In the first part of this post, we examined the security risks posed by the growing “Internet of Things,” especially as connected implants and other medical devices become more common. This part examines the Federal Trade Commission’s regulation of cybersecurity policies, including security for IoT devices, under an “unfair practices” theory.
Section 5 of the Federal Trade Commission Act bars “unfair or deceptive acts or practices in or affecting commerce” if the practice “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(a), (n). The FTC is empowered to bring administrative actions against companies for such unfair practices, and its cease-and-desist orders are binding and enforceable.
While “unfair” might sound like it requires an element of deceptive or unethical behavior (or at least intent), the actual standard articulated by the FTC since at least 1980 is that any action causing substantial consumer injury can constitute an unfair practice if it is not avoidable by the consumer and is not outweighed by other benefits. Courts have consistently supported this interpretation.
A History of Enforcement
Consistent with that interpretation, the FTC has for over a decade held companies’ feet to the fire for failing to secure consumers’ data, even in the absence of any affirmative act or even representation by the company. For example, in In the Matter of BJ's Wholesale Club, Inc., the Commission alleged that the defendant retailer engaged in unfair acts or practices by “failing to encrypt [customers’] information . . . storing the information in files that could be accessed . . . using a commonly known default user id and password . . . [and] failing to use readily available security measures.” 140 F.T.C. 465, 476 (2005).
The FTC will even bring cases when no defined harm has occurred. In a more recent case, an employee of a medical testing laboratory downloaded a peer-to-peer sharing program onto her office computer that accidentally provided the whole internet access to a file containing 1,718 pages of patient information. LabMD, Inc. v. Fed. Trade Comm'n, 678 F. App'x 816, 818 (11th Cir. 2016). A security company that routinely scanned peer-to-peer networks for just such vulnerabilities found the file, demanded that the lab use its security services, and tipped off the FTC when the lab declined. The FTC ultimately brought an “unfair acts or practices” complaint—notwithstanding that the security company was blatantly using the threat of FTC action to drive business, that no patient had suffered any actual invasion of privacy, and that it was an unwitting employee’s personal frolic, not any act of the company, that had created the problem.
Although an administrative law judge initially ruled in favor of the lab, noting a lack of evidence that anyone had actually downloaded the file, the Commissioners, on appeal, reversed that ruling and issued a final order, requiring a number of onerous security measures. Id. The lab later won an injunction from the Eleventh Circuit staying enforcement of the FTC order because, among other things, the FTC had interpreted “likely to cause harm” as including even a situation where the security failure had a low likelihood of being repeated. The victory may have been Pyrrhic, however, as the lab had by that time shut its doors, claiming it was unable to bear the cost of litigating with the FTC.
Growing Focus on Security
While these cases dealt with the privacy of information on companies’ internal networks, the FTC is positioning itself to provide guidance on, and therefore presumably regulate, cybersecurity in the Internet of Things. Already the Commission has devoted a whole page of its website to the issue, offering warnings like: “If you’re going to play in the Internet of Things arena, security can’t be a one-and-done proposition . . . . How will you provide updates for products that are already out there? Will you offer them for free? Will updates happen automatically? It’s wise to implement a belt-and-suspenders approach to reach as many of your users as possible.”
Indeed, the FTC is already bringing complaints against companies that advertise that their IoT devices are secure, where the FTC considers these claims to be unfounded. It seems like a short step to complaints regarding device vulnerability even in the absence of an advertising claim.
The liability landscape surrounding the cybersecurity of connected medical (and other) devices is still uncertain. But change is coming fast, and companies that do not have a plan of action will almost certainly run headlong into it.