Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.
For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013. Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patient data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.
At the 20-minute argument, an audio recording of which is available on the Eleventh Circuit’s website, Doug Meal of Ropes & Gray LLP appeared for LabMD and Michael Hoffman appeared for the FTC. The three-judge panel consisted of U.S. Circuit Judge Gerald Bard Tjoflat, U.S. Circuit Judge Charles R. Wilson, and U.S. District Judge Eduardo C. Robreno. With that, we present the following summary. (Note that it is difficult to discern which judge is speaking on the recording and a transcript is not yet available, so we use the generic term “Court” when referring to the judges’ questions.)
* * *
Mr. Meal began by outlining three major questions before the Court, all of which he stressed should be answered in the negative: (1) does any unauthorized access giving rise to any potential privacy harm constitute “substantial injury” under Section 5(n); (2) does the concept of “likely injury” under Section 5(n) include a low-likelihood harm; and (3) if the Court concludes that FTC is entitled to deference in making these determinations, did LabMD have sufficient notice that it could run afoul of the FTC’s rules?
The Court immediately expressed concern that it was limited in this case to reviewing whether the record contained “substantial evidence” underlying FTC’s prior determination, but Mr. Meal disagreed, suggesting that because FTC misinterpreted the plain meaning of Section 5(n) in the first instance, the Court could engage in a more sweeping review of the Commission’s determinations.
Mr. Meal went on to argue that the legislative history of Section 5(n), which codified the status quo of a 1980 FTC policy statement, made clear that FTC could not interpret “substantial injury” to encompass anything more than “tangible harms,” as opposed to the hypothetical harms to data breach victims it sought to enforce in this case, and that the injury inquiry giving FTC enforcement authority under Section 5(n) was narrower than the injury required to confer Article III standing on a data breach victim suing in his or her own right (as opposed to the FTC).
Mr. Meal distinguished earlier precedent holding that the FTC had broad enforcement authority over corporate cybersecurity practices—including the Third Circuit’s 2015 ruling in FTC v. Wyndham Worldwide Corporation—arguing that in this case, unlike Wyndham, LabMD had no “ascertainable certainty” that the conduct the FTC sought to enjoin was improper at the time it engaged in that conduct, and that the cease and desist order LabMD was faced with was tantamount to an enforcement order because of its broad impact on LabMD’s ability to continue operations.
Finally, Mr. Meal addressed the Court’s concerns that this case was moot since LabMD was no longer operational. While he acknowledged that LabMD was unlikely to resume operations regardless of the outcome of this case, and that in many respects pursuing this litigation was a matter of principle, Mr. Meal noted that LabMD was technically still a going concern, and that it still had a duty under Federal and Georgia law to maintain patient records.
Turning to the FTC’s argument, Mr. Hoffman immediately took issue with LabMD’s characterization of the harm at issue, suggesting that the fact that no patient was actually injured by the breach in question did not impact FTC’s ability to initiate an enforcement action consistent with Section 5(n), because the unauthorized disclosure of healthcare information, in and of itself, constitutes a substantial injury under traditional principles of privacy tort law.
The Court immediately jumped on this comparison, noting that the precedent FTC relied on for this proposition involved cases where individuals themselves, as opposed to a regulator, initiated actions for hypothetical harms. The Court questioned whether FTC had authority to stand in that position under Section 5(n) without first promulgating regulations permitting the exercise of such authority through the ordinary rulemaking process, which would give corporations notice that their conduct could give rise to a violation.
Mr. Hoffman parried that there was a long history of FTC enforcement actions prior to the enactment of Section 5(n) that Congress specifically took into account when it enacted the statute, all of which supported FTC’s position that Congress intended it to have the authority to initiate enforcement actions at its discretion, and none of which indicated that FTC was prohibited from taking enforcement action against “intangible harms.” Mr. Hoffman noted that what FTC sought to enforce here was akin to common-law trespass, which is an intentional tort and doesn’t require the victim of the trespass to show that they were actually harmed.
Seizing on the trespass analogy, the Court noted that, in order to recover in an action for trespass, the harm is only part of the equation, and a tort plaintiff also has to prove damages in order to have a “complete tort.” The Court questioned what damages existed in this case that would make the analogy appropriate.
Mr. Hoffman was forced to retreat, and ultimately conceded that, in the present case, there was no analogous tort that would be actionable by the FTC or any individual. When pressed, Mr. Hoffman further conceded that (at least under common-law principles) “nobody has a lawsuit here for anything,” and argued that FTC was simply suggesting that common-law principles can inform FTC’s definition of “substantial injury” under Section 5(n).
The Court expressed skepticism that this was a workable approach, observing that it would be difficult if not impossible to set an “outer limit” for FTC’s enforcement authority under Section 5(n) under the rule that FTC proposed, which the parties agreed was intended to “cabin in the discretion” of the Commission.
Mr. Hoffman responded by arguing that FTC was interpreting Section 5(n) through this lens only for purposes of enforcing prophylactic measures, and that in the context of data privacy and security issues, FTC needs to be nimble to respond to ever-changing threats.
The Court returned to its question about why, if this was the case, FTC could not rely on traditional rulemaking to enact regulations that would accomplish these goals while giving businesses notice of potential violations. Mr. Hoffman responded that though rulemaking might be possible, Supreme Court precedent specifically contemplated that agencies could elect to proceed on a case-by-case enforcement basis instead, which is what FTC felt was the preferable course in the data security arena, given the ever-changing nature of cybersecurity threats. The Court responded “that’s about as nebulous as you can get . . . .”
The Court then shifted gears to the background of how FTC became involved in this specific case. The Court suggested that FTC learned of the LabMD data breach through a self-interested third party, and that the “aroma that comes out of the investigation of this case” is that the third party “was shaking down private industry with the help of the FTC,” and noted that the Administrative Law Judge who first ruled in LabMD’s favor “shredded . . . totally annihilated” the FTC’s investigation in this respect and suggested that the third party “got the Commission involved in their shakedown.”
Mr. Hoffman was hard-pressed to respond, and emphasized that only LabMD’s conduct was ultimately at issue in the appeal, and that LabMD failed to take reasonable steps to implement basic data security protections.
The Court appeared dissatisfied that a “reasonableness” standard could ever be sufficient to give a company notice that its conduct could be problematic for purposes of Section 5(n), and suggested that applying this standard would inevitably result in hindsight bias. Mr. Hoffman responded that this is the same standard that applies to commercial conduct generally in the tort context, and that businesses are familiar with operating under this standard. The Court noted, however, that the public policy implications are far different when comparing a company’s potential tort risk to its potential to run afoul of a government agency rule, and in the latter context, more predictability is required.
Mr. Hoffman conceded that a reasonableness standard, absent formal rulemaking defining that standard, could create an ever-shifting target for industry, but insisted that this is the scheme Congress intended when it enacted Section 5(n), and that such an approach was permissible under Supreme Court precedent despite the fact that it may be difficult if not impossible for companies to have notice of FTC’s enforcement priorities.
Mr. Meal was given a brief rebuttal and addressed three points. First, he argued that there is no legislative history supporting the idea that Congress intended a “reasonableness” standard to apply to Section 5(n), and that the cost/benefit analysis required by Section 5(n) itself indicates that a general “reasonableness” standard could never be workable. Second, Mr. Meal argued that FTC’s contention that rulemaking is impossible in the data security arena is baseless, and cited healthcare, financial services and payment card security regulations—all of which were enacted through a rulemaking process by different administrative agencies—as examples. Third, Mr. Meal argued that FTC was incorrect to characterize the injury here as “objective,” because in FTC’s own submissions, it claims that the injury stems from the fact that the breach victims may “want” their data protected, and may be “offended” if it is released, which are subjective injuries by definition.
Mr. Meal closed by citing Eleventh Circuit precedent from almost forty years ago, observing that if FTC wants the powers it claims it possesses in this case, the proper way to obtain them is by seeking them from Congress, not the courts. The Court then took the case on submission.
* * *
Needless to say, it was an engaging argument that covered a substantial amount of territory. And while the FTC seemed to be on the ropes through much of the oral argument, we know from experience that’s never a reliable indication of how any court will ultimately rule. It will likely take several months for the Court to issue a final opinion, which will no doubt have a broad impact on how FTC’s authority to regulate corporate cybersecurity practices is interpreted going forward. We look forward to blogging about it, so stay tuned!