Last week, the U.S. Court of Appeals for the Eleventh Circuit heard arguments in the continuing saga of the LabMD, Inc. v. Federal Trade Commission case. LabMD argues the court should vacate the FTC's 2016 order that it implement a data security program for the next 20 years, among other requirements, on the basis that the FTC overstepped its authority in the case. The FTC says LabMD should have known its data-security obligations, and the language of the FTC Act supports the FTC’s order.

In arguments, the three-judge panel questioned why the FTC wouldn't simply turn to rulemaking as opposed to an individual enforcement against LabMD, if its impetus for the case is to prevent future and similar incidents, and questioned whether an injury had, in fact, occurred, with Judge Eduardo Robreno saying, "A tree fell and nobody heard it, that's the case we have here."

Many observers are closely watching the case, as it could potentially help define the scope of the FTC's power to enforce its Section 5 authority in matters of cybersecurity and privacy.

Quick(ish) history

The FTC's initial complaint, filed in 2013, said the company, a medical testing laboratory, failed to reasonably protect the security of consumers' personal data, including sensitive medical information. The complaint alleged two separate incidents in which a spreadsheet of information, including Social Security numbers, was exposed on a peer-to-peer file-sharing network. (For details on the case, see the IAPP's FTC Casebook.) The complaint alleged LabMD's lax data security standards caused or were likely to cause substantial injury to consumers.

In 2015, Chief Administrative Law Judge Michael Chappell ruled to dismiss the FTC's complaint. It was the first time a company won a challenge to an FTC complaint brought on the basis of unreasonable information security. But the FTC overturned that judge's decision and issued a final order requiring LabMD to implement compliance measures. In November, however, in yet another twist, the 11th U.S. Circuit Court of Appeals held that in cases of a security breach, emotional harm and other acts causing a low likelihood of harm might not meet the FTC Act's definition of "unfairness," on which this entire case is predicated. It granted LabMD a stay against the FTC's order, indicating LabMD might have a chance on appeal.

Following a number of defeats in its fight with the FTC, LabMD shut down operations. But the now-defunct company continues to challenge the case, and it has received support via amicus briefs from various groups, including doctors, Tech Freedom and the National Technology Security Coalition.

June 21 arguments 

Now representing LabMD in the case, Douglas Meal of Ropes and Gray first addressed why this case isn't moot given LabMD is no longer operating. LabMD "still is an existing company," he argued, "it still is subject to the order. ... We're here because the order will have significant, real, practical impact on LabMD. It does survive. It's here today presenting its case."

Meal said the 11th Circuit should vacate the FTC's order for three basic reasons. First, the court shouldn't accept the FTC's interpretation that "purely conceptual privacy harm that the FTC found to exist, whenever there is any unauthorized access to any personal medical information, constitutes substantial injury within the meaning of Section 5 under the FTC Act." Nor, he said, should the court accept the FTC's interpretation that "likely injury" as defined under Section 5 of the FTC Act includes "low likelihood harm," even in cases where the potential harm is large.

Meal added that subjective injuries are expressly excluded by the FTC's policy statement, and that was Congress's intent when it approved the FTC's Section 5. 

"And what the FTC is basically saying here to this court, is, 'Hey, that was then, this is now; privacy is important, data security is important, and we should be able now to read 'substantial' to include a subjective injury like this, even though the policy statement said we wouldn't.'" 

Second, Meal said the court shouldn't give the FTC "Chevron deference," which, in layman's terms, means the court would defer to the agency's ruling in the case because of its expertise on the subject matter. The commission's interpretation of Section 5 of the FTC Act, Meal argued, is unreasonable in this case, so no such deference is warranted.

Finally, Meal said LabMD didn't have "ascertainable certainty" of what its data security practices should have been back in 2007, when the first infractions were said to have occurred at LabMD. 

In response, FTC attorney Michael Hoffman said the commission is looking to common law to define substantial injury. In defining the injury, Hoffman argued there are people who "don't even know they have been injured," but that doesn't mean an infraction hasn't occurred. "The victims don't even know they've suffered injury." 

The FTC also argued that "companies have an obligation to act reasonably under the circumstances."

To which Judge Gerald Bard Tjoflat replied, "That's about as nebulous as you can get unless you get industry standards ... but I don't see any industry standards here."

"There certainly were industry standards," said Hoffman. For example, NIST standards or Centers for Medicare & Medicaid Services standards. And in the case of entities like LabMD, "They're in the medical space, there's also HIPAA. So all of these things help, are designed to help companies determine what's reasonable under the circumstances." 

Meal countered, "There was no evidence of industry standards." He said the standards Hoffman pointed to were examples of what other companies do, but that's not an industry standard. He also argued LabMD is a tiny medical entity, not a major healthcare entity, and that the standards cited were created for behemoths, not for companies of LabMD's size.

Robreno asked Hoffman about the FTC's approach itself.

"Is there any outer limit to this approach?" asked Tjoflat. "You're just looking for prophylactic measures, isn't that what we've got here? ... You can go to any company, any place where there's any privacy information and lay it out there because there's a potential for injury?"

Hoffman agreed that there sometimes isn't rulemaking because it's unclear what the nature of security or privacy violations will be, and that regulating on a case-by-case basis is just what the agency is entitled to do.

"You don't do the rulemaking 'cause you can't anticipate the problems until they occur," said Tjoflat.

"That's certainly one reason why we don't do rulemaking, in this particular instance," Hoffman said. 

"So this is a substitute?" Tjoflat asked of the FTC's order. 

"Yes," Hoffman said. 

The judges repeatedly took issue with the fact that, as Tjoflat said, "there is no standard here except unreasonable in retrospect." 

In closing, Hoffman said of LabMD, "LabMD certainly knew of its obligation to act reasonably and implement data security. ...  That's what they said on paper. But they didn't put into practice what they put on paper. And that's the reason we're here." 

Meal's final take, on behalf of LabMD?  

"We're here because what happened here shouldn't have happened here. And yes, there is absolutely—I'm not gonna walk away from it one bit—there is a matter of principle that is very important to LabMD in this case. Absolutely, that is part of why we're here, for sure."

To hear the arguments in full, find the audio recording here.

Asked for comment on the day's proceedings, Meal told The Privacy Advisor: "We greatly appreciate the time and attention the Court is giving to LabMD's arguments, and we look forward to receiving the court's decision."

The FTC declined to comment, saying it does not comment on pending litigation.

The privacy world now awaits the Eleventh Circuit Court's ruling, though it's unclear when that will come. 
