The on-going fight to hammer out the extent of the Federal Trade Commission’s authority to bring regulatory enforcement actions in data breach cases took another blow last week in LabMD v. FTC. In that case, the U.S. Court of Appeals for the Eleventh Circuit sided with the FTC holding companies that find themselves subject to regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final. Practically speaking, the Eleventh Circuit’s decision means that companies already beleaguered from investigating and remediating data breaches will be further embroiled with the FTC for the duration of an enforcement action, with no relief from a court until the FTC issues a final agency action.
LabMD provides cancer testing services for doctors. Several years ago, FTC discovered that LabMD files could be inappropriately accessed on a peer-to-peer review network. LabMD has corrected this security issue. FTC investigated LabMD for three years. LabMD filed suit against the FTC seeking an injunction to stay the FTC action from continuing against it. LabMD took the position, among other things, that FTC lacks the authority to regulate healthcare data breaches—an ultra vires argument that has been made, albeit slightly differently by different companies in different contexts. Although LabMD raised numerous legal arguments about FTC’s authority to regulate cybersecurity, the Eleventh Circuit did not reach them on the merits. Instead the Court determined that LabMD’s entanglement with the FTC was not sufficiently final for the Court to rule leaving LabMD to tangle with FTC for a while longer.
According to the Administrative Procedures Act, (“APA”) which governs judicial review of agency actions, only a “final agency action for which there is no other adequate remedy in a court [is] subject to judicial review.” 5 U.S.C. § 704. LabMD argued that FTC’s Order and Complaint were sufficiently “final” and thus ripe for review. The Eleventh Circuit Court of Appeals disagreed. It stated that no “direct and appreciable legal consequences” flowed from the on-going FTC action, and “no rights or obligations had been determined. Thus, the APA barred review of the FTC’s authority to investigate LabMD until agency took a more final action.
LabMD also argued that FTC’s actions in its case were unconstitutional and ultra vires, and that failures of jurisdictional authority made the decision ripe for review. The Court disagreed holding that such matters would better be considered on a more thorough and complete administrative record. The Eleventh Circuit stated that a constitutional challenge is intertwined with a review of the procedures and merits in the context of the agency’s final order. Thus, it would not review such questions in the absence of a final agency record.
LabMD illustrates the practical problem of the decisions regarding the FTC’s authority in the cyber security space. If the FTC has a statutory (and constitutional) authority to regulate in this arena under Section 5 of the Federal Trade Commission Act, then its investigation and enforcement of companies that commit “unfair” or “deceptive” cyber security practices is lawful. However, if FTC does not have such authority, it does not have it—not now, not ever, as a matter of law. Waiting until it has spent more than four years investigating and sanctioning a company in order to create a final agency action on which to base such a decision seems inefficient and costly for businesses that are left guessing what the law is.
The practical implications of LabMD are similar to those gleaned from other recent FTC jurisdiction cases in other circuits. At this juncture, companies must operate with the assumption that the FTC has the authority to: (1) investigate data breaches; (2) bring enforcement actions for cyber security and privacy practices it believes are unfair or deceptive; (3) enter into consent decrees for penalties, on-going supervision and policy revision and training.