On November 10, the US Court of Appeals for the Eleventh Circuit granted LabMD’s motion to stay enforcement, pending appeal, of a Federal Trade Commission (FTC) order against the company for its allegedly deficient data security practices. In doing so, the Eleventh Circuit called into question the FTC’s interpretation of its “unfairness” authority under Section 5 of the FTC Act, where a security breach has caused only intangible harm and has resulted in a low likelihood of actual consumer injury.
The case originates from an administrative complaint filed against LabMD in 2013 for allegedly unreasonable data security practices that allowed a patient file containing sensitive personal information to spread through a peer-to-peer file sharing program. An Administrative Law Judge (ALJ) dismissed the complaint in November 2015 after finding that there was no proof that anyone other than a single data security firm had downloaded the file and that LabMD’s actions neither caused nor were likely to cause substantial consumer injury. The Commission reversed the ALJ’s decision in July 2016, however, holding that the ALJ applied the wrong standard in deciding whether LabMD’s practices were unreasonable and therefore in violation of Section 5 of the FTC Act. The FTC issued a final order requiring that LabMD notify affected individuals, establish a comprehensive information security program, and obtain independent assessments of its implementation of that program.
LabMD filed a motion to stay enforcement of the FTC’s order pending appeal on the merits, arguing that the FTC did not properly assess whether the alleged security breach caused or was likely to cause substantial injury to consumers. Under 15 U.S.C. § 45(n), a practice is “unfair” only if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Interpretation of “Causes or is Likely to Cause Substantial Consumer Injury” under the FTC Act
In deciding whether to grant the stay, the Eleventh Circuit noted that “[t]his case turns on whether the FTC’s interpretation of § 45(n) is reasonable” and identified two compelling reasons why the FTC’s interpretation may not be reasonable. LabMD, Inc. v. FTC, No. 16-16270-D (11th Cir. Filed Nov. 10, 2016). First, the court noted that “it is not clear that a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case.” Id. at 8. The Eleventh Circuit cited a Senate Report indicating that “[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair,” as well as the FTC’s 1980 Policy Statement on Unfairness, which states that the FTC is not concerned with “merely speculative harms.” Id. Second, the court found that the FTC’s interpretation of “likely to cause,” as the term is used in § 45(n), was unreasonable. Id. at 8-10. The court held that it was not reasonable for the FTC to equate “likely to cause” with “significant risk,” stating that “we do not read the word ‘likely’ to include something that has a low likelihood.” Id.
The Eleventh Circuit concluded that “the statutory interpretation questions . . . are sufficient for LabMD to make a substantial case on the merits and present a serious legal question.” Id. at 10. In addition, the court found that the remaining stay factors favored LabMD, in large part because the company is now defunct and no longer an operating business. Id. at 10-13.
This decision casts significant doubt over the FTC’s authority to regulate companies’ data security practices in cases where a security breach has caused only intangible harm and presents a low likelihood of actual consumer injury. Although the case still must be decided on the merits, the Eleventh Circuit’s decision—in combination with a new, incoming administration and future decisions of other circuit courts—may affect the FTC’s enforcement strategy when bringing data security enforcement actions, especially where consumer harm is only speculative.