Companies have a responsibility to protect the sensitive employee and consumer data they hold, but we do not know how much of their revenues must be spent on this effort before it is considered enough. We do not know what protections meet the legal requirements to secure the personal data of others. A new case may change the way these matters are considered, applied and litigated for data security breaches
On June 6, the Eleventh Circuit Court of Appeals ruled that the FTC could not enforce its injunction ordering LabMD to “complete[ly] overhaul” LabMD’s data security program.1 The Eleventh Circuit made the ruling on technical grounds, but this decision could have far-reaching substantive implications in the field of data security.2 It may be read as the first US case to insist that reasonable standards be prescribed by regulators who attempt to remedy inadequate personal data protection by companies.
The Court did NOT rule on whether the FTC can force companies to improve data security as part of its UDAP enforcement power. The Third Circuit in the 2015 Wyndham case confirmed the FTC’s authority to regulate failures in data security as a UDAP violation, and that opinion was not questioned by the LabMD Court. To date, when the FTC ruled that a company’s security lapse rose to the level of a UDAP violation, the FTC has been able to resolve the matter with vague orders to make things better. But this may not be possible after the LabMD case.
The LabMD Court struck down the FTC’s current practice in these cases, but did not propose or prescribe a clear alternative. In essence, the LabMD Court ruled where FTC finds that failure to plan adequate data security becomes unfair or deceptive to consumers, the FTC can’t enforce its decision by ordering broad, non-specific changes affecting security across the entire defendant’s business. Without using the term, the Eleventh Circuit decided that there must be standards for a business to follow, and those standards are best set forth by either the FTC or by Congress itself.
So where does this leave the FTC, whose previous chair, Maureen Ohlhausen, avowed to change the agency’s past practices and to only address tangible harms, to exercise regulatory humility, and to foster business innovation? Whoever is serving as Commissioners, the current administration has been clear that its priorities are for an FTC that is less aggressive in its filings against private companies. It is likely that in the next three years the FTC will only take up cases against companies experiencing major security breaches where it can be established that actual harm from security failures befell affected consumers. Even then, we may not see FTC action against companies where otherwise we would have expected it.
The LabMD case plays into this directional lean by the agency. Thus far, no court or agency has been eager to propose that a broadly defined set of data security standards was required of US businesses, and highly specific sets of standards tend to fall flat, because 1) the risks and technologies are ever-changing, and 2) each defendant company’s data and resources will vary widely. Courts have not yet been forced to rule on what adequate security standards look like for any specific business.
This has had the effect of imposing nearly strict liability on any company that suffers an attack from outside forces – if no standards are set forth, then regulators can simply assume that a data breach proves that security was unlawfully inadequate. But this is the same as suggesting that the simple fact that a shopper falls in a grocery store means that the store was clearly negligent in maintaining its floors. This has never been the way US tort litigation has worked. This de facto strict liability has only been apparently applied for data breaches because none of the damage claims in these cases have been fully litigated. Each major data breach UDAP case has been settled, thrown out for lack of damages, or upheld an administrative finding with no specific standards defined and applied.
The LabMD Court has blasted this status quo, demanding that where regulators meddle in a company’s data security policy decisions, they do so with some specific standards laid out for the world to see. This will make FTC enforcements in this space even more rare and difficult. So we are likely to see movement in data security UDAP violations in the near future to arise at a state -by -state process, and likely to see more emphasis on what a company should be doing right, and not simply what it was doing wrong.
1 LabMD, Inc. v. FTC, No. 16-16270 (11th Cir., June 6, 2018) here.
2 The ruling could also have far-reaching implications in the more generalized field of U.S. federal administrative cease and desist orders in Unfair or Deceptive Acts and Practices (UDAP) cases, as this may have been the first case to call the structure and enforcement mechanisms of a UDAP claim into question as unsupported by Congressional action. However, general UDAP claims are not the focus of this discussion.