Representing LabMD in its successful petition to the U.S. Court of Appeals for the 11th Circuit has been a fascinating experience in a number of ways. One of those is what the case reinforced for us about how the state of cybersecurity regulation in the United States could be greatly improved.
While there is more to this topic than can possibly be covered in a single column, we address two aspects here: First, this case highlights how the FTC’s “regulation by consent decree” approach is simply not working. Second, it shows how readily a false narrative can be created about a company’s security measures and the supposed ease of implementing additional measures, such that regulators end up seeking to address issues that either do not exist or have been greatly exaggerated, and then impose requirements that actually do more harm to consumers than good. There is no time like the present to fix these pressing issues with our country’s regulatory approach to cybersecurity, and it is our hope that a silver lining to this case will be a greater understanding of the costs and benefits of regulatory action in this space.
Regulation by consent decree
The FTC’s “regulation by consent decree” approach in the cybersecurity space had already been hotly debated for many years before we took on LabMD’s appeal to the 11th Circuit, and we had been on the front lines of this dispute through representation of other clients in FTC investigations and litigation. Working on the LabMD case once again threw the drawbacks of the FTC’s method into stark relief. LabMD was a tiny cancer detection laboratory that was forced to go out of business as a result of an enforcement action by the FTC alleging that LabMD’s cybersecurity measures were “unreasonable,” allegedly resulting in a vulnerability on its computer network in 2007-2008 that enabled a self-described cybersecurity firm named Tiversa to take a file with patient information. When asked how LabMD could possibly have known back then what the FTC considers “reasonable” or “unreasonable,” the agency pointed to consent decrees — settlement agreements embodied in FTC and court orders — that it had previously entered into with other companies. But those decrees were not helpful at all to LabMD (or anyone else) back then in understanding the FTC’s position. For one thing, they were not the sorts of sources one would normally consult to understand legal requirements. They were settlements, not adjudications, and the companies at issue admitted no liability.
More importantly, the consent decrees did not elaborate on what “reasonable” security entails in any meaningful way. Critically, many of the security measures the FTC faulted LabMD for allegedly failing to implement in 2007-2008 were not mentioned in any of the decrees that predated that time period, and none of the decrees came even close to stating that the precise combination of security measures the FTC faulted LabMD for allegedly failing to implement was required. The other sources the FTC pointed to as “guidance” — such as a 2007 pamphlet the agency had issued — were similarly unhelpful.
The FTC nevertheless proceeded to bring an action against LabMD, destroying LabMD’s business. To make matters even worse, the FTC then entered an order compelling the defunct LabMD to overhaul and replace its data security program to meet the FTC’s still-undefined reasonableness standard. The order provided no meaningful guidance as to how LabMD could accomplish this. A district court would have been charged with managing the required security program overhaul with no standard governing how it should do so. The 11th Circuit picked up on these problems and held that the Commission’s order against LabMD was unenforceable. This was sufficient to overturn the FTC’s action against LabMD, so the court did not reach many of the other problems with the FTC’s action.
Among other things, the court’s decision illustrates that, whatever the solution to the country’s cybersecurity crisis may be, it must give companies fair advance notice of what they are legally required to do, and it must give courts a workable standard for deciding cases. The FTC’s consent decrees in the cybersecurity area do not come close to doing that and do not even vaguely resemble something equivalent to a “common law” of cybersecurity as some commentators have argued.
Aside from their failure to provide courts and companies with any reliable guidance on what Section 5 does and does not require in the cybersecurity context, FTC consent decrees are not decisions arrived at based on independent fact-finding by an impartial tribunal through an adversarial process and thus bear none of the fundamental hallmarks of common-law decisions arrived at by courts of law.
False narratives and mistaken analysis
But there is another pressing problem with the U.S. approach to cybersecurity that this litigation underscored to us, and that is the pervasiveness of false narratives that are both unfair to the victims of those falsehoods and also undermine the efficacy of regulation.
When we dug into the record in the LabMD case, we found that many of the FTC’s findings that LabMD lacked specific security measures had inexplicably ignored a host of evidence establishing that LabMD in fact did have the measures in place, including: (1) LabMD’s letters to the FTC explaining its network architecture and security measures generally, (2) evidence regarding LabMD’s security policies and training practices, (3) testimony and documents regarding LabMD’s anti-virus tools, (4) expert testimony regarding LabMD’s network security measures, (5) evidence that LabMD’s access practices were necessary for LabMD employees to perform their job functions, (6) LabMD’s network configuration, including certain firewalls, and (7) LabMD’s security-related walk-arounds and manual inspections. Worse, the FTC based its conclusion that LabMD lacked these measures on speculation by LabMD employees who were not even employed by the company during the relevant period (and so could not testify as to LabMD’s practices at that time) and others who were deposed without LabMD’s counsel present. This was not the first time we have seen cybersecurity regulators make mistakes about the facts, but in the LabMD case these mistakes actually formed the basis for an adjudication finding the company liable and ordering the company over its objection to overhaul its practices.
The 11th Circuit had no occasion to rule on the FTC’s missteps on these fronts, because, as noted, it had already overturned the FTC’s ruling on the ground that its order was impermissibly vague. But the court did note LabMD’s implementation of many of the above measures in its background discussion of the facts of the case.
We also discovered that the FTC had completely overlooked many significant costs associated with the additional measures it claimed LabMD should have implemented in order to attain “reasonable security,” such as the enormous personnel costs of implementing, maintaining, and monitoring those measures on a day-in, day-out basis, which would have been passed on to patients. And the FTC never quantified the benefits that would have accrued from implementing these additional measures. Those benefits would have been minimal at best. Accordingly, the FTC was likely making consumers worse off by insisting that LabMD should have taken these measures. Here again, the 11th Circuit had no need to rule on this issue, as it had already overturned the FTC’s decision, but it remains critically important.
As many courts have recognized, when the lawfulness of an actor’s conduct hinges on the reasonableness of that conduct, the analysis of lawfulness must evaluate, at an absolute minimum, the costs and benefits of the conduct (see, for example, Int’l Union, United Auto., Aerospace & Agr. Implement Workers of Am. v. O.S.H.A., D.C. Cir. 1991: “‘Reasonableness’ has long been associated with the balancing of costs and benefits”).
As the Third Circuit held in Wyndham, in the cybersecurity context such a cost-benefit analysis would entail a consideration of “a number of relevant factors, including the probability and expected size of reasonably avoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” To conduct such an analysis in the cybersecurity context, regulators must ensure that the problems they are citing with a company’s cybersecurity program actually exist and that the risks to consumers have not been exaggerated. Both for the sake of corporate cybercrime victims and consumers, we are hopeful that future regulatory actions in this space will be based on a full and accurate weighing of the costs and benefits of agency action.
The above lessons learned from the LabMD litigation are only two among many others in this complicated case. But they are a starting place for cybersecurity regulators and the cybersecurity community at large as they continue to address the cybercrime threat faced by American businesses. We are optimistic that a silver lining to LabMD’s plight – including the enormous sacrifice LabMD and its CEO Mike Daugherty made to fight this case to the end – will be many productive discussions and, perhaps, effective solutions to the country’s cybersecurity crisis.