In another twist in the LabMD case, LabMD has succeeded in obtaining a delay on the FTC’s enforcement action during its appeal. Of course, the substantive issues remain to be determined.
In 2013, the Federal Trade Commission (FTC) issued an administrative complaint against LabMD for alleged “unfair” data security practices culminating in an Opinion and Final Order (Order) against the company for violating Section 5 of the Federal Trade Commission Act (Section 5). After exhausting administrative law procedures, LabMD filed an appeal with the U.S. Court of Appeals for the Eleventh Circuit to prevent the FTC from enforcing the Order until the court reviewed several unresolved legal questions, including whether or not the FTC can enforce data security standards in the absence of identifiable harm.
The Court’s Analysis
In determining whether or not to grant the Stay, the court weighed the following four considerations:
- Did LabMD make a strong showing it would succeed on the merits;
- Would LabMD be irreparably injured without the stay;
- Does issuing the stay substantially injure a third party; and
- What is in the public’s best interest?
Success on the Merits
To succeed on the merits, LabMD must show that the FTC misinterpreted Section 5 as it was applied in the Order. Section 5 grants the FTC authority over “unfair or deceptive acts.” (15 U.S. C § 45 (a)). “Unfair” is defined as something that has caused “or is likely to cause substantial injury to consumers.” (15 U.S.C. § 45 (n)). Federal agencies are charged with reasonably interpreting their own statutes. In its discussion, the court said that LabMD presented “a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.” In other words, there is enough ambiguity in the FTC’s analysis that the Order should not be enforced, yet. The court says, “[i]t is not clear that the FTC reasonably interpreted ‘likely to cause’ …we do not read the word ‘likely’ to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.”(emphasis added).
Irreparable Harm
The second point of analysis examines to what extent LabMD would be harmed if the Order is enforced. Here the court highlights the fact that LabMD (which was founded in 1996) is no longer in operation, with no employees, no revenue, and is relying on pro bono legal representation. Simply put, the court determined that LabMD is not well positioned to assume the costs required to comply with the Order.
Third Party Injury & Public’s Interest
The third and fourth points consider if third parties would be harmed by delaying the Order. Here the court notes that the “FTC’s ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm.” The court continues, “there is no evidence that any consumer ever suffered any tangible harm…we find it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious purposes before this appeal terminates”. This analysis led the court to determine there is no risk of immediate harm to consumers or the public if the Order is delayed.
What’s Next for the FTC and LabMD?
This Stay comes after a handful of attempts to clarify the FTC’s policies and procedures in this case, including a letter from Sen. Jeff Flake and Sen. Mike Lee sent to Chairwoman Ramirez challenging the FTC’s analysis. In particular, the letter addresses whether the “FTC’s cybersecurity regime complies with the protections of due process under the constitution.” The letter directly addresses the FTC’s analysis that LabMD’s vagueness challenge was inapplicable because there are no fundamental rights implicated in the case. The letter asks “[a]re laws unconstitutionally vague only if they implicate fundamental rights?”
This case then begs the question: has data security regulation hit the proverbial ‘tipping point’? Is momentum slowly crawling away from big agency regulation and inching towards streamlined industry standards? Maybe. The Stay is certainly a win for LabMD, but it does not mean it is a loss for the FTC. The case is far from over. There are several substantive claims that must be addressed on appeal.