Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s data security enforcement practices. Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities. To the extent Congress questioned the FTC’s enforcement decisions in this pre-Wyndham and LabMD era, those inquiries typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets. Wyndham and LabMD fundamentally shifted this debate.
In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of […]
On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who sued for a technical violation of the Fair Credit Reporting Act could maintain Article III standing for a class action without claiming any real-world injury. The case before the Court involved a putative class action brought against petitioner Spokeo, Inc., a company that generates profiles about people based on information obtained through computerized searches. Respondent Thomas Robins was one of the people with a profile on Spokeo’s website. According to Robins, the information on that profile was inaccurate. Robins filed a class-action complaint against Spokeo in federal court, alleging violations of the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy of” consumer reports. The Ninth Circuit held that by alleging the violation of a statutory right, Robins had satisfied the injury-in-fact requirement of Article III standing.
On November 13, 2015, the Federal Trade Commission’s Chief Administrative Law Judge dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test: that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers, as required by Section 5(n) of the FTC Act. The case is notable for being the first data security case tried before an ALJ and one of only two instances where a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that the company engaged in unfair practices because of inadequate data security. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court for lack of jurisdiction. Wyndham lost in the district court, and on interlocutory appeal the federal court of appeals upheld that ruling but remanded the case to the district court for a trial on the merits, which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in Section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of an unfairness inquiry.
Last week, the Administrative Law Judge handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?