly, the FTC ignores all of these concerns in LabMD, saying nothing about either the Wyndham judges’ or the ALJ’s concerns. Interestingly, they do refer to the Wyndham court’s citation of a separate case, Lachman, to support the proposition that agency adjudications are sufficient to provide notice. As an initial matter, the Wyndham court cites Lachman for the proposition that agency adjudications canprovide sufficient notice, not that they necessarily do. More important, Lachman addressed regulations “addressed to sophisticated businessmen and corporations which, because of the complexity of the regulatory regime, necessarily consult counsel in planning their activities.”
That is the crux of the problem with the FTC’s efforts to regulate data security. It is not trying to regulate the specific practices of a specific industry. It is trying to regulate the general practice of all industry – from big, sophisticated firms down to, quite literally, every small business in America. Most businesses that the FTC would subject to its data security efforts are not “sophisticated” or operating in “complex regulatory regimes.” Very few businesses would think to consult with counsel to design their IT systems. The only people on the planet who think that lawyers should be involved in businesses “planning their [IT] activities” are bureaucrats in Washington, DC.
Indeed, there is a bitter irony in all of this. The FTC likes to think that its settlements and consent decrees, along with a handful of workshops and guidance documents published on its website a decade ago, are sufficient to provide notice of its data security regulations. In reality, only a small subset of the world knows about these efforts. And the truth is that the only reason that most of those who do know about these efforts have taken any notice is because LabMD and Wyndham had the audacity to challenge the FTC’s authority.
Who will the FTC go after next?
As has been famously quipped, there are two types of businesses in the United States: those that have experienced a data breach and those that don’t know that they have experienced a data breach. To the FTC, all of these firms – that is, approximately every business in the United States – are liable for unfair practices. The only thing keeping most of these firms out of legal jeopardy is the beneficence of three FTC commissioners (or, more, a small cadre of FTC staff attorneys who have discretion to conduct these investigations).
The FTC has doggedly asserted that they only take action in cases of unreasonable data security practices, and that in so doing they are informing the business community about bad security practices in a way that improves overall security. But this is not what they are doing. Their approach does little to meaningfully inform the community about good or bad security practices.
If anything – if the FTC really cared about improving data security, instead of about expanding its bailiwick – the commissioners would send LabMD a thank-you card and a check. LabMD, in its efforts to fight the commission’s data security crusade, has probably done more to promote good data security practices than the FTC’s crusade itself ever could hope to accomplish.