The 11th Circuit’s decision in LabMD v. FTC comes just as the new FTC Chairman and Commission have been sworn in. The long-awaited decision arises in a case which raised fundamental questions regarding the FTC’s data breach enforcement authority under Section 5 of the FTC Act and the level of injury that gives rise to a cognizable privacy harm. A fraught factual and procedural history – involving allegations of FTC misconduct and an ALJ decision in LabMD’s favor reversed by the full Commission – preceded the 11th Circuit’s action. Is this the end of the road or will the Court’s decision be subject to further appeal? What are the implications for the new Commission and its privacy enforcement authority?
Neil Chilson, Senior Research Fellow for Technology and Innovation, Charles Koch Institute
Scott Delacourt, Partner, Wiley Rein LLP
Operator: Welcome to the Federalist Society's Practice Group Podcast. The following podcast, hosted by the Federalist Society's Telecommunications and Electronic Media Practice Group, was recorded on Monday, June 18, 2018 during a live Courthouse Steps teleforum conference call held exclusively for Federalist Society members.
Mr. Micah Wallen: Welcome to the Federalist Society teleforum conference call. This afternoon our conversation is on the LabMD Inc. v. Federal Trade Commission decision, which was released last week. My name is Micah Wallen, and I am the Assistant Director of Practice Groups here at the Federalist Society.
As always, please note that all expressions of opinion are those of the experts on today's call.
Today, we are happy to have with us Neil Chilson, who is a Senior Research Fellow for Technology and Innovation at the Charles Koch Institute. We also have with us Scott Delacourt, who is a Partner at Wiley Rein.
After hearing from our speakers, we will go to audience Q&A. Thank you for speaking with us. Scott, the floor is yours.
Mr. Scott Delacourt: Thanks, Micah. Um, and thanks to people who are listening in. I'd thought, um, given the, the possibility of different levels of familiarity with the case, I might start with a quick recap of what went on here, and what the 11th Circuit decided.
LabMD was a cancer detection facility that had personal information regarding some of its patients. And some of that information was stored on a workstation, where an employee was using file-sharing software to listen to music, which made information on the workstation accessible to the outside.
A firm called Tiversa, which, uh, was either a security firm or a hacker depending on your perspective, accessed a document containing sensitive information of around 9,000 patients. It was never shown that anyone other than Tiversa accessed the data, or that any misuse of – was made of the data.
The FTC investigated and brought administrative – an administrative complaint asserting that LabMD's data-security practices were unreasonably lax and therefore, unfair under Section 5 of the FTC Act.
The case was initially heard by an FTC administrative law judge, who sided with LabMD, but was overturned by the full Commission. LabMD then appealed it—the Commission's decision—to the 11th Circuit, where the issues before the court were first, whether unauthorized access to data alone, without any misuse, constitutes consumer harm that rises to unfairness under Section 5, warranting FTC enforcement action. And the second issue: uh, what is the level of notice required regarding what the FTC deems to be reasonable data-security practices, the failure to provide which gives rise to unfairness under Section 5, and potential enforcement action?
Interestingly, the 11th Circuit did not really decide either of those issues. Instead, it held that the cease-and-desist order that the FTC imposed on LabMD, requiring reasonable data-security practices and an overhaul of the company's data-security practices, generally, was unenforceable because it lacked specificity as to what exactly was required.
Um, uh, I think I'll stop there and, uh, and, Neil, do you want to fill in on the, on the facts, or what occurred here?
Mr. Neil Chilson: Yeah. So I think I would just add that, um, as all litigation, uh, well, as much litigation is, the, the procedural background for this case is actually quite complicated. And if you look at the full docket and the number of times it moved up and down, uh, between, for example, the ALJ and the Commission, and then, uh, even between the Commission and, uh, Federal Court, um, it's quite complicated. But I think Scott covered the, the highlights and the points that really matter for our, our decision today.
Um, uh, and I think with that, uh, you know, maybe we can jump into some of the questions. I think this is a pretty interesting case and one that, uh, I've been paying attention to for a long time. And that I know that the data-security community, uh, more generally, as well as people who like to keep an eye on what the FTC does, um, this is a case that, uh, I think people were very interested in. And so, I'm glad to be here to talk about it, uh, with all of you.
Mr. Micah Wallen: All right. So the first question we have is, uh, what are the broader implications of the case, uh, beyond the impact on the particular litigants?
Mr. Neil Chilson: So I'll just jump in here and say that I think that this case, uh, despite not having, uh, answered – I think Scott quite accurately characterized it as not really having answered the, the, the two main questions. Um, this does have a lot of implications for the FTC's data security orders going forward. Um, the court was very skeptical of the way that the FTC adopted the order in the LabMD case or what was contained in the order. And in – it essentially said that it wasn't specific enough to say reasonable data security, um, focusing very much on the, the, the reasonable data security prong of the order.
FTC orders, uh, in the data security space and other spaces, they have lots of other provisions as well. Um, the court didn't really talk about any of the other provisions, many of them which are quite specific but are not necessarily focused on the data-security issue, uh, that was, that was the core of this case.
Um, and so, the reasonable security requirement that was in the order, um, is one that the FTC has used in many of its cases in the data-security space, uh, I think with the aim of largely not being too prescriptive. The court found that to be a flaw of the order, and said that, um, there, there – that essentially, uh, to enforce such an order would require the FTC and the defendant—in this case LabMD—to relitigate various factual matters in front of the court about what was reasonable security. And the court said that that was not attended to – uh, that was not a proper way to, to do a, uh, enforceable order. That made these orders—this order—unenforceable.
So I think the implications are, um, that the FTC will need to be more specific in its orders and more prescriptive in its orders about what, uh, a company would need to do to comply with the order. Um, I, I, I, think that's, that's, uh, that's a str- – well, I would say from a policy perspective, it will be interesting to see how the FTC, uh, balances the need for, uh—under the 11th Circuit's decision—the need for specificity against the challenges in the data-security space of maintaining, um, something that's reasonable and not doing a sort of checklist view of security, which, uh, most security experts say is, is not – it's a good way to still get in trouble because the space moves so fast. The checklist can be out of date pretty quickly.
So that's one of the – I think that's, uh, I think that's one of the, the – probably the biggest implication. There will be some implications for how the FTC writes orders in, in future cases. Uh, in the data-security space specifically, but perhaps in other, in other areas as well.
Mr. Scott Delacourt: Yeah, I, I agree with, with Neil that there's going to be broad impacts from, from this, um, case. And I think, you know, you can look to two immediate ones being, um, a limitation on the FTC's authority, um, both with respect to remedies and potentially with respect to the, the kind of cases it might bring in the future.
Um, the decision of course is limited to the particular litigants. Um, but the court's holding can be a, a constraint on the FTC's data-breach authority. Most obvious and direct limitation is on, um, the kinds of remedies that can be ordered. If a case is litigated, um, and success in a case like this, likely means more cases involving data breaches are likely to be litigated, where they may have settled before. The FTC's going to need to spill out – spell out with greater specificity what reasonable data security means for a particular company, just as Neil was saying.
And that's not at all an easy thing to do. Um, ordering that some identified shortcoming be corrected is easy and straightforward. But outlining a comprehensive data-security plan, that's not easy because industry standards change and technology changes. Um, but I think beyond remedies, the case will make the FTC even more circumspect in identifying Section 5 violations in the first place because it will know that it's going to be put to its proofs to show a company's data-security practices were unreasonable.
Mr. Neil Chilson: Yeah, and, and I might add there, we might see a shift towards more cases brought under deception. I, I would note that many of the FTC's data security cases include a deception count, where the company made a claim of some kind about the types of security that it had. Um, and, and, uh, the order here is focused on, uh, essentially what was the unfairness – the unfairness portion of the LabMD complaint. And so, uh, deception cases we might, we might see more cases brought under that, um.
Or we might see more cases where the unfairness practice that's alleged is, is not so much, uh, unreasonable data security, but for example in the Lenovo case, there was a very specific count of unfairness. This is a case in which the Lenovo—one of the big PC manufacturers—had installed, uh, middleware software onto a laptop, um, for the purposes of advertising, but which created, uh, a pretty sizeable security problem, um, on these people's PCs.
And so, uh, in that case, the, the Commission had a general data-security unfairness count that said it was unfair that they didn't have reasonable data security. But it also had a very specific unfairness count that said that the installation of this kind of software was unfair.
So we might see, uh, more of a focus towards complaints that, uh, have very specific, uh, activities, uh, alleged as unfair.
Mr. Scott Delacourt: Yeah, I agree with that. And, and, um, the deception count is always the, the easier one to bring and a little bit more less fraught when it's litigated. Um, the, the downside for the enforcers is that, is that I think, um, companies are kind of wise to that and are being more careful about the kinds of representations that they make about the security that they offer.
Whereas at one time, a company may have said, um, your, your data is secure with us, you'll find now more commonly, more nuanced representations that say, um, of course, you know, rigorous data security cannot prevent the activities of a determined hacker, and no security is perfect. This sort of thing. That may not be the get-out-of-jail card that it, it sounds like. Um, if you've made some representation that you're taking, um, steps, and you, you've been, uh, uh, and you've been quite lax, then you, you may have deception anyway.
But it – the easy cases for the enforcers are, um, on, on deception I think, uh, becoming fewer and further, further between.
Mr. Neil Chilson: Yep.
Mr. Micah Wallen: Interesting. Thank you, both. Uh, another question is, uh, one of the issues before the 11th Circuit was the scope of the FTC Section 5 enforcement authority in data-breach cases. Uh, uh, how did the court expound about that, and what do you think the fallout is from their reasoning?
Mr. Neil Chilson: Well, it's a, it's a really interesting point. I think that was one of the key, uh, issues that had come up in the Wyndham case. And in, in that case, uh, the circuit court or the Court of Appeals had, uh, decided that the FTC under Section 5 could bring data-security actions.
Uh, interestingly, um, Wyndham is not mentioned at all in the LabMD case. Um, it was in a different circuit so that's, that's not problematic, but it is interesting. Uh, it was interesting to me to see that the court does sort of take a tour through the FTC's unfairness authority under Section 5. It looks at the statute and it looks back towards an older test that the FTC used for unfairness. And which is arguably still sort of the super structure around which, uh, the FTC does unfairness.
Uh, that was set forth in, uh, the cigarette-labeling rules, uh, or statement. That was a three-factor test that was then talked about by the Supreme Court in, uh, Sperry & Hutchinson in dicta, and sort of ratified. And that test, uh, it was a three-part test that talked about causing consumer injury, compet-, or con-, consumers, competitors, or other businesses substantial injury; two, offending public policy as established by statute, the common law, or otherwise; and three, immoral, unethical or unscrupulous.
That was a sort of framework, uh, that the FTC in the 1970s got into a lot of trouble under. Um, it started to rely heavily on public policy, uh, which it interpreted to mean if it found, uh, uh, uh, um, a matter that was of some, some interest to the public, uh, that it could, it could either pass a rule, which is what it had tried to do a couple times, or bring cases, uh, under unfairness.
And, um, that – when the FTC, uh, did some of this, it, it got into a lot of trouble from Congress. And Congress actually dialed back, uh, defunded it for a period, and, um, when the Commission came back open, uh, there was some reform under, underway. And they adopted a new unfairness statement in the 80s, the early 80s that really focused on the first prong of that original test, and gave three sort of sub-prongs to that. And that is what is colloquially today referred to as the Unfairness Test, which it means that – and there has to be a substantial injury that's not avoidable by consumers and that's not outweighed by, uh, benefits to consumers or competition.
That has sort of colloquially been called the Unfairness Test since the mid-80s. And, um, it's interesting to have the LabMD. The LabMD decision goes back to that earlier test and talks about the public-policy prong of that test. Um, I'm not quite sure how to read the impact of that, uh, on the FTC's authority. The court after having done all this analysis, then ultimately concludes that it wasn't going to decide whether or not – it was just going to assume for this case that there was, uh, a violation of Section 5 unfairness, and then it transitioned over to the order and said the order was unenforceable.
So I'm not quite sure how to take the court's reading of what unfairness is, but that – there are at least some implications for, not just data-security cases and how unfairness might be applied, uh, but how unfairness generally – you know, the FTC brings lots of unfairness cases that aren't data-security cases. I'd think it'd be really interesting to see how people, uh, talk about Lab-, uh, the court's – the 11th Circuit's decision here, uh, on unfairness and that analysis.
And I actually wrote a piece, um, on techliberation.com, uh, if anybody's interested on this sort of obscure and possibly dicta part of the LabMD decision. So I'd refer anyone who's interested to that.
Mr. Scott Delacourt: Yeah, I, uh, like Neil was, was, uh, a little bit puzzled by, by what the court did here, um, in terms of the, um, question that was presented to it about the FTC's authority under Section 5 to bring, uh, data-breach enforcement cases.
Um, it might have gone a couple of different ways. I mean, one way would have been for, um, the 11th Circuit to have said affirmatively that, um, Wyndham is the law of the land, that the FTC has the authority under Section 5 to bring, um, data-breach enforcement cases. Um, and while that wouldn’t have solved the matter, it would've been a long way – it would've gone a long way towards solving the matter because two circuits having ruled that way, you know, it's kind of, you can see the momentum in the writing on the wall.
The other way it might have gone is, is the court may have, uh, decided that, you know, we disagree with the Wyndham case, um, and so the, uh, Federal Trade Commission does not have, um, data-breach enforcement authority under Section 5. That's reading too much into the Act. That would have set up a circuit split, um, and the issue would have then gone to the Supreme Court.
What's interesting is that here they didn't do either of those things. They really sidestepped the issue. Uh, Wyndham is not, uh, mentioned at all. And, as Neil said, the court just assumes, um, that, that a Section 5, uh, violation has occurred. Um, and then, con-, con-, continues on to discuss the merits of the, the remedy.
Um, you know, why, why did that happen? I'm, I'm not sure we'll, we'll ever really know, but, um, Neil mentioned earlier that the, the, um, procedural process of this case was somewhat unusual. And I think part of that, um, the long pendency of this case, the time that it was before the court, um, was unusual.
The case was originally filed in December of 2016, and not decided until, um, until June of this year. Um, so it was pending for over a year and a half. And, you know, while we can never go behind the curtain, um, where a case is pending before an appellate court for a long period of time, the, um, speculation is often that there is a disagreement among judges on the panel about what to do with the case.
And in this case, um, the very narrowness of the decision and the fact that, um, while there was a discussion of issues, they aren't decided. And the focus in deciding the case is this very narrow focus on deciding that the cease-and-desist order is unenforceable. That may well have been because there were disagreements on—among the panel of the 11th Circuit—on what to do on these harder questions, like what does Section 5 mean about the FTC's authority? And that the way to resolve that was to come to a very narrow decision.
Mr. Neil Chilson: That's as good as an explanation of it as, as I have heard for sure. I, uh, as good as, as good as speculation as, uh, as I could, as I could do. So I have nothing to disagree with there for sure.
Mr. Scott Delacourt: And I, and I candidly admit rank speculation.
Mr. Micah Wallen: Does this case make it harder or easier for the FTC to bring enforcement actions in data-breach cases?
Mr. Scott Delacourt: Uh, I think it does make it harder for the FTC to bring enforcement cases. Um, it's not an accident that the FTC hasn't provided a lot of specificity about what is reasonable data security. Um, as Neil mentioned, this is a very difficult and fraught area. If they identify certain practices, a certain level of encryption for example, uh, those practices are likely to be shown to be ineffectual in the next breach or to quickly become outdated relative to other better or more secure practices.
Um, and the FTC doesn't, you know, candidly doesn't want to be in that business. And it isn't particularly well-equipped to be in that business of setting, uh, data-security standards. That's something better done by industry and maybe better done on an industry-specific basis, where there are different needs and exigencies for, for different, um, practices.
Um, so, you know, it's not an accident that, that they wanted – that they have sought to have a, um, be less prescriptive as Neil says. Um, I think another thing that will become more difficult, uh, as a result of the LabMD case is, um, the FTC is likely to face more opposition when it, when it investigates and brings enforcement actions. And that the LabMD case itself may shift the leverage dynamic to some degree.
Until the Wyndham case, no one had really litigated the FTC's data-breach enforcement authority under Section 5. Nearly everyone entered a consent decree. And the FTC has entered over 50 such, such consent decrees with various companies, um, and has pointed to them as a, a sort of common law giving a sense of what constitutes reasonable data security.
Um, in the consent-decree process, the FTC has a freer hand on, on remedies because there's a back and forth, voluntary negotiation—I mean, voluntary in, in the dynamic of, of, of law enforcement—but the parties can agree to things that wouldn't necessarily be accepted by an Article III court.
With the LabMD decision out there, parties are likely to negotiate harder on remedies and to litigate more frequently.
Mr. Neil Chilson: Uh, I agree with all that. Um, you know, I think the, the FTC will also be facing some possible new arguments about, uh, how unfairness – the unfairness test works, um, and, and while I don't know that those will be prevailing, I think anytime there are new arguments, um, that have, uh, even the, the, a slight stamp of approval from, a, a, a federal court that then staff has to spend time dealing with those arguments.
And so, I would expect litigation in this space is a little more difficult—bringing cases in this space is a little bit more difficult. And that I would say, it's sort of more on the pragmatic level. I think this will emphasize, uh, cases. I think this will have the effect of emphasizing cases at the FTC that have very clear drawn lines between the activities of the company and, uh, the injuries to the consumer. Um, I think those will still be cases where the FTC will, will be relatively safe in bringing, um, but I think they will make sure to get more of their ducks in a row, uh, before moving into an investigation or before moving into settlement, uh, uh, discussions or litigations. Um, so yes, it does make the – it does make it harder for the FTC to bring enforcement cases.
Mr. Micah Wallen: Great. Another question to get to is, uh, the LabMD case raises issues about how law is made in the administrative process. With respect to privacy cases, uh, brought under Section 5, there are just a couple of litigated cases, the FTC maintains that, that large, larger number of consent decrees, there's also a body of precedent regulated companies should look to as a guidance on applicable standards. What does that LabMD case mean, if anything, for development of precedent by consent decree?
Mr. Scott Delacourt: So, yeah, I think this is an interesting aspect of, of the case because there've been lots of questions raised about, um, consent decrees as being a common law on reasonable data security. Some parties think that that is a, a very reasonable practice and provides good guidance. And, in fact, there are industry groups that have gone to the effort of, uh, abstracting from those various consent decrees the elements that, um, they see as, as firm guidance, that, that, companies should be aware of and should take into account when, um, formulating their data-security plans.
Others say, you know, that's not really an appropriate, um, source of law because of the leverage dynamic between the parties. And also because those – many of those consent decrees are very fact-specific, particular to particular industries and companies.
But in terms of the impact for, for parties that have already entered consent decrees, uh, the LabMD case may have a, a limited impact. Two parties can agree to remedies in a consent decree, which is like a contract. Even if those remedies wouldn't be accepted by an Article III court if the matter were litigated.
So it won't be an out to your consent decree that what you agreed to lacks specificity, um, because you have agreed to it. Now, if you had litigated it, then a court might decide that it was, um, you know, not enforceable, but you may not have that, that same luxury where you've agreed to it.
Um, now, that doesn't mean that, um, the FTC doesn't have any exposure. Uh, if the FTC is to allege an FTC consent-decree violation, um, that party is not providing reasonable data security as required under a consent decree, then LabMD offers a defense, um, that the consent decree doesn't provide specificity about the data-security practices required.
Um, as to the use of consent decrees as a common law, um, LabMD – the LabMD decision seems to call that practice into question, or at least open it up to challenge. Um, the remedies ordered in consent decrees tend to be specific to the party involved and the particular circumstances. Um, and they don’t seem to provide the level of specificity the 11th Circuit was looking for, at least with respect to a cease-and-desist order.
Um, as to the level of notice as to what reasonable data security means before bringing a Section 5 enforcement action, that remains an open question.
Mr. Neil Chilson: I, I, I think I would just add that, uh, I think there's a – there's some – some make a distinction between the sort of common law of the consent decrees—the orders—and what's in them. And the more – if you're looking for what the violation of what the law is, you might look more towards the complaints that issue. Those are, um, typically much less negotiated between the two parties, and I think that is the clearer statement, uh, typically of what the FTC believes is the legal violation outside of the – whatever negotiations, um, the company and the FTC might enter and memorialize in an order.
Um, and sort of building on that, it's interesting how much time the, the decision in the 11th Circuit spends on walking through how litigation works both at the ALJ level and then in the, in the court. And then also, like, what might be the different mechanisms for enforcing, uh, these orders. It walks through a couple hypotheticals. Um, I, I'm not sure that those, uh, undermine the, uh – I think those accurately describe the process, but it's interesting how much time they spent on that, uh, relative to other things.
Um, I'm not sure that this changes the usefulness of consent decrees and, uh, the complaints that accompany them for lawyers who are advising clients or for clients who are looking for examples of what the FTC is thinking. I think those are still useful documents for that. And while that's not the – uh, I think that's not the paradigmatic, uh, formulation for what common law is, I think these – you can – one can still learn a lot from looking at, uh, what, what the Commission found to be a Section 5 violation and then how it came to agreement about how that violation could be remedied. For, if you're trying to advise a client, um, I think those are still quite useful.
Mr. Micah Wallen: All right. Well, let's – um, there's a few more questions to get to, but let's go ahead and open it up to audience questions and mix a few from the audience in here if there are any on the line. In a moment, you'll hear a prompt indicating that the floor mode has been turned on. After that, to request a floor, enter the star key and then the pound key on your telephone.
When we get to your request, you will hear a prompt and then you may ask your question. We'll answer the questions in the order in which they are received. Again, to ask a question, please enter the star key and then the pound key on your telephone keypad.
We already have a question lined up, so without further ado, let's move to our first question.
Mr. Mike Daugherty: Well, good afternoon, gentlemen. This is Mike Daugherty, the CEO of LabMD. I'll try hard to make it really brief and keep it as a question. But – and that is to me—and I would really want your feedback on this if you see this—but of course, I've lived through this for ten years and I think a lot of the details of the court's really in the oral argument. Every lawyer I know that never stays animated and stays monotone through all sorts of academic analysis lost their mind when they read or heard the oral argument and how Judge Tjoflat and Robreno specifically came at the FTC for how they conducted themselves through this, saying such things as, you know, you got annulated, um, were you working with criminals, uh, you know, thank you for that concession for saying that you can, you know, make up – you can avoid rulemaking and you can adjudicate, um – you can make up rules through adjudication.
So, to me, this is really a, a notice case and a due process case. Uh, that there were no standards, and coming from 30 years in medicine, LabMD, and myself as CEO and our lawyers that worked in healthcare were blown away by this argument that we can't manage, um, technology without – with specifics, when there are no specifics in medicine. If you guys think technology moves fast, try cancer.
And so, and so, it was laughable the lack of, um, that argument to those that work within an industry that is well-regulated and seems to get along more collaboratively was a big deal. So this was a war. Make no, make no mistake about it. It still is. It was, persecution due process. The details will show that—and those are still coming—but I would recommend everyone read the oral argument to get a lot of what was going on because certainly when I say it, in a way it's the least credible because people see myself as someone with an axe to grind.
But, anyway, so I don't know, um, what, you know, what your, your, your feedback would be on, on, on my comment.
Mr. Neil Chilson: Uh, let me just jump in and say, well, first of all, congratulations on the win, Mike. Um, uh, I, I do think that a lot of people when they heard the oral argument knew it wasn't going well for the FTC. Um, I – and I think people weren't really surprised by the outcome in this case; what the final verdict was. I, I think there was, there was a sort of anticipation that the court, um, uh, was not finding the FTC's, uh… I, I, I don't – I just think there were – this was a closed case, um, and I think people were, were expecting, uh, a loss or at least a very narrow decision.
I think what is more surprising is how little, uh, this case answered the big hard questions. And I think Scott already laid out some of the reasons why that might be. Um, it doesn't do a very good job of addressing the due process point, except sort of backwards by looking at the order. And the question is how will this be applied in the future? And I think we'll, we'll have a chance to see that. But, um, the outcome, maybe not a surprise. The sort of way the court got there I think was, was quite surprising to me and I think probably to other people as well.
Mr. Mike Daugherty: Don't, don't you think that's because they dance around getting overturned, or I mean, I think your point on disagreements is fantastic because there's just a lot of people within in this system that have nothing to do with technology or medicine that just do not want to take power away from the government. And there was just a really hard way to slice a baby without this thing getting nowhere.
I mean, the government has an unbelievable amount of power and one big echo chamber. And I – in a way, given the realities of the judiciary today, and the legal system, and the regulatory system, um, I actually thought it was pretty darn brilliant.
Maybe that's not a question.
Mr. Scott Delacourt: Yeah, no, Mike. Uh, this is Scott Delacourt. Yeah, and, and I second the congratulations. I know it was a, a, a long, very long road and you had to show a lot of staying power to get to the, to the victory. So, um, congratulations, uh, on that.
Um, you know, in terms of the court's decision, yeah, I think the, the, uh, judicial process is, uh, part of the reason the decision came out so narrowly. On the questions that were presented in the case on the Section 5 authority, and on, um, what I would call the informational, uh, injury question—whether, um, exposure of data alone without misuse, um, is a violation of Section 5—those are really tough questions.
And the, um, the court, I think, was very concerned about where it might not have liked what the Federal Trade Commission had done or agreed with its take on those questions, I don't think it, um, was in a position to answer those, uh, questions and support them with the authorities, uh, available to it in a different way. Not meaning that it, that it couldn't have come to a different decision, but again, looking at the processes, you mentioned the concern about being overturned, I don't think they had a clear roadmap to, to coming out, uh, uh a different way. So, instead, they went to a very narrow decision, um, that enabled them to, to, uh, get rid of this case without, um, making, uh, choices there were, uh, on, uh, very difficult issues that were going to have a more widespread effect.
Um, you know, to address a couple of other things you mentioned, um, in terms of the, the conduct in the, in the case and the FTC's conduct and sort of the, um, the issues around working with Tiversa and, and whether or not they're a legitimate act and everything that went on there was appropriate. That was something that, that came up at oral argument, and that the court had some concerns with. Um, I think that has continuing relevance as to, um, next steps here because there is, of course, the issue of whether the, the Federal Trade Commission would seek a rehearing en banc or would, um, seek to appeal to the Supreme Court. I, I would guess—and, and, I don't know. It's a new group and they'll have to think hard about it. But I would guess they’ll let this decision stand and not appeal further.
And, uh, the bad facts are, are, part of the reason why. I think they will have other, um, data-security cases to bring Section 5—enforcement cases, data breaches happen all the time—and they will want to, um, confront these issues where they have a much cleaner record than the one they have in this case. And it's actually surprising to me that they pursued this case as far as they did with some of the bad, bad facts involved.
And then, just, just to address one, one other issue that you raised about, um, you know, you, you think providing, um, standards is difficult in a fast-developing area like data security, try, try medicine and try cancer. That's a good point. And I think, um, you know, that's part of what the next hard question before the Federal Trade Commission will be, um, how can we provide some greater specificity on those issues and what a data sec-, – reasonable data security means, and what are our options?
And one of them would be, you know, a more, um, process-oriented requirements, um, like, like medicine. Medicine isn't static. It doesn't say, you know, um, do these things and do only these things. But it sets out what are, um, est-, established standards of care, and as long as you follow those prescribed standards of care, if something goes wrong you're not exposed to liability. And you can imagine a similar con-, construct to that for, for data security. And that may well be one of the things that the new Commission will explore.
Mr. Micah Wallen: Let's move to our next question.
Mr. John Vecchione: This is John Vecchione at Cause of Action. Um, my question, uh, is about the FTC's next steps if they don't go for en banc or they don’t, um, ask for cert. And it's 3-0 decision and there's no circuit split on the issue that I'm aware of, so I don't think they can go very far. But their public comments have been that we’re, we're looking at our next steps, which I guess has the advantage of being true. But what – they have two courses of action that strikes me. Try to cabin the 11th Circuit decision so it doesn't go to other circuits and it has no effect the best they can; they can ignore it. Um, or they can incorporate it in how they, in how they proceed on data-security cases. Uh, which do you think it'll be?
Mr. Scott Delacourt: Uh, well, I'll go first there. I, I don’t – this is not a group that is inclined to ignore a decision of the 11th Circuit. The, the, um, the group that has the new Federal Trade Commission, um, and, uh, the new commissioners who are in place, um, like, like the ones before them, but I say this is a particular merit of the, of this group and the new General Counsel, Alden Abbott.
These are – they're very rule-of-law folks and very much, um, will give a, a close read to the 11th Circuit's, um, decision. I'm sure they've read it many times already and will, will take it into account in, um, deciding, uh, one, um, what kinds of remedies they can order in, in cases that they're already negotiating. Um, two, what kind of, um, uh, cases they can bring for violations of consent decrees. And then, three, they'll be thinking about the broad question of what does this mean for our authority and the notice we have to give before bringing an enforcement case in the first instance.
So I think it'll be, between the two options, you, uh, outlined—either ignore it or take it into account in developing their practices going forward—I think it'll very much be the latter.
Mr. Neil Chilson: Yeah, I, I totally agree with that. Uh, I – as I mentioned earlier, I think this will have impact on how the FTC writes its orders going forward, and also in the case selection that it, uh, that it chooses to bring. Um, and also the legal theories that it, that it uses – that it chooses to apply. I think, uh, you know, where there's an option to, to not use an unfairness count, I think they will avoid doing so and focus on deception.
Um, so I, so I do I think, uh, this will be part of the – this conversation inside of the building about how to, uh, how to, how to bring cases in a way that's compliant with this order. Um, as we've mentioned, the order is, is quite narrow and so, um, the conversation might have been much harder if, if this, uh, if this decision had, had gone beyond, um, this – the focus, the more narrow focus that it had.
I don't know, however what the Commission is going to do about the analysis of unfairness that's, you know, arguably in dicta. Um, to me, it has the slight, uh, downside—a potentially, uh, big downside—of moving the FTC's focus, uh, of its unfairness enforcement away from consumer injury and, and also starting to think again about, uh, public policy questions. And, as I mentioned, the history of using that prong of, uh, the old, uh, Sperry Hutchinson Test was, was pretty problematic for the FTC. So it's my hope that the FTC, uh, continues to focus on consumer injury in its unfairness analysis, um, and that this, this decision doesn't, uh, shift that focus away. I don't think that's very likely with this batch of c. Um, or the, the staff that are there. I think the, the long-established, uh, unfairness statement formulation, uh, that's captured in Section 5(n) is pretty solid at this point.
Um, but, you know, it is a little bit concerning to me and I am curious to see how that shakes up.
Mr. Scott Delacourt: Hey, Neil, uh, you know, I would just comment on that, um, because you'd, you'd referenced this earlier and I just wanted to outline it a little because I, I don't know if this is an issue that everyone on the call will be fam-, familiar with. You’ve, you've been traveling these circles a, a longer time. But this is really the, the, a sleeper that issues that has been identified in the case. It may be the most significant, um, aspect of the court's decision with respect to the FTC's authority.
Um, and while it's not part of the holding, as Neil mentioned, um, the 11th Circuit stated its view that, um, Section 5 enforcement actions can't be based on—alone—on consumer injury or even substantial injury. That the lack of data security must be unfair under some established legal standard, meaning either in violation of the Constitution, a statute, or the common law. And, while some data breaches may violate an industry-specific privacy statutes, many—and maybe even most—will not violate a statute and they certainly won't violate the Constitution, which leaves us with the common law.
And what the 11th Circuit looked at in this case—in the LabMD case—was whether failure to provide reasonable data security would be negligent under the common law. And that's us back to torts in law school where the elements of that are duty, breach, causation, and damages. And, and the question arises, well, where is the duty to provide, uh, reasonable data security coming from in the absence of a statute?
So that, you know, if – and again, that wasn’t part of the court's holding, but that line of reasoning, if it, if it were to, um, you know, be accepted by the FTC, be accepted by other courts, that's a fairly significant, um, constraint on the Commission's Section 5 authority, especially in the data breach area where there is no – um, we don't have a, a general privacy statute in the U.S. like the GDPR in Europe. Um, these would essentially be, be negligence cases.
Mr. Neil Chilson: Yeah, and it's, it’s a really interesting issue, and I, I, I, I am not a tort-law expert, um, but the sort of common law elements, uh, that, that people had been talking about in the FTC's data-security space is – it's interesting where the court sort of took that into negligence. Um, I – you know, we were talking earlier about how the difficulty in establishing standards, uh, of behavior in this space, uh, by the FTC, I, I, I think that's, I think that's accurate. Um, that's an accurate concern, um, and that's why I think the FTC has typically tried to focus very hard on something that it, it – on consumer injury. Something that it can look at and see that there's a – that, uh, an injury that's happened. And that's why that prong of the Sperry Hutchinson Test, I think, was elevated quite reasonably.
And so, uh, so it's – it'll be interesting to see how this shakes out, uh, whether, you know, it goes more in the negligence direction, um, uh, and, and there is a common law that's built that way or if in the end, uh, you know, there's a statutory approach to some of this. And, I, I, I, you know, I – it's hard to predict right now, for sure.
Mr. Micah Wallen: We have another question on the line so without further ado, let's move to our next question.
Mr. Ted Gebhardin [sp]: Uh, hi. Uh, this is Ted Gebhardin, Arlington, Virginia. I hope, uh, these questions aren't too much in the weeds. But I'm just curious as to what was the basis of the ALL – ALJ's decision that the Commission overturned? Um, was the decision to overturn it unanimous? And has there been any separate, independent, uh, action been taken against the hacker?
Mr. Neil Chilson: So the ALJ's decision if—this, this is Neil—if I'm remembering correctly, uh, it essentially applied the regular, um, unfairness test and determined that there was not substantial injury here. Um, uh, I, I don't remember the exact details, but it was a much more straightforward, uh, application of Section 5, um, than, than the way that the 11th Circuit approached it in this case. Uh, it was not about the order. Uh, it was about the liability in the first place.
Um, uh, I think – I believe the decision – uh, well, I – the decision to, uh, uphold, or to overturn the ALJ's, uh, decision for LabMD was unanimous. It was – I believe there was not a full Commission at the time, however. I think it was – uh, there may have only been three commissioners. There may have been four. I'm pretty sure it was not a full Commission, though, at the time. Um, which doesn't really have any legal import, uh, I just wanted to add that as a caveat.
Uh, as for prosecuting, uh, uh, the other company, I, I'm not sure. That's – I'm not sure where that stands. That is, um, uh, first of all, I think there's a lot of disagreement over whether they were a hacker or whether they were accessing on the network, uh, information that anybody else who had the LimeWire software could also have accessed. I think that was the, the factual, uh… that was the way that the FTC framed it in its complaint, and I think in the facts as the ALJ found them, talked about the LimeWire software, providing that software – providing that file out, um, to anybody else who had that software.
And so, the question is is that if you're taking advantage of that, that software, is that hacking or not? Uh, it's something the court really doesn't get into and, um, I, I don't know that, uh, the FTC, uh…I would just say the court really get into that. And I don't think the ALJ really did either, so I'll just leave it there.
Mr. Scott Delacourt: Yeah, just, Tad, thank you for your question. And just to add to, to Neil's, uh, response, when the, the full Commission—or the Commission as it was constituted at the time—overturned the ALJ, um, in part it was that they, they found that the ALJ had, had I'm-, imposed what they believe—or applied what they believed—was the wrong standard. Um, so the ALJ found that there was no injury because there had been, um, no one outside of, um, Tiversa had accessed the data and there was no evidence of misuse. So there was no injury.
But the, um, the full Commission said that there is, uh, harm in unfairness under Section 5, even in the absence of an actual injury if the potential for injury is large even if the likelihood of injury is low. So it was this – uh, they adopted a, a potential injury standard and the idea was with a large number of patients' data having been exposed, even if the probability of there being misuse of that data was low, that was still, um, injury that was sufficient to give rise to unfairness under Section 5.
That was one of the issues raised in the 11th Circuit appeal, whether that was the correct standard, that again, the 11th Circuit did not respond to, um, sort of sidestepped. And it's the informational injury issue that is – the Commission has subsequently held a workshop on and that I think may well, uh, be the subject of continued activity, uh, under the new Commission. That's a, that's a live question that's out there is, you know, in a, in a case of pure informational injury where data is exposed but there's no evidence of injury resulting from that exposure, is there a cognizable harm that give-, gives rise to un-, enforcement under Section 5. And that's something that the 11th Circuit didn't answer.
Mr. Neil Chilson: Yeah, and I'll, I'll just tag in on that a little bit. Um, thanks for recapping the Commission's decision much better than I did, Scott. Um, there, you know, that sort of question about, uh, causes or likely to cause is straight from Section 5(n) of the FTC Act, where it describes, uh, uh, you know, it says that you cannot bring an unfairness action unless, uh, there's, uh, there was something that caused or was likely to cause a substantial injury. Uh, and then it goes through the rest of the test.
There is a lot of question about what that cause – or likely to cause, what those two prongs mean, um, of the, of Section 5(n). And unfortunately, um, you know, the, the LabMD decision doesn’t add much clarity on that, but I think that will be an ongoing, uh, question for sure.
Mr. Micah Wallen: Let's go to our next question. Uh, caller make sure your telephone is not on mute. Well, it appears that there is a connectivity issue with the caller so we will move on and there are no other questions in the queue. So, uh, before closing remarks, uh, Neil and Scott, uh, I wanted to ask some commentators say LabMD raises the bar to finding a Section 5 violation. But even the presence of substantial injury arising from a data breach may not be enough to find a violation. Uh, what exactly does, does that mean and do you think those, uh, do you think that analysis is fair?
Mr. Neil Chilson: Yeah, this is a conversation we were having earlier about the older test that has a public-policy prong as well as an injury prong. So the, the FTC since the unfairness statement has largely been focused on whether or not an, uh, an act or practice causes substantial injury that's not avoidable by the consumer and that is not outweighed by benefits to consumers or competition. That all sort of falls under the injury part of the old test, and this test, uh—the test set forth, uh, by the 11th Circuit—says, well, that part is, alone, is not really enough. That there also has to be a public policy against, uh, that, that this harm violated essentially.
And so, that's relatively new. I think I – that's, uh, uh, it's both new in that, uh, this is a new combination of the prongs from Sperry and Hutchinson. And it's also old because it's a throwback to, uh, uh, a prong of a much older test. And so, um, that's what they're talking about, uh, when, when they say that. And, uh, I think we've maybe talked that – talked about that piece of dicta in this conversation or possible dicta, um, quite a lot. So I won't really add more to that, but Scott, I don't know if you had any more to say.
Mr. Scott Delacourt: Sure. Just, just that, I, I think you're right that it's both old and new. I mean, when I was first initiated into this practice and learning the un-, unfairness, um, policy, um, you know, I had always l-, l-, learned that, that the, um, uh, injury was the whole ballgame as to whether there was a, um, a violation, and that, uh, the other elements, um, uh, whether it was against public policy and whether it was unethical and unscrupulous were essentially vestigial; that they were included in the original policy. But that if there were injury, it would be found that a conduct was against public policy and also unethical and unscrupulous. And this LabMD decision, um, suggests that, you know, the public policy prong may not be vestigial. There may be, um, some active requirements under that prong, um, that need to be considered going forward.
Mr. Micah Wallen: And with just a few minutes left we don't have any more questions on the line. So Neil and Scott, I'll give you both a chance for any closing remarks.
Mr. Neil Chilson: Well, I'll, I'll just say this is a fascinating case. Um, I think that it will have, uh, an impact. Um, it doesn't answer a lot of the big questions, uh, that will need to be answered either through further cases or if Congress steps in. Um, but I, I think we can expect to see some changes, uh, in FTC orders and in case selection, and, and, and, uh, it will be interesting to see how this develops going forward.
Um, I will say that there is a sort of potential – to the extent that the, the orders get more prescriptive, uh, due to that challen-, the challenge of writing a checkbox list of things that provide good data security, uh, I think we'll – you know, there are some, there's some potential for some unintended consequences in this space. Um, so, uh, you know, interesting decision and I think we'll have to see how it plays out.
Mr. Scott Delacourt: Yeah, I, I agree that it's an interesting decision that some of the big issues were not addressed by the court in its very, uh, narrow, narrow decision. And so, it will now fall to the new FTC to address them. It's a lega-, legally very rigorous group and conscious group, and I don't think that this will be just a speedbump. They'll, they'll take it seriously. Um, and they've got some hard work ahead of them because framing out what is, uh, reasonable data security, as Neil has said, is, is not, um, an easy exercise.
That said, I do think one, one thing we can expect to see going forward is for, for, um, this Federal Trade Commission to be less entrepreneurial with the Section 5 authorities. There have been, um, in the past some, some Commissions that, um, looked at Section 5 expansively with the idea of growing the FTC's jurisdiction in this space and asserting itself, um, as the lead privacy, privacy regulator among the federal agencies. And I don't, I don't think this group will see a need to en-, engage in that activity. I think they'll be looking, um, at the authorities with, um, more of a, a mind, uh, that's the law is a, is a constraint on them, and, and with a mind to being less entrepreneurial.
Mr. Micah Wallen: Thank you. And on behalf of the Federalist Society, I want to thank our experts for the benefit of their valuable time and expertise today. We welcome listener feedback by email at firstname.lastname@example.org. Thank you all for joining us. We are adjourned.
Operator: Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit the Federalist Society's website at fedsoc.org/multimedia.