Last week, the Administrative Law Judge (“ALJ”) handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?
The FTC initiated the LabMD action by filing an administrative complaint against the company in August 2013, alleging that LabMD engaged in unfair trade practices in violation of Section 5 of the Federal Trade Commission Act by failing to utilize reasonable and appropriate data security measures. LabMD sought the deposition of a designee of the FTC Bureau of Consumer Protection on several topics, including “[a]ll data-security standards that have been used by the Bureau” to enforce Section 5. When the Bureau sought to prevent that deposition, the ALJ ruled that the deposition could take place, subject to the important limitation that LabMD could not inquire into the “legal standards” the FTC used or uses to judge whether a party’s data security practices comport with Section 5, or into the legal opinions or decision-making processes of the FTC regarding its enforcement standards. During the deposition of Daniel Kaufman, Deputy Director of the Bureau of Consumer Protection, agency attorneys cited this limitation in objecting to LabMD’s questions about the FTC’s data security standards. LabMD responded by filing a motion to compel the testimony of Mr. Kaufman, and the FTC filed a motion in limine to strike Mr. Kaufman as a trial witness.
The ALJ granted LabMD’s motion to compel, holding that discovery about what data security standards the FTC or the Bureau of Consumer Protection published and what data security standards the agency intended to rely on at trial to challenge LabMD’s practices was permissible. The ALJ also denied the FTC’s motion in limine. LabMD stated that it intended to question Mr. Kaufman about published or unpublished FTC data security standards as well as any guidelines that the FTC required entities like LabMD to adhere to. The ALJ determined that Mr. Kaufman possessed information relevant to the trial and that not all of his anticipated testimony would be clearly inadmissible.
The distinction the ALJ drew in these orders between the Bureau’s “legal standards” (off limits for questioning) and its “data security standards” (permissible for questioning) enables LabMD to probe into the central question of what data security practices are reasonable or unreasonable under Section 5. Having prevailed in much of the initial legal sparring over its authority to bring an enforcement action at all, the FTC will now have to divulge more about the standards to which it intends to hold LabMD at trial and its notice to companies about those standards. The FTC’s responses to this questioning, to the extent they are revealed publicly, will be closely scrutinized, both by the participants in the ongoing Wyndham data security action proceeding in federal district court, and by all companies concerned with developing data security practices that can satisfy federal scrutiny.