Oral Argument in LabMD Case to Test FTC’s Enforcement Authority

Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.

The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.

Companies under the FTC’s jurisdiction, from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.

Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.

To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.

A Question of Harm

The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.

LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.

The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”

The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.

Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.

LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.

LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.

To contact the reporter on this story: Jimmy H. Koo in Washington atjkoo@bna.com

To contact the editor responsible for this story: Donald Aplin atdaplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.