{"id":6545,"date":"2020-01-16T13:04:31","date_gmt":"2020-01-16T17:04:31","guid":{"rendered":"http:\/\/ncjolt.org\/?p=6545"},"modified":"2020-06-04T20:52:23","modified_gmt":"2020-06-04T20:52:23","slug":"new-and-improved-will-the-ftcs-latest-round-of-data-security-orders-remedy-its-authority-challenge-in-labmd","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/new-and-improved-will-the-ftcs-latest-round-of-data-security-orders-remedy-its-authority-challenge-in-labmd\/","title":{"rendered":"\u201cNew and improved\u201d: Will the FTC\u2019s latest round of data security orders remedy its authority challenge in LabMD?"},"content":{"rendered":"\n<p>The Federal Trade Commission (FTC) has become the de facto enforcer of data security in the gaps left by the United States\u2019 sectoral, or industry-specific, privacy laws. In 2018, the agency\u2019s authority in this arena was successfully challenged in&nbsp;<a href=\"http:\/\/media.ca11.uscourts.gov\/opinions\/pub\/files\/201616270.pdf\"><em>LabMD, Inc. v. Federal Trade Commission<\/em><\/a>, where the FTC\u2019s order was held too vague and unspecific to be enforceable. 
In response, a&nbsp;<a href=\"https:\/\/www.ftc.gov\/news-events\/blogs\/business-blog\/2020\/01\/new-improved-ftc-data-security-orders-better-guidance\">new batch of FTC consent orders<\/a> seeks to remedy this defect, but will they hold up to further challenges?<\/p>\n\n\n<p>                 Because Congress has enacted privacy laws for certain contexts only (e.g., children\u2019s online privacy in the&nbsp;<a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/15\/6502\">Children\u2019s Online Privacy Protection Act<\/a>, student records in the&nbsp;<a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/20\/1232g\">Family Educational Rights and Privacy Act<\/a>), all other harms suffered by consumers in privacy and data security matters fall under the FTC\u2019s general jurisdiction over unfair and deceptive trade practices, granted to the agency in section 5 of the&nbsp;<a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/15\/45\">Federal Trade Commission Act<\/a>. The FTC investigates a business, and if it finds unfair and\/or deceptive practices, it often enters into a consent order with the business. The order lays out certain requirements, the violation of which results in fines and further restrictions or obligations. However, the FTC\u2019s rulemaking ability is severely limited; it is unable to promulgate substantive rules in most situations, including data security. In that sphere, this leaves the agency in the crucial role of protecting consumers\u2019 data and privacy rights without the ability to proscribe, in general terms, the specific practices it deems unfair or deceptive.<\/p>\n\n\n<p>                 In 2018, the FTC\u2019s authority in the data security sphere was challenged by LabMD, which attacked its consent order as so vague and unspecific that it was unenforceable. The Eleventh Circuit agreed. 
In the underlying facts, a LabMD employee had installed a peer-to-peer file-sharing program on a company computer, exposing the personal information of consumers.<\/p>\n\n\n<p>                 The FTC alleged&nbsp;<a href=\"https:\/\/www.ftc.gov\/sites\/default\/files\/documents\/cases\/2013\/08\/130829labmdpart3.pdf\">\u201ca number of practices that, taken together, fail[] to provide reasonable and appropriate security for personal information on its computer networks.\u201d<\/a> The court saw this as the agency relying on the common law of negligence rather than on \u201c\u2018clear and well-established\u2019 policies\u201d the FTC could point to in assessing LabMD\u2019s conduct.<\/p>\n\n\n<p>                 <a href=\"http:\/\/media.ca11.uscourts.gov\/opinions\/pub\/files\/201616270.pdf\">The Eleventh Circuit stated<\/a> that \u201cthe cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.\u201d The court went on to envision a scenario in which LabMD corrects its program, only for the FTC to say again and again that the new measure is not good enough, or that some other issue needs addressing before LabMD reaches the unspecified reasonableness standard. 
This, the court said, was not envisioned in any scheme of the FTC\u2019s authority, for it would \u201cput [the FTC] in the position of managing LabMD\u2019s business in accordance with the Commission\u2019s wishes.\u201d<\/p>\n\n\n<p>                 In response, the FTC has touted&nbsp;<a href=\"https:\/\/www.ftc.gov\/news-events\/blogs\/business-blog\/2020\/01\/new-improved-ftc-data-security-orders-better-guidance\">\u201cnew and improved\u201d data security orders<\/a>, admittedly in an effort to correct the defects perceived in&nbsp;<em>LabMD<\/em> (\u201cWe were also mindful of the 11th Circuit\u2019s 2018 LabMD decision . . . .\u201d). The FTC hopes its new orders will be specific enough to be \u201cclearer to companies\u201d and to \u201cimprove order enforceability.\u201d Heightened specificity, enhanced accountability of third parties, and a requirement that companies escalate data security matters up the corporate governance ladder are the main changes the FTC cites as intended cures for its&nbsp;<em>LabMD<\/em> problem.<\/p>\n\n\n<p>                 Looking at the&nbsp;<a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/cases\/160729labmdorder.pdf\">final order imposed upon LabMD<\/a> and <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/cases\/c-4696_162_3130_infotrax_order_clean.pdf\">one of the FTC\u2019s recent orders<\/a> side by side is telling. 
The full text of one provision of LabMD\u2019s order requires \u201cthe design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards\u2019 key controls, systems, and procedures.\u201d<\/p>\n\n\n<p>                 In contrast, the final order issued on January 6, 2020 to a company called InfoTrax reads:<\/p>\n\n\n<blockquote class=\"wp-block-quote\"><p>Design, implement, maintain, and document safeguards that control the internal and external risks to the security, confidentiality, or integrity of Personal Information . . . . Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. [InfoTrax]\u2019s safeguards shall also include: . . .<\/p><\/blockquote>\n\n\n<p>                 What follows is a seven-item list of required safeguards including, among other provisions, deleting information \u201cthat is no longer necessary,\u201d encrypting certain personal information, network segmentation, and \u201ctechnical measures\u201d to \u201cdetect unknown file uploads,\u201d to \u201climit locations to which third parties can upload files,\u201d and to \u201cdetect anomalous activity\u201d on InfoTrax\u2019s network, along with specific examples of such activity.<\/p>\n\n\n<p>                 At first glance, the recent order clearly seeks to distinguish itself and to lay out the FTC\u2019s data security expectations with specificity. 
Whether its orders continue to face challenges of unenforceability, and whether those challenges play out as they did in&nbsp;<em>LabMD<\/em>, remains to be seen.<\/p>\n\n\n<p>                 Data security will only become more of a mainstream issue, whether or not Congress passes a comprehensive federal data privacy law that might enable the FTC to make data security rules applicable to all players. Until then, the FTC must continue to enforce data security under the current state of its authority. Whether the FTC can right the ship after the&nbsp;<em>LabMD<\/em> blow is therefore a crucial question for the near future of an arena of growing significance.<\/p>\n\n\n<p>Taylor Townes<\/p>\n\n\n<p>January 16, 2020<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Federal Trade Commission (FTC) has become the de facto enforcer of data security in the gaps left by the United States\u2019 sectoral, or industry-specific, privacy laws. In 2018, the agency\u2019s authority was successfully challenged in this arena in&nbsp;LabMD, Inc. v. 
Federal Trade Commission due to the unspecific nature of the FTC\u2019s order, which was deemed too vague to be <a href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/new-and-improved-will-the-ftcs-latest-round-of-data-security-orders-remedy-its-authority-challenge-in-labmd\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":6548,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/6545"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=6545"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/6545\/revisions"}],"predecessor-version":[{"id":6783,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/6545\/revisions\/6783"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/6548"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=6545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=6545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=6545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}