FTC Administrative Complaint Asserts Authority to Regulate Data Security Practices
August 29, 2013. The Federal Trade Commission (FTC) announced that it has filed (but not released to the public) an administrative complaint against LabMD. The FTC issued only a news release that omits key information.
The FTC's release does not disclose what statute it alleges has been violated by LabMD. The FTC's release does not disclose what statute authorizes the remedies that it seeks.
The FTC's release does disclose that it alleges that LabMD "failed to reasonably protect the security of consumers' personal data, including medical information". See also, the FTC's web page for this proceeding, FTC Docket No. 9357.
The Congress has not granted the FTC any general statutory authority with respect to either data security or consumer privacy. Numerous such bills have been introduced in recent Congresses, but none has been enacted into law. However, the FTC has on many occasions relied upon Section 5 of the FTC Act (15 U.S.C. § 45) in filing civil and administrative complaints that make allegations regarding data security.
Section 5 merely provides, in relevant part, that "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."
The FTC has promulgated no regulations to implement its asserted authority over data security practices. Hence, the only notice that companies and attorneys have regarding what the FTC asserts is prohibited is its prior complaints and settlements. Since many FTC settlements involve no fines, no admissions of wrongdoing, and no findings of fact and conclusions of law by a judicial officer, they are particularly unsuitable as precedential authority.
LabMD stated in a release that "The Federal Trade Commission's enforcement action against LabMD based, in part, on the alleged actions of Internet trolls, is yet another example of the FTC's pattern of abusing its authority to engage in an ongoing witch hunt against private businesses. The allegations in the FTC's complaint are just that: allegations. LabMD looks forward to vigorously fighting against the FTC's overreach by seeking recourse through the available legal processes."
The FTC did not promptly return a phone call from TLJ regarding this case.
Section 5, Deception, and Unfairness. Section 5 of the FTC Act contains two prongs -- unfairness and deception. The FTC's release does not state whether it is alleging unfairness or deception, if indeed it is even alleging violation of Section 5. However, the FTC's release does allege that LabMD "failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data". This sounds in the nature of unfairness, rather than deception.
A deception case, hypothetically, might be based upon allegations that the defendant published written representations regarding its data security measures, which representations in fact were not true. An unfairness case would be based upon allegations that there exist standards for data security which business ought to follow, and that the defendant did not adhere to these standards.
Most FTC privacy related actions, other than those involving children and the Children's Online Privacy Protection Act (COPPA), allege violation of the deceptive prong. However, the FTC has taken action based upon the unfairness prong in data security cases.
For example, in 2005, in an action against BJ's Wholesale Club, the FTC alleged unfairness in the context of data security. The FTC alleged in its administrative complaint that BJ's "did not employ reasonable and appropriate measures to secure personal information collected at its stores", such as encryption, and that "This practice was an unfair act or practice". See also, FTC web page with hyperlinks to pleadings in that proceeding.
In 2006, in FTC v. Choicepoint, the FTC alleged both deception, for violating statements in its web site, and unfairness, for failure to "employ reasonable and appropriate security measures to protect consumers' personal information". See also, story titled "FTC Sues ChoicePoint for Sale of Consumer Data to Identity Thieves" in TLJ Daily E-Mail Alert No. 1,298, January 27, 2006. That case is USA v. Choicepoint, Inc., U.S. District Court for the Northern District of Georgia, D.C. No. 1:06-cv-0138-GET.
In 2011, in FTC v. Frostwire, the FTC alleged unfairness in the context of default privacy settings. It filed a complaint in the U.S. District Court (SDFl) that alleged, in Count III, that "FrostWire for Android mobile file-sharing application was likely to cause a significant number of consumers installing and running it to unwittingly share personal files stored on their mobile computing devices with the public", thus increasing "consumers' vulnerability to identity theft", and that this constitutes "unfair acts or practices in violation of Section 5 of the FTC Act". See also, FTC web page with hyperlinks to pleadings in that proceeding.
In June of 2013 the FTC filed a complaint against Wyndham hotel companies alleging both deception and unfairness associated with network security breaches. The complaint alleges that the defendants falsely "represented ... that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access". The complaint also alleges that "Defendants have failed to employ reasonable and appropriate measures to protect personal information against unauthorized access". That case is FTC v. Wyndham Worldwide Corporation, et al., U.S. District Court for the District of Arizona, D.C. No. 2:12-cv-01365-SPL.
Also, on March 26, 2012, the FTC released a report [112 pages in PDF] titled "Protecting Consumer Privacy in a Era of Rapid Change: Recommendations for Businesses and Policy Makers" that contains statements that may imply a forthcoming increased reliance upon unfairness, rather than deception, as the basis for FTC interpretation of its statutory authority under Section 5 of the FTC Act. See also, stories titled "FTC Releases Second Report on Privacy Issues" and "Commentary: Unfair v. Deceptive Conduct" in TLJ Daily E-Mail Alert No. 2,357, March 26, 2012. See also, FTC web page for that proceeding.
Whether the FTC relies upon the deception prong or the unfairness prong of Section 5 is critical.
The word "deceptive" in Section 5 has meaning in both common and legal usage. It gives persons and businesses some notice as to what actions may subject them to enforcement actions. It provides limits to FTC action.
In contrast, the word "unfair" in Section 5 lacks meaning. Whether or not a certain activity is unfair varies from person to person, group to group, business to business, and FTC regulator to FTC regulator. It does not put businesses on notice. It does not limit FTC action.
The task of developing a collective determination as to what activities are unfair, and should be subject to prohibition by law, is inherently legislative. In democratic societies, this task is the province of the elected legislature.
If the FTC is proceeding under Section 5, and relying upon the unfairness prong, it would be exercising two questionable powers. First, it would be asserting the authority to determine what business practices are unfair in the context of data security, which is essentially a legislative power. Second, it would be enforcing non-existent standards. Neither the Congress by statute, nor the FTC by rules, has written any data security standards.
Tech Freedom to Host Panel Discussion. On Thursday, September 12, 2013 at 12:00 NOON, the Tech Freedom (TF) will host a panel discussion titled "What to Do about Data Security? A Discussion of the FTC's LabMD & Wyndham Cases". The speakers will include Mike Daugherty, the founder of LabMD. See, notice and registration page.
LabMD is not large corporation that funds an experienced and connected lobbying team in Washington DC. However, some large and politically active technology companies, such as Google, have received rough treatment from the FTC for alleged violation of unwritten Section 5 principles.
For example, in 2011 the FTC brought and settled an enforcement action against Google in connection with its privacy related practices associated with the initial launch of its Buzz social networking service. See, Decision and Order [7 pages in PDF] dated October 13, 2011.
There is also the matter that many companies are concerned that the FTC is currently shifting its antitrust activities from enforcement of the antitrust statutes, which have been construed in detail by numerous Supreme Court and lower court opinions, to antitrust regulation based upon invocation of a single clause in Section 5. This frees the FTC from the constraints of precedential law, and leaves technology companies in the dark as to what three out of five FTC Commissioners might some day consider to be a violation of Section 5.
(Published in TLJ Daily E-Mail Alert No. 2,595, September 4, 2013.)