An appeals court decision could make it harder for the Federal Trade Commission to enforce online data security; that is certainly the conclusion of a prominent senator, though the ruling is narrowly tailored to a specific FTC enforcement tool.
A three-judge panel of the U.S. Court of Appeals for the Eleventh Circuit ruled that the FTC could not issue a cease and desist order directing a medical lab to take a variety of actions to protect sensitive medical information online.
It concluded that such orders must identify a specific harm the order is prohibiting, and the FTC failed to do so. "Rather, [the cease and desist order] commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness," the court panel concluded. "This command is unenforceable."
That is the case even if the lab's alleged negligence in "[failing] to implement and maintain a reasonable data-security program" does constitute an unfair or deceptive practice.
But Scott Delacourt, chair of the Wiley Rein FTC practice, still saw some issues for FTC data security enforcement.
“While the ruling is limited to a single cease and desist order, it raises serious questions about the FTC's authority to bring enforcement actions predicated on reasonable data security without providing a better sense of the particular security measures it has in mind.”
LabMD had argued that the order was unenforceable because it did not direct it to cease an unfair act or practice, which is what the FTC is empowered to enforce against.
The court agreed and vacated the FTC order. At issue was a lab employee's installation of the LimeWire peer-to-peer music and video-file sharing app on a company computer, exposing the personal information of almost 10,000 people to the five million or so users of the Gnutella network that allows those users to browse certain folders on connected computers.
The FTC had concluded the company did not take sufficient remedial actions after discovering the installation and had taken other actions that, in total, "failed to provide reasonable and appropriate security for personal information on its computer networks."
But where the FTC got it wrong, said the court, was in its own failure to allege specific acts or practices that LabMD engaged in.
Actually, the FTC's own administrative law judge, in initially ruling, had also concluded the FTC had failed to identify an unfair act or practice and dismissed the FTC complaint. The FTC appealed that to the full commission, which reversed the ALJ.
The court said the FTC was not justified in imposing "sweeping prophylactic measures to collectively reduce the possibility of employees installing unauthorized programs on their computers and thus exposing consumer information" without identifying an unfair act or practice.
"In effect, the decision held that LabMD’s failure to act in various ways to protect consumer data rendered its entire data-security operation an unfair act or practice," the court added.
While the decision was narrow, it troubled Sen. Richard Blumenthal (D-Conn.), the author of the Data Breach Accountability and Enforcement Act, which would give the FTC new power to enforce data security. Blumenthal suggested the decision should fire up Congress to pass his bill.
"Until this damaging ruling, the FTC could at least set expectations and require data security programs to prevent future breaches after finding a failure to adequately protect consumers’ data,” Blumenthal said in a statement. “In undermining the FTC’s ability to impose data security standards, the Court of Appeals has hamstrung our sole cop on the beat protecting consumer privacy.
"This decision increases the risk that Americans’ private data and financial information will continue to be exposed and exploited by criminals due to negligence," Blumenthal added. "I look forward to working with my colleagues in Congress to pass common sense legislation to provide the FTC with clear and effective authority to protect the confidentiality of Americans’ personal information.”
Could the decision weaken the FTC's online enforcement powers just as it is reclaiming broadband regulatory authority June 11, with the sunset of FCC network neutrality regs?
Public interest attorney Andrew J. Schwartzman doesn't think so.
"This decision is unlikely to have a significant impact on the FTC's network neutrality enforcement plans," Schwartzman told Multichannel News. "LabMD was charged with failing to protect its customers' data, allegedly in violation of HIPAA, the law which protects medical information, and the provisions of the FTC's statute relating to 'unfair' practices. The crux of the FTC's network-neutrality regime turns on whether ISPs comply with the privacy policies that they have themselves developed. The scope of 'unfairness' jurisdiction is very controversial, whereas the failure to comply with explicit promises falls clearly under the FTC's ability to sanction 'deceptive' practices."
But he said the decision deals a "serious blow" to the FTC's enforcement regime overall and he expects the FTC will appeal the decision to the full court and perhaps even the Supreme Court.