Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.
On December 27, LabMD filed its opening brief in support of its appeal from the FTC’s decision ruling that it violated Section 5 of the Federal Trade Commission Act. According to the FTC, LabMD failed to provide reasonable and appropriate data security measures for customers’ personal information and caused substantial injury constituting an unfair act. The appeal – however decided – will have sweeping implications for both the Commission’s data security enforcement authority and the companies under its jurisdiction. The appeal was lodged before the U.S. Court of Appeals for the Eleventh Circuit.
As readers of our blog will recall, last month the Eleventh Circuit signaled its initial discomfort with the FTC’s approach when it granted a temporary stay of the Commission’s final order pending appeal, noting that LabMD had “made a strong showing” that the agency’s legal interpretations of Section 5 may not be reasonable.
The appeal focuses on the interpretation of Section 5’s requirement that an unfair act or practice “causes or is likely to cause substantial injury to consumers . . . .” According to LabMD, the Commission erroneously held that intangible harms, such as embarrassment, reputational injury, and privacy invasions, qualify as “substantial injury” under Section 5. In support of this position, LabMD cites the FTC’s 1980 Policy Statement on Unfairness, which states that emotional and more subjective harm will not ordinary render a practice unfair. But in some circumstances, emotional injuries may qualify as unfair only “where tangible injury could be demonstrated.” LabMD contends that even if intangible harm could be a substantial injury under Section 5, the Commission failed to find any such harm. Indeed, Chief Administrative Law Judge D. Michael Chappell originally dismissed the FTC’s complaint against LabMD and concluded that, not only did the FTC fail to show any proof of actual consumer injury, it also failed to present any evidence that consumers suffered reputational injury or embarrassment.
LabMD also takes aim at the Commission’s interpretation of a practice that is “likely” to cause substantial injury. According to the Commission, unlikely injury can be transformed to a likely injury if the magnitude of the potential injury is large enough. Taking this argument head-on, LabMD contends that the Commission’s reasoning “flies in the face of the plain meaning of the word ‘likely.’” Calling it “an absurd I-know-it-when-I-see-it test,” LabMD argues that the Commission’s approach would run counter to Congress’s intent to strictly limit the FTC’s Section 5 unfairness authority.
Similarly, LabMD characterizes the Commission’s assertion of authority over its data security practices as “repugnant” to Congress’s grant of comprehensive federal healthcare authority to the Department of Health and Human Services.
Finally, LabMD also raises the lingering issue of whether there was “misconduct” by the FTC in investigating LabMD. The claim focuses on a company called Tiversa – a forensics firm that attempted to sell its services to LabMD. Whistleblower testimony from a former Tiversa employee – LabMD contends – “strongly suggests a level of collaboration that may have violated the Fourth Amendment.”
We will post periodic updates as the appeal progresses.