Companies Challenging the Federal Trade Commission’s “Unfairness” Authority Over Data Security Practices Suffer a Second Setback

May 19, 2014 | Health Care


Issue: Health care companies and others collecting personally identifiable health information should be aware that the Federal Trade Commission (“FTC”) is asserting broad enforcement authority over data security practices and succeeded in fending off another preliminary challenge in a lawsuit brought to prevent that enforcement. Last week, a federal district court in Georgia dismissed a legal challenge to the FTC’s enforcement authority over data security practices. See LabMD, Inc. v. Federal Trade Commission, No. 14-cv-00810, 2014 WL 1908716 (N.D. Ga. May 12, 2014). The federal court’s decision clears the way for the FTC to prosecute its administrative case against a medical laboratory for its alleged failure to protect consumers’ personally identifiable health information. At the same time, the ruling was based on procedural grounds and leaves open the possibility of a later challenge of the substance of the asserted standard.

Background. The plaintiff in the federal action, LabMD, Inc. (“LabMD”), is a medical laboratory that provides doctors with cancer-detection services. Id. at *1. LabMD is the subject of a pending FTC administrative enforcement action in which the FTC alleges the company failed to implement adequate security for patient information retained on its internal network and has invoked its authority under Section 5 of the FTC Act, which prohibits “unfair . . . acts or practices.” Id. at *1. According to the FTC, LabMD failed to discover that its billing manager had installed a “peer-to-peer” file sharing application on his work computer, which resulted in the unauthorized disclosure of approximately 9,300 patients’ personal health information. Id. When police officers in Sacramento, California arrested alleged identity thieves, they found LabMD documents containing sensitive personal information in their possession. Id.

LabMD moved the Commission to dismiss the administrative complaint on grounds that the FTC had no statutory authority to address the data security practices of private companies under Section 5 and that the application of Section 5 violated the Due Process Clause of the United States Constitution. Id. The Commission denied the motion, concluding that Section 5 covers a private company’s data security practices if they are found to be so deficient that they “‘cause[] or [are] likely to cause substantial injury to consumers [that] is not reasonably avoidable by consumers themselves and [the harm is] not outweighed by countervailing benefits to consumers or competition.’” Id. (quoting 15 U.S.C. § 45(n)). The FTC’s administrative law judge scheduled an evidentiary hearing for May 20, 2014. Id. at *2.

LabMD then moved to challenge the FTC’s authority in federal court, filing a complaint in the United States District Court for the District of Columbia to enjoin the enforcement action, while also filing a motion to stay the administrative proceedings in the Eleventh Circuit. Id. The Eleventh Circuit dismissed the plaintiff’s petition, sua sponte, for lack of jurisdiction. Id. The next day, the plaintiff voluntarily dismissed its complaint in the district court.

A month later, LabMD renewed its challenge to FTC authority in the United States District Court for the Northern District of Georgia, filing a complaint for declaratory and injunctive relief from the FTC’s enforcement proceeding. Id. at *2. LabMD again argued that the FTC was exceeding its statutory authority under Section 5 and that the FTC’s enforcement action was arbitrary and capricious under the Administrative Procedure Act (“APA”). Id. Specifically, LabMD argued:

  • Section 5 does not authorize an action for alleged security breaches involving personal health information that is provided by physicians ordering laboratory tests for their patients;
  • Personal Health Information is already regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”);
  • The FTC has not published any requirements for the protection of patient information, leaving companies like LabMD without notice of the purportedly required protections; and
  • The FTC’s enforcement action is retaliation for the criticism LabMD’s President publicly leveled against the FTC.

The FTC responded with a motion to dismiss the federal complaint for failure to state a claim. Id. at *4-5.

Ruling. The district court agreed with the FTC, but relied entirely on procedural grounds. The court found that the agency’s denial of LabMD’s motion to dismiss the administrative complaint was not a final order subject to judicial review under the APA. Id. The court rejected LabMD’s argument that a ruling on the agency’s statutory or constitutional authority to regulate personal information retained by medical service providers was a final agency decision. Id. Nor did the FTC’s submission of its decision to other federal courts as supplemental legal authority establish the decision was a final agency action, according to the court. Id. The court also declined to address LabMD’s arguments based on Due Process and First Amendment concerns, finding that those “constitutional injuries are not currently ripe for review.” Id. at *6. However, in a statement that may serve to embolden further FTC data security enforcement actions, the court noted that it believed the likelihood of LabMD prevailing on its challenge to the FTC’s authority is “slight.” Id. at *5 n.6.

Why You Should Care: As explained in our previous alert, the FTC requires what it deems “reasonable” security measures to protect consumer data, and it considers the failure to provide such reasonable security measures an “unfair” business practice in violation of Section 5 of the FTC Act. A few companies have recently sought to challenge in court the FTC’s assertion of authority, and these threshold challenges have not been successful. Last month, a federal district court in New Jersey upheld the FTC’s authority to enforce Section 5 against companies that allegedly fail to implement reasonable data security measures and suffer a security breach as a result. See FTC v. Wyndham Worldwide Corp., --- F. Supp. 2d ---, 2014 WL 1349019 (D.N.J. Apr. 7, 2014).

The FTC has brought approximately 50 enforcement actions against companies for failing to implement reasonable security measures, and this matter demonstrates that the FTC considers members of the health care industry to be subject to its jurisdiction, notwithstanding industry-specific privacy and data security regulation under HIPAA and HITECH. Indeed, this decision is noteworthy as yet another example of the FTC’s broad application of its “unfairness” authority, even in industries where personal data is already regulated by other federal agencies under industry-specific statutes.

If You Want Further Information: The case is LabMD, Inc. v. Federal Trade Commission, No. 14-cv-00810, filed in the U.S. District Court, Northern District of Georgia. The FTC’s webpage regarding its administrative enforcement action against LabMD is here. Our previous alert on FTC v. Wyndham Worldwide Corp. may be found here.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall Edwards, an O'Melveny partner licensed to practice law in California, Richard G. Parker, an O'Melveny partner licensed to practice law in the District of Columbia and California, Maryanne Kane, an O'Melveny Of Counsel licensed to practice law in the District of Columbia, Katrina Robson, an O'Melveny counsel licensed to practice law in the District of Columbia and California, and Mimi Vu, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2014 O'Melveny & Myers LLP. All Rights Reserved.