Yesterday, the Eleventh Circuit Court of Appeals issued a long-awaited ruling in a case called LabMD v. FTC. Followers of the case will tell you that it has been, to put it mildly, an interesting saga, and it hits on the biggest data-related issues of the past fifteen years. The ruling has serious implications for how data security is regulated in the United States. There’s a lot to unpack but, I promise you: this case is very important, so stick with me.
LabMD was an Atlanta-based medical testing lab that, naturally, processed a high volume of personal health data. Back in 2005, in the days when file sharing was still in full swing, a LabMD employee installed file-sharing software called LimeWire so that he could download pirated music on his computer because, you know, sometimes you just have to listen to “Since You Been Gone” at work.
Inevitably, this same employee shared his “My Documents” folder, which happened to include a document listing names, dates of birth, social security numbers, laboratory test codes, health insurance company names, addresses, and policy numbers for 9,300 patients. (Again: Whoops!) A data security company called Tiversa downloaded the file from LimeWire and tried to sell its services to LabMD. When LabMD refused, Tiversa got a little upset and the file somehow ended up with the FTC, which promptly started an investigation.
Pretty bad, right? Except that was the non-dramatic portion of the story: the investigation and litigation have been contentious, to say the least. The FTC imposed a twenty-year reporting obligation (just like with Uber) and the kind of broad data security requirements that have become a frequent component of its consent orders. LabMD took exception to this, and sued for relief in the U.S. District Court for the Northern District of Georgia on the grounds that the FTC had no authority to punish a company for an employee’s conduct when that conduct was already prohibited. The litigation got pretty heated, with more than one wild accusation thrown around. The tactics both sides employed were so scorched-earth that District Judge Duffey had to remind everyone that this litigation was taking place in the South, where we use our manners.
The gravamen of the fight has been this: does the FTC have the power to punish a company that has been hacked if there is no specific statutory or regulatory definition of what kind of minimum standards of data security the company should have used? That argument may sound familiar, because it’s exactly the one Wyndham hotels advanced in its own lawsuit with the FTC. In that case, the Third Circuit Court of Appeals agreed with the FTC, giving the FTC its first robust judicial approval of its power to police data security. All the while, though, the LabMD case worked its way through the courts in the Eleventh Circuit, until yesterday.
After years of litigation, the Eleventh Circuit has sided with LabMD, albeit in a limited way. The court concluded that the FTC’s consent order was simply too vague to be enforced. In the court’s view, the FTC’s requirement that LabMD implement technical, administrative, and procedural safeguards for data would effectively require an ongoing review by the court of all of LabMD’s policies at endless injunction hearings, subject to the FTC’s changing opinion of what is an adequate security regime. As the court put it:
The practical effect of repeatedly modifying the injunction at show cause hearings is that the district court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes. It would be as if the Commission was LabMD’s chief executive officer and the court was its operating officer. It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law.
That’s a pretty big blow to the FTC, which has issued dozens of nearly identical consent decrees over the past two decades. And while LabMD does not directly conflict with Wyndham Hotels, the differences are just enough to create uncertainty about FTC consent orders for both the Commission itself and the entities it regulates.
Consider the following scenario: two travel agencies alike in dignity, one in Atlanta and one in Philadelphia. Both failed to secure their data with adequate passwords and restricted access, both lost 1,000 customer credit card numbers and driver’s license numbers, both are investigated by the FTC, and both receive consent orders from the Commission. Everything is the same, except that in Atlanta, the order will have to be far more specific, and likely a great deal more limited in its scope, while in Philadelphia, the FTC could impose the kind of sweeping requirements it has in the past.
What happens when there are disparate results like this? There are a few possibilities. The first, but least likely, is that the Supreme Court intervenes to resolve the apparent divergence in the law. But SCOTUS doesn’t like to get involved unless it absolutely has to, and this doesn’t rise to that level. The second outcome is that the FTC modifies its approach to consent orders to be in line with LabMD, and steps back from its current method of policing data security. That may happen, but it strikes me that, given the Commission’s extensive efforts to expand its cybersecurity authority, there’s little chance of a retreat now.
A third outcome is that the FTC will come back at LabMD with a more tailored consent order, but continue everything else as usual. It will look on the LabMD ruling as a “blip,” tied to the (very) unique facts and circumstances of the case, and will consider its data security remit unchanged. This outcome seems likely, because a central component of the FTC’s approach to cybersecurity is flexibility. By imposing long-term monitoring requirements not tied to any set standards (e.g., “Thou shalt keep up with minimum safeguards for data”), the Commission ensures that there is not the very kind of “come back and check with us” that the Eleventh Circuit identified as a flaw in the LabMD consent order.
In other words, the LabMD ruling is based upon a disagreement with the very nature of the FTC’s enforcement methods, because it requires a measurable standard set in stone. The Eleventh Circuit wants there to be a metric — like the GDPR — by which it can measure the enforceability of FTC orders. There is a double irony to that reasoning. First, it is precisely because the U.S. lacks a nationwide standard for data security that the Commission uses a “minimum standards” test. And second, the GDPR itself is predicated on the notion of flexibility, so that the baseline for measuring data security compliance evolves.
So if nothing is going to change, why is LabMD so important? Because it sets up a second, critical test for the FTC’s authority. The first was in Wyndham Hotels, when Wyndham expressly questioned the FTC’s ability to file claims against businesses that were themselves the victims of a breach. The Commission met, and passed, that challenge. This second hurdle is determining what happens after a court pushes back on the FTC’s enforcement power. If the Commission does follow the third approach outlined above, and there is no substantial pushback from the courts, then the question “when it comes to data security, who decides?” has been answered. That answer is enough to make LabMD, even now that the case has ended, a story to watch.