In a case that fundamentally challenges the Federal Trade Commission’s ability to regulate data security, the Commission has denied a motion to dismiss its own complaint against a cancer-detection laboratory LabMD for alleged data security failures. Given that the FTC has filed and settled dozens of data security actions over the last decade, the FTC’s decision was no surprise, but it is notable for its clear articulation of the FTC’s theory of its authority to bring such actions.
LabMD came to the FTC’s attention after a LabMD patient information file became available for download on the peer-to-peer network LimeWire. After settlement discussions failed, the FTC filed an administrative complaint against LabMD, alleging that its data security practices violated the prohibition against unfair trade practices found in Section 5 of the FTC Act. This provision prohibits an unfair trade practice that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.”
In the ensuing groundbreaking litigation, LabMD has been aggressively fighting back. Among a variety of other procedural maneuvers, LabMD filed a motion to dismiss the FTC’s complaint, arguing that the FTC lacked authority under Section 5 to bring data security enforcement actions in general, and against entities such as LabMD that are regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) in particular.
The FTC’s stated reasons for denying the motion include the following:
- The FTC has authority to adjudicate whether data security practices are “unfair” within the meaning of Section 5.
- Congress granted the FTC broad authority to regulate unfair practices, and the FTC’s authority to regulate a particular kind of unfairness does not depend on whether Congress specifically authorized the FTC to regulate it.
- The FTC has consistently affirmed its authority to regulate data security.
- The FTC has authority to bring unfairness claims even without having issued regulations that define specific rules (such as detailed data security regulations), and this lack of prior regulation does not violate LabMD’s due process rights.
- The fact that LabMD is covered by HIPAA does not shield it from its obligation under the FTC Act to refrain from unfair data security practices.