Judges Question FTC Data Security Standard at LabMD Argument

The Federal Trade Commission’s data security enforcement standard came under fire June 22 from a panel of federal appeals court judges (LabMD, Inc. v. FTC , 11th Cir., No. 16-16270, oral argument 6/21/17).

As predicted, the level of harm required for the FTC to act was “front and center” during the oral argument. Attorneys for the FTC and the now-defunct medical testing company LabMD Inc. squared off before the U.S. Court of Appeals for the Eleventh Circuit over what level of data breach injury is sufficient to allow the privacy regulator to take enforcement action.

Companies subject to the FTC’s data security enforcement authority, will be strongly affected by the court’s ruling on whether to uphold the FTC’s enforcement standard.

In the absence of direct data security statutory or regulatory authority, the commission has relied on FTC Act’s Section 5, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions. The FTC requires reasonable data security safeguards for sensitive information and takes action against companies it deems to have lax security that improperly exposed data causing a substantial risk to affected individuals. A wide variety of companies, from social media giant Twitter Inc. to identity theft services company Lifelock Inc., have faced FTC enforcement action over their alleged insufficient data security.

Douglas H. Meal, litigation partner at Ropes & Gray in Boston and counsel for LabMD, argued that the court shouldn’t accept the FTC’s “purely conceptual” argument that there is “substantial injury” sufficient to act against a company over alleged lax data security based only on “any unauthorized access to any personal medical information” rather than evidence of “tangible injury.”

The FTC’s “subjective harm” standard isn’t authorized by Congress or established in regulations, and it gives the FTC too much enforcement discretion, Meal said.

A commission attorney told the court that nothing in the FTC Act’s text or legislative history says that “intangible injuries are off limits.”

Read more of this Bloomberg BNA article by Jimmy H. Koo by clicking here.