BreachExchange mailing list archives

Why the FTC Can Go After Companies For Insufficient Data Security Allegations


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Mar 2015 22:45:54 -0600

http://www.jdsupra.com/legalnews/why-the-ftc-can-go-after-companies-for-i-08693/

The FTC seems more confident than ever in its authority to go after
companies with insufficient data security measures. As of January 2015, it
had settled 53 data-security enforcement actions, and FTC Senior Attorney
Lesley Fair expects that number to increase.

Not everyone is sanguine about the FTC’s enforcement efforts. Companies
targeted for administrative action complain that the Commission is acting
beyond its delegated powers under the Federal Trade Commission Act (the
“FTCA”). So far, courts have declined to intervene in any administrative
action that is not yet resolved at the agency level.

One such case involves LabMD, Inc., an Atlanta-based cancer-screening
laboratory. At least nine years ago, someone downloaded onto the billing
department manager’s computer a peer-to-peer file-sharing application
called Limewire. Hundreds of files on the computer were designated for
sharing on the network, including an insurance aging report that contained
personal information for more than 9,000 LabMD customers. In 2008, a third
party notified LabMD that the aging report was available on Limewire. The
application was promptly removed from the billing department manager’s
computer, but the damage had already been done. In October 2012,
authorities discovered that data from the aging report and other LabMD
files were being used to commit identity theft against LabMD’s customers.

Ten months later, the FTC filed an administrative complaint against LabMD
alleging that it had failed to employ reasonable and appropriate data
security measures. The FTC further alleged that LabMD could have corrected
the problems at relatively low cost with readily available security
measures. By contrast, LabMD’s customers had no way of knowing about the
failures and could not reasonably avoid the potential harms, such as
identity theft, medical identity theft, and disclosure of sensitive,
private, medical information. On these facts, the FTC alleged that LabMD
had committed an unfair trade practice in violation of the FTCA.

LabMD tried to get the administrative action dismissed on several grounds,
including that the FTCA does not give the Commission express authority to
regulate data-security practices. The Commission denied LabMD’s motion,
explaining that Congress gave the FTC broad jurisdiction to regulate unfair
and deceptive practices that meet a three-factor test: section 5(n)
provides that, in enforcement actions or rulemaking proceedings, the
Commission has authority to determine that an act or practice is “unfair”
if (i) it causes or is likely to cause substantial injury to consumers
which is (ii) not reasonably avoidable by consumers themselves and (iii)
not outweighed by countervailing benefits to consumers or competition.
Commissioners noted that the FTCA, as passed in 1918, granted the FTC the
authority to regulate unfair methods of competition. When courts took a
narrow view of that authority, Congress responded by amending the FTCA to
clarify that the Commission has authority to regulate unfair acts or
practices that injure the public, regardless of whether they injure one’s
competitors. According to the Commission, the statutory delegation is
intentionally broad, giving the FTC discretionary authority to define
unfair practices on a flexible, incremental basis. For these and other
reasons, the administrative action against LabMD would proceed.

Having failed to get the case dismissed, LabMD sought relief from the
federal courts to no avail. On January 20, 2015, the U.S. Court of Appeals
for the Eleventh Circuit dismissed LabMD’s suit for lack of subject-matter
jurisdiction. The court explained that it lacked the power to decide
LabMD’s claims in the absence of final agency action. The FTC had filed a
complaint and had issued an order denying LabMD’s motion to dismiss. But
neither was a reviewable agency action because neither represented a
“consummation of the agency’s decision-making process.” Moreover, “no
direct and appreciable legal consequences” flowed from the actions and “no
rights or obligations had been determined” by them.

LabMD can challenge the FTC’s data-security jurisdiction only after the
Commission’s proceedings against it are final. That may well be too late.
As a result of the FTC’s enforcement action, the company was forced to wind
down its operations more than a year ago.

LabMD is one of very few companies to test the FTC’s data-security
jurisdiction. In 2007, a federal court in Wyoming sided with the FTC in
holding that the defendant’s unauthorized disclosure of customer phone
records was an unfair trade practice in violation of the FTCA. The Tenth
Circuit affirmed that decision on appeal.

More recently, a district court in New Jersey gave the FTC a preliminary
victory against Wyndham Worldwide Corporation. In that case, the court held
that the FTC’s unfairness jurisdiction extends to data-security practices
that meet the three-factor test under Section 5(n). That decision is
currently on appeal before the Third Circuit. During oral argument on March
3rd, the three-judge panel signaled little doubt that the FTC has authority
to regulate unreasonable cybersecurity practices. Instead, the panel was
concerned with how the Commission exercises that authority—specifically,
whether and how it has given notice as to what data security measures are
considered to be “unfair.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 