“New and improved”: Will the FTC’s latest round of data security orders remedy its authority challenge in LabMD?

January 16, 2020

The Federal Trade Commission (FTC) has become the de facto enforcer of data security issues in the United States’ sectoral, or industry-specific, privacy laws. In 2018, the regulatory entity’s authority was successfully challenged in this arena in LabMD, Inc. v. Federal Trade Commissiondue to unspecific nature of the FTC’s order being deemed too vague to be enforceable. In response, a new batch of FTC consent ordersseeks to remedy this defect, but will they hold up to further challenges?

Where Congress has decided to enact privacy laws around certain contexts only (e.g., children’s online privacy in the Children’s Online Privacy Protection Act, student records in the Family Educational Rights and Privacy Act), all other harms suffered by consumers from privacy and data security matters fall under the FTC’s general jurisdiction over unfair and deceptive trade practices, granted to the organization in section 5 of the Federal Trade Commission Act. The FTC investigates a business, and if it finds unfair and/or deceptive practices, it often enters into a consent order with the business. The order lays out certain requirements, the violation of which result in fines and further restrictions or obligations. However, the FTC’s rulemaking ability is severely limited; it’s unable to promulgate substantive rules in most situations, including data security. As far as that sphere is concerned, this leaves the agency in the crucial role of protecting consumers’ data and privacy rights without the ability to generally proscribe specific practices it deems unfair or deceptive.

In 2018, the FTC’s authority in the data security sphere was challenged by LabMD, who attacked their consent order as being vague and unspecific such that it was unenforceable. The Eleventh Circuit agreed. In the case, an employee of LabMD installed a peer-to-peer file sharing program on a company computer, compromising the personal information of customers.

The FTC alleged “a number of practices that, taken together, fail[] to provide reasonable and appropriate security for personal information on its computer networks.”The court saw this as the agency relying on the common law of negligence rather than “‘clear and well-established’ policies” the FTC could point to in assessing LabMD’s conduct.

The Eleventh Circuit stated“the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” The court goes on to envision a scenario in which LabMD corrects their program, only for the FTC to say over and over again that the new measure is not good enough, or that there’s some other issue that needs addressing in order for LabMD to reach the unspecified reasonableness standard. This, the court said, was not envisioned in any scheme of the FTC’s authority, for it would “put [the FTC] in the position of managing LabMD’s business in accordance with the Commission’s wishes.”

In response, the FTC has touted “new and improved” data security orders, admittedly in an effort to correct the defects as perceived in LabMD(“We were also mindful of the 11th Circuit’s 2018 LabMD decision . . . .”). The FTC hopes its new orders will be specific enough to be “clearer to companies” and “improve order enforceability.” Employing heightened specificity, requiring enhanced accountability of third parties, and requiring companies kick data security matters up the corporate governance ladder are the main reasons cited as aspirational cures to the FTC’s LabMDproblem.

To look at the final order imposed upon LabMDandone of the FTC’s recent ordersside-by-side is telling. The full text of one provision of LabMD’s order imposes “the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.” 

In contrast, the final order issued on January 6, 2020 to a company called InfoTrax reads: 

Design, implement, main, and document safeguards that control the internal and external risks to the security, confidentiality, or integrity of Personal Information . . . . Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. [InfoTrax]’s safeguards shall also include: . . .

What follows is a seven-item list of required safeguards including, among other provisions, deleting information “that is no longer necessary,” encrypting certain personal information, network segmentation, and “technical measures” to “detect unknown file uploads,” “limit locations to which thirds parties can upload files,” and to “detect anomalous activity” on InfoTrax’s network with specific examples of such activity.

At first glance, the recent order clearly seeks to distinguish itself and lay out the FTC’s data security expectations with specificity. Whether or not their orders continue to face challenges of unenforceability and whether or not those challenges will play out like LabMDremains to be seen.

Data security will continue to become a mainstream issue whether or not Congress will be able to pass a comprehensive federal data privacy law that perhaps enables the FTC to make data security rules applicable to all players. Until then, the FTC must continue to enforce data security under the current state of its authority. Whether or not the FTC can right the ship after the LabMDblow is therefore a crucial moment in the near future of arena of growing significance.

Taylor Townes

January 16, 2020