The FTC – in a decision that should surprise no one – refused to dismiss its administrative complaint (“Complaint”) against LabMD. This case – like the FTC’s case against Wyndham Worldwide – illustrates the continuing fight regarding the scope of the FTC’s power for regulate inadequate data security practices. In particular, this decision is important because it further explains the FTC’s rationale for regulating allegedly inadequate data security practices pursuant to its “unfair” acts or practices authority in Section 5 of the FTC Act. The decision also sets forth the FTC’s view as to why its Section 5 authority permits it to regulate and enforce data security when other statutes – such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) administrative simplification provisions addressing the privacy and security of health information – already regulate data security in a particular area. Because the FTC increasingly uses this Section 5 authority to regulate what it views as inadequate data security practices, businesses of any size which deal with data security – essentially all businesses to some degree – should closely review this decision. The bottom line: Unless the courts or Congress limit the FTC’s power in this context, the FTC is likely to expand the exercise of its Section 5 “unfair” acts or practices authority to regulate allegedly “unfair” data security practices by means of case-by-case enforcement actions – without issuing regulations or guidance to inform businesses and industries of the data security standards they must meet to comply with the FTC Act.
Some companies may find the FTC’s approach itself an “unfair” act or practice. Indeed, shortly after the FTC issued its opinion, LabMD’s President and CEO issued a press release posted on his website stating that LabMD was winding down its operations “largely due” to what he called the “FTC’s abuse of power.”
The FTC sued LabMD, a company that performs medical laboratory tests, for allegedly engaging in “practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks[.]” The FTC further claimed that this alleged lack of security harmed consumers, “including exposure to identity theft and disclosure of sensitive, private medical information[.]” This conduct, the FTC claimed, constituted “unfair . . . acts or practices” and violated Section 5(a)(1) of the FTC Act, 15 U.S.C. § 45(a)(1).
The Motion to Dismiss
LabMD moved to dismiss the Complaint on several grounds, including:
- the FTC does not have authority to adjudicate whether data security practices are “unfair”;
- the FTC does not have authority to regulate or enforce data security practices where Congress adopted another statute specifically granting another agency regulatory and enforcement authority in the area; and
- the FTC does not have authority to enforce the FTC Act through adjudicatory actions because it has not issued relevant regulations.
As expected, the FTC rejected these arguments and refused to dismiss the Complaint.
LabMD first argued that the FTC does not have authority under Section 5 to address data security practices because Section 5 does not specifically address data security. The FTC rejected this argument, explaining that Congress delegated the FTC “broad authority” to decide what constitutes an unfair practice. Although Congress later further defined this authority, in the FTC’s view, Congress’s definition simply adopted the FTC’s longstanding definition of what constituted an unfair practice. Specifically, to constitute an unfair practice three criteria must be met: the act (of omission or commission) or practice “(1) causes or is likely to cause substantial injury to consumers which is (2) not reasonably avoidable by consumers themselves and (3) not outweighed by countervailing benefits to consumers or competition.” By codifying this definition, the FTC concluded, Congress “confirmed its intent to allow the [FTC] to continue to ascertain, on a case-by-case basis, which specific practices should be condemned as ‘unfair.’” Thus, the FTC concluded that inadequate data security can constitute an unfair practice.
LabMD next argued that the FTC had changed positions over time about whether it had “‘unfairness’ authority to regulate patient-information (or any other) data-security practices[.]” Again, the FTC rejected this argument, noting that it has “repeatedly and consistently affirmed its authority to challenge unreasonable data security measures as ‘unfair . . . acts or practices’ in violation of Section 5.” Although until 2005 the FTC’s enforcement actions in this area generally focused on “‘deceptive data security practices[,]” the FTC explained that this did not mean the FTC lacked jurisdiction over “unfair” data security practices before that time. Moreover, the fact that the FTC has supported additional data security legislation that would expand the FTC’s enforcement authority does not undermine its existing authority, including its general Section 5 “unfair” authority.
HIPAA and Other Later Enacted Specific Data Security Statutes
LabMD also argued that Congress’s passage of specific, later legislation covering data security – such as HIPAA – “expressly or by implication” limited the FTC’s authority to regulate “unfair” data security practices. The FTC noted that none of these statutes “expressly withdraws any authority” from the FTC, meaning these statutes do not repeal the FTC’s existing authority. Where a later statute covers the same subject matter as a prior statute the intent to repeal the prior statute must be “clear and manifest[.]” HIPAA and the other statutes, however, do not show that Congress had a “clear and manifest” intent to limit the FTC’s authority to regulate “unfair” data security practices. As support for this proposition, the FTC noted that: (i) HIPAA’s data security requirements are “largely consistent” with the FTC’s data security enforcement actions under the FTC Act and (ii) the FTC and the Department of Health and Human Services “coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act.” That HIPAA has a “comprehensive framework governing ‘patient-information data-security practices” does not change this analysis. HIPAA, the FTC noted, “evinces no congressional intent to preserve anyone’s ability to engage in inadequate data security practices that unreasonably injure consumers in violation of the FTC Act, and enforcement of the Act thus fully comports with congressional intent under HIPAA.” Although the FTC acknowledged that it has no authority to enforce HIPAA, it found nothing in HIPAA that would prevent it from exercising its authority under the FTC Act. Moreover, because there is no conflict between HIPAA and enforcement actions under Section 5, companies can legally be required to comply with both.
Lack of Regulations
The FTC next rejected LabMD’s argument that it could not adjudicate claims against LabMD because it had never issued regulations about data security standards. The FTC found that not only could it enforce Section 5 without issuing regulations, it was bound to enforce Section 5, which Congress had directed it to implement, “regardless [of] whether [it had] issued regulations addressing the specific conduct at issue.” Without acknowledging that specific data security requirements have been established under other federal statutory and/or regulatory regimes, the FTC noted that due to evolving threats “no one static standard can assure appropriate security.” Thus, the FTC reasoned, data security practices “are particularly well-suited to case-by-case development in administrative adjudications or enforcement proceedings, given the difficulty of drafting generally applicable regulations that fully anticipate the concerns that arise over emerging business arrangements in this rapidly changing area.”
The FTC further found that its decision not to issue regulations did not violate LabMD’s right to due process, noting that many “courts have rejected such due process challenges to agency adjudications[.]” The FTC found that Section 5’s statutory test for defining unfair practices provided the necessary guidance regarding what constitutes an unfair practice. Moreover, that businesses may have to review FTC enforcement actions to round out this standard is of no moment. This is exactly what must be done in other contexts, such as in the case of tort law, and it is particularly true because, in this case, LabMD is not subject to “damages, let alone retrospective penalties.”
Significance for Business
As noted above, the FTC’s decision in the LabMD case is significant in a number of ways:
- The FTC explains its rationale for enforcing data security practices under its Section 5 “unfair” acts or practices authority.
- For HIPAA covered entities and other industries that are already subject to federal industry-specific data security requirements, the decision demonstrates – against a challenge from the target of an FTC enforcement action – that such businesses and industries may be subject to regulatory/enforcement actions based on two different – and potentially inconsistent – regulatory or enforcement regimes.
- The FTC establishes its view that it can take enforcement action for allegedly inadequate data security practices without issuing prospective guidance to businesses to help them understand the scope of their data security obligations under the FTC Act.
Written by Paula Stannard, Counsel, Health Care, Zach Neal, Senior Associate, Litigation & Trial Practice and Claire Readhead, Associate, Privacy & Data Security | Alston & Bird LLP