In one of two highly watched cases involving the FTC and data security, the Commission has denied LabMD’s motion to dismiss the FTC’s complaint.
In their order denying LabMD’s motion, the Commission writes:
Respondent LabMD, Inc. (“LabMD”) has moved to dismiss the Complaint in this adjudicatory proceeding, arguing that the Commission has no authority to address private companies’ data security practices as “unfair . . . acts or practices” under Section 5(a)(1) of the Federal Trade Commission Act (“FTC Act” or “the Act”), 15 U.S.C. § 45(a)(1). This view, if accepted, would greatly restrict the Commission’s ability to protect consumers from unwanted privacy intrusions, fraudulent misuse of their personal information, or even identity theft that may result from businesses’ failure to establish and maintain reasonable and appropriate data security measures. The Commission would be unable to hold a business accountable for its conduct, even if its data security program is so inadequate that it “causes or is likely to cause substantial injury to consumers [that] is not reasonably avoidable by consumers themselves and [such injury is] not outweighed by countervailing benefits to consumers or competition.” 15 U.S.C. § 45(n).
LabMD’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings (“Motion to Dismiss” or “Motion”), filed November 12, 2013, calls on the Commission to decide whether the FTC Act’s prohibition of “unfair . . . acts or practices” applies to a company’s failure to implement reasonable and appropriate data security measures. We conclude that it does. We also reject LabMD’s contention that, by enacting the Health Insurance Portability and Accountability Act (“HIPAA”) and other statutes touching on data security, Congress has implicitly stripped the Commission of authority to enforce Section 5 of the FTC Act in the field of data security, despite the absence of any express statutory language to that effect. Nor can we accept the premise underlying LabMD’s “due process” arguments – that, in effect, companies are free to violate the FTC Act’s prohibition of “unfair . . . acts or practices” without fear of enforcement actions by the Commission, unless the Commission has first adopted regulations. Accordingly, we deny LabMD’s Motion to Dismiss.
The order, which represented the Commission’s unanimous opinion, with Commissioner Julie Brill recusing herself, was written by Commissioner Joshua D. Wright. You can read it here (pdf).
Previous posts and coverage of this case on this blog are linked here.