The Federal Trade Commission’s saga with LabMD began in August of 2013. Someone will write an interesting book about the twists and turns of this enforcement action. Maybe it will be better as a movie — plot twists, multiple sub-plots, changing narratives, interesting characters and a lot of David and Goliath — and the last chapter hasn’t yet been written.

Yesterday, the 11th Circuit issued its long-awaited decision on LabMD’s challenges to the FTC’s enforcement action, resulting in a decision to vacate the commission’s order. While there still is more to come, what does this case mean today for the FTC and for companies facing potential FTC enforcement action?

As this case has evolved, four key questions emerged:

  • Does the FTC have authority to act on data security compliance?
  • If so, does the FTC have authority to take action against a HIPAA-covered entity?
  • Is the FTC’s authority limited by a need to demonstrate consumer harm (and what level of harm is needed)?
  • Was the FTC’s decision in this single instance right or wrong?

Curiously enough, despite the attention paid to these issues, the court decision really focuses on a fifth issue: Was the relief sought by the FTC appropriate? The court assumed the first issue, avoiding any challenge or support for the 3rd Circuit’s Wyndham decision on this point. It said nothing whatsoever about the HIPAA issue and really didn’t talk much about consumer harm, a topic that an administrative law judge had focused on earlier in the process. The court also really didn’t address whether the FTC was just wrong in its judgment, the narrowest possible basis for a decision.

Instead, the court’s opinion turns on the relief sought by the FTC, rather than the “violation” itself. The key language is as follows: "In the case at hand, the cease-and-desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable."

The decision says that the commission’s order — which dictates a compliant information security program going forward — “does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul.” Therefore, the 11th Circuit vacated the FTC’s order.

So, what’s next? In Twitter language, it means confusion, nervousness, new challenges to the FTC’s authority and the need to develop new and improved compliance orders.

Let’s flesh this out. The 11th Circuit did not address the FTC’s general authority over data security. It simply assumed that this authority exists. A decision that directly undermined the FTC’s authority would have had enormous implications (including the possibility for Supreme Court review if there was a direct conflict with the Wyndham decision). It also could have led to congressional action to implement data security legislation – although Congress has not been able to do this on its own. The court didn’t do this at all, but it is fair to read the decision as being somewhat skeptical in this area. That will lead more potential defendants to act more aggressively about the FTC’s enforcement activity.

The biggest challenge in the short term will be the need for the FTC to figure out the path going forward in specific cases, once it has determined that a current violation exists. In some cases, the FTC has simply obtained an agreement of the party to implement the required regulatory or statutory practices. While that results in an enforcement “win” for the FTC, it may be hard for privacy advocates to see the benefits of an order getting a party to follow the law. Here, a broader, more general order requiring an improved overall data security program did not meet with the court’s approval. The FTC order required LabMD to implement a data security program “reasonably designed” to meet the FTC’s approval. How different is that from the idea that a company must maintain “reasonable and appropriate” data security standards (which is both generally the regulatory standard in many situations and also the standard the FTC generally uses to launch its enforcement efforts)? The court seemed to assume that the FTC could determine what is a reasonable and appropriate data security program now, but could not leave that scope open going forward.

It is possible that this decision may lead to more efforts to give the FTC additional authority in this area. Perhaps the FTC will try to define more clearly — presumably through guidance — what it views as these reasonable and appropriate standards (although IAPP and others have collected this information from prior cases). Unlike most enforcement agencies, the FTC does not have the authority in the first instance to fine or penalize companies on data security issues. So the FTC is forced to focus on the future, while other enforcement agencies can focus on the past.

Much like the Supreme Court’s Spokeo decision — which has launched a thousand new court challenges in an effort to address a common issue — we can expect that potential defendants will become more aggressive in challenging the FTC and that the FTC in response may direct its challenges in a more focused manner where specific identifiable problems can be enumerated. Putting aside broader political questions of where the FTC is going in this area overall, companies clearly will benefit from a more significant focus on overall policies and procedures and more aggressive efforts to manage overall security risks. Companies that can demonstrate a thoughtful basis for a reasonable and appropriate security program may find even more benefits from this activity. While it is important to prepare for an FTC investigation, it also is important to remember that any government enforcement action typically lags far behind many of the other results of a security breach — including adverse publicity, altered business relationships and class-action lawsuits.

While the LabMD decision by the 11th Circuit is interesting, important and, frankly, a bit surprising, we should expect that it will not immediately alter the overall landscape for data security enforcement, but it will lead to more opportunities for well-prepared defendants to respond appropriately to enforcement investigations. The FTC’s challenge will be to navigate the tricky lines left by the court’s decision — the FTC’s current ability to determine that existing security issues were not reasonable and appropriate, but an apparently tougher standard in defining what that behavior must be going forward.