Featured Expert Column: Antitrust & Competition Policy — Federal Trade Commission
By M. Sean Royall and Richard H. Cunningham, Partners with Gibson, Dunn & Crutcher LLP, and Bennett Rawicki, Associate Attorney, all in the firm’s Dallas, TX office.
The U.S. Court of Appeals for the Eleventh Circuit’s recent LabMD, Inc. v. FTC decision imposes significant limits on the Federal Trade Commission’s freedom to prosecute and settle cases the agency pursues pursuant to the “unfair acts or practices” prong of Section 5 of the FTC Act.
Overview of the FTC’s Case Against LabMD
In 2013, the FTC brought an administrative enforcement action against LabMD alleging a Section 5 violation based on purported unfair data security practices. Among other alleged deficiencies, LabMD failed to identify that a file-sharing program an employee installed on a company computer had for years been exposing confidential patient information to the public.
The FTC’s administrative law judge dismissed the case for failure to prove substantial injury. The full Commission reversed, concluding that “LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violates Section 5,” and ordering LabMD to “maintain[] a comprehensive information security program that is reasonably designed to protect the security [of consumer information].” LabMD, which ceased operations during the pendency of the FTC’s investigation, appealed to the Eleventh Circuit, which issued a recent decision reversing the FTC.
First, the court addressed whether LabMD’s data security practices were unfair. Section 5 prohibits the FTC from declaring an act or practice unfair “unless [the conduct] causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). The court explained further that “an ‘unfair’ act or practice is one which meets the consumer-injury factors listed above and is grounded in well-established legal policy.” LabMD at 13 (emphasis added).
The court elaborated that “[t]he Commission must find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes, or the common law.” Id. at 16. The FTC had not identified the well-established standard it had used to find LabMD’s security unfair, but the court found it “apparent . . . that the source is the common law of negligence.” Id. at 16-17. After explaining the legal standard, the court assumed, without deciding, that LabMD had acted negligently and caused substantial injury that was not reasonably avoidable by consumers or outweighed by countervailing benefits. Id. at 17-18.
Second, the Eleventh Circuit evaluated the FTC’s order requiring LabMD to maintain a reasonably designed security program. The court reasoned that the order was unenforceable because enforcing an order requires clear and convincing evidence that the defendant violated the order, and the “reasonableness” standard used in the FTC’s order was too vague for the FTC ever to be able to prove that a practice was unreasonable by clear and convincing evidence. Id. at 28-29.
Summarizing the problem with the FTC’s order, the court explained that it “contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” Id. at 27.
Potential Implications of the LabMD Decision
The FTC has not yet indicated whether it will change its practices or seek further review of the Eleventh Circuit panel’s opinion. Assuming the opinion stands, the court’s reasoning has the potential to significantly affect the FTC’s long-standing approach to Section 5 unfairness cases in general and cybersecurity cases in particular.
Effect on Unfair Practice Cases Generally
The FTC has long taken the position that all that is required to prove “unfair acts or practices” is that the challenged conduct satisfies Section 5(n) of the FTC Act, which extends to conduct that causes substantial injury which was not reasonably avoidable by consumers or outweighed by countervailing benefits. At least one lower court (the U.S. District Court in the Western District of Washington in the FTC’s action against Amazon involving alleged unauthorized in-app purchases by children) has agreed with this interpretation of the law.
LabMD expressly rejects the FTC’s position, explaining that “[t]he act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.” LabMD at 13, n.24. LabMD’s interpretation of Section 5 provides added clarity to an issue few other courts have addressed. The Third Circuit in FTC v. Wyndham touched on this issue by commenting, “Arguably, § [5(n)] may not identify all of the requirements for an unfairness claim” because “[w]hile the provision forbids the FTC from declaring an act unfair ‘unless’ the act satisfies the three specified requirements, it does not answer whether these are the only requirements for a finding of unfairness.” 799 F.3d 236, 244 (3d Cir. 2015).
Limiting the definition of unfairness to a practice that is contrary to a “well-established legal standard” could complicate the Commission’s ability to bring unfairness claims in the future. The FTC would need to specify the legal standard under which it claims a particular practice is unfair, which could create additional avenues to defend against FTC claims and potentially implicate legal precedents and standards from other bodies of law, such as common-law negligence standards.
Effect on Cybersecurity Cases
The Eleventh Circuit found it “apparent” that the “well-established legal standard” applicable to cybersecurity was common-law negligence. LabMD at 17. Although this standard is quite similar to the “reasonableness” standard already ostensibly applied by the FTC in cybersecurity cases, an explicit requirement that the Commission allege and show negligence will permit companies and courts to draw upon the well-developed common law pertaining to negligence claims and defenses when assessing or challenging the FTC’s claims of unfair cybersecurity practices. One relevant negligence principle is proximate causation, which requires proof that a company’s conduct was unreasonable in light of a foreseeable threat and that specific conduct was causally linked to the alleged consumer harm.
In addition, the Eleventh Circuit’s determination that the FTC’s order is unenforceable could call into question the enforceability of other FTC cybersecurity consent orders. Ever since its first cybersecurity settlements in the early 2000s, the FTC’s orders in this area have used essentially the same, unspecific language that LabMD found unenforceable: “[M]aintain a comprehensive information security program . . . that is reasonably designed to protect the security [of consumer information].” All of these orders were set to extend 20 years and thus are still in effect today.
According to the Eleventh Circuit, an order that merely requires a company to maintain “reasonable” security is not specific enough to be enforceable. Providing additional specificity may be a significant challenge for the FTC. The FTC’s guidance on cybersecurity practices typically recommends that companies “consider” certain security measures rather than identifying particular measures that companies should or must implement. The FTC has suggested in the past that it is disinclined to be more prescriptive in identifying the specific security measures that companies must use or adopt because “there is no one-size-fits-all data security program” and “reasonable and appropriate security is a continuous process of assessing and addressing risks.” However, this approach may no longer be viable in light of LabMD.