Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Labmd, Inc. v. Federal Trade Commission

United States Court of Appeals, Eleventh Circuit

June 6, 2018

LABMD, INC., Petitioner,
v.
FEDERAL TRADE COMMISSION, Respondent.

          Petition for Review of a Decision of the Federal Trade Commission Agency No. 9357

          Before TJOFLAT and WILSON, Circuit Judges, and ROBRENO, [*] District Judge.

          OFLAT, Circuit Judge:

         This is an enforcement action brought by the Federal Trade Commission ("FTC" or "Commission") against LabMD, Inc., alleging that LabMD's data-security program was inadequate and thus constituted an "unfair act or practice" under Section 5(a) of the Federal Trade Commission Act (the "FTC Act" or "Act"), 15 U.S.C. § 45(a).[1] Following a trial before an administrative law judge ("ALJ"), the Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures. LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.[2]

         I.

         A.

         LabMD is a now-defunct medical laboratory that previously conducted diagnostic testing for cancer.[3] It used medical specimen samples, along with relevant patient information, to provide physicians with diagnoses. Given the nature of its work, LabMD was subject to data-security regulations issued under the Health Insurance Portability and Accountability Act of 1996, known colloquially as HIPAA. LabMD employed a data-security program in an effort to comply with those regulations.[4]

         Sometime in 2005, contrary to LabMD policy, a peer-to-peer file-sharing application called LimeWire was installed on a computer used by LabMD's billing manager.[5] LimeWire is an application commonly used for sharing and downloading music and videos over the Internet. It connects to the "Gnutella" network, which during the relevant period had two to five million people logged in at any given time. Those using LimeWire and connected to the Gnutella network can browse directories and download files that other users on the network designate for sharing. The billing manager designated the contents of the "My Documents" folder on her computer for sharing, exposing the contents to the other users. Between July 2007 and May 2008, this folder contained a 1, 718-page file (the "1718 File") with the personal information of 9, 300 consumers, including names, dates of birth, social security numbers, laboratory test codes, and, for some, health insurance company names, addresses, and policy numbers.

         In February 2008, Tiversa Holding Corporation, an entity specializing in data security, used LimeWire to download the 1718 File. Tiversa began contacting LabMD months later, offering to sell its remediation services to LabMD.[6] LabMD refused Tiversa's services and removed LimeWire from the billing manager's computer. Tiversa's solicitations stopped in July 2008, after LabMD instructed Tiversa to direct any further communications to LabMD's lawyer. In 2009, Tiversa arranged for the delivery of the 1718 File to the FTC.[7]

         B.

         In August 2013, the Commission, following an extensive investigation, issued an administrative complaint against LabMD and assigned an ALJ to the case. The complaint alleged that LabMD had committed an "unfair act or practice" prohibited by Section 5(a) by "engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks." Rather than allege specific acts or practices that LabMD engaged in, however, the FTC's complaint set forth a number of data-security measures that LabMD failed to perform.[8] LabMD answered the complaint, denying it had engaged in the conduct alleged and asserting several affirmative defenses, among them that the Commission lacked authority under Section 5 of the Act to regulate its handling of the personal information in its computer networks.

         After answering the FTC's complaint, LabMD filed a motion to dismiss it for failure to state a case cognizable under Section 5. The motion essentially replicated the assertions in LabMD's answer. Under the FTC's Rules of Practice, the Commission, rather than the ALJ, ruled on the motion to dismiss. The Commission denied the motion, concluding that it had authority under Section 5(a) to prosecute the charge of unfairness asserted in its complaint. LabMD, Inc., 2014-1 Trade Cases P 78784 (F.T.C.) (Jan. 16, 2014).

         Following discovery, LabMD filed a motion for summary judgment, presenting arguments similar to those made in support of its motion to dismiss. As before, the motion was submitted to the Commission to decide. It denied the motion on the ground that there were genuine factual disputes relating to LabMD's liability "for engaging in unfair acts or practices in violation of Section 5(a), " necessitating an evidentiary hearing. LabMD, Inc., 2014-1 Trade Cases P 78785 (F.T.C.), at *1 (May 19, 2014) (quotations omitted). An evidentiary hearing was held before the ALJ in July 2015.[9]

         After considering the parties' submissions, the ALJ dismissed the FTC's complaint, concluding that the FTC failed to prove that LabMD had committed unfair acts or practices in neglecting to provide adequate security for the personal information lodged in its computer networks. Namely, the FTC failed to prove that LabMD's "alleged failure to employ reasonable data security . . . caused or is likely to cause substantial injury to consumers, " as required by Section 5(n) of the Act, 15 U.S.C. § 45(n).[10] Because there was no substantial injury or likelihood thereof, there could be no unfair act or practice.

         The FTC appealed the ALJ's decision, which under 16 C.F.R. § 3.52 brought the decision before the full Commission for review. In July 2016, reviewing the ALJ's findings of fact and conclusions of law de novo, see id. § 3.54, the FTC reversed the ALJ's decision.

         The FTC first found that LabMD "failed to implement reasonable security measures to protect the sensitive consumer information on its computer network." Therefore, LabMD's "data security practices were unfair under Section 5." In particular, LabMD failed to adequately secure its computer network, employ suitable risk-assessment tools, provide data-security training to its employees, and adequately restrict and monitor the computer practices of those using its network. Because of these deficiencies, the Commission continued, LimeWire was able to be installed on the LabMD billing manager's computer, and Tiversa was ultimately able to download the 1718 File. The Commission then held that, contrary to the ALJ's decision, the evidence showed that Section 5(n)'s "substantial injury" prong was met in two ways: the unauthorized disclosure of the 1718 File itself caused intangible privacy harm, and the mere exposure of the 1718 File on LimeWire was likely to cause substantial injury. The FTC went on to conclude that Section 5(n)'s other requirements were also met.[11]

         Next, the Commission addressed and rejected LabMD's arguments that Section 5(a)'s "unfairness" standard-which, according to the Commission, is a reasonableness standard-is void for vagueness and that the Commission failed to provide fair notice of what data-security practices were adequate under Section 5(a). The FTC then entered an order vacating the ALJ's decision and enjoining LabMD to install a data-security program that comported with the FTC's standard of reasonableness. See generally Appendix. The order is to terminate on either July 28, 2036, or twenty years "from the most recent date that the [FTC] files a complaint . . . in federal court alleging any violation of the order, whichever comes later." Id. at 6.

         C.

         LabMD petitioned this Court to review the FTC's decision. LabMD then moved to stay enforcement of the FTC's cease and desist order pending review, arguing that compliance with the order was unfeasible given LabMD's defunct status and de minimis assets. After an FTC response urging against the stay, we granted LabMD's motion. LabMD, Inc. v. FTC, 678 Fed.Appx. 816 (11th Cir. 2016).

         II.

         Now, LabMD argues that the Commission's cease and desist order is unenforceable because the order does not direct it to cease committing an unfair "act or practice" within the meaning of Section 5(a).[12] We review the FTC's legal conclusions de novo but give "some deference to [its] informed judgment that a particular commercial practice is to be condemned as 'unfair.'" FTC v. Ind. Fed'n of Dentists, 476 U.S. 447, 454, 106 S.Ct. 2009, 2016 (1986). We review the FTC's findings of facts under the "substantial evidence" standard, McWane, Inc. v. FTC, 783 F.3d 814, 824 (11th Cir. 2015), which requires "more than a mere scintilla" of evidence "but less than a preponderance, " Dyer v. Barnhart, 395 F.3d 1206, 1210 (11th Cir. 2005).

         A.

         Section 5(a) of the FTC Act authorizes the FTC to protect consumers by "prevent[ing] persons, partnerships, or corporations . . . from using unfair . . . acts or practices in or affecting commerce." The Act does not define the term "unfair." The provision's history, however, elucidates the term's meaning.

         The FTC Act, passed in 1914, created the FTC and gave it power to prohibit "unfair methods of competition."[13] Rather than list "the particular practices to which [unfairness] was intended to apply, " Congress "intentionally left development of the term 'unfair' to the Commission" through case-by-case litigation[14]-though, at the time of the FTC Act's inception, the FTC's primary mission was understood to be the enforcement of antitrust law.[15] In 1938, the Act was amended to provide that the FTC had authority to prohibit "unfair . . . acts or practices."[16] This amendment sought to clarify that the FTC's authority applied not only to competitors but, importantly, also to consumers.[17] Hence, the FTC possesses "unfairness authority" to prohibit and prosecute unfair acts or practices harmful to consumers.

         In 1964, the FTC set forth three factors to consider in deciding whether to wield its unfairness authority. The FTC was to consider whether an act or practice (1) caused consumers, competitors, or other businesses substantial injury; (2) offended public policy as established by statute, the common law, or otherwise; and (3) was immoral, unethical, or unscrupulous.[18] The Supreme Court cited these factors with apparent approval in dicta in the 1972 case FTC v. Sperry & Hutchinson, 405 U.S. 233, 244 n.5, 92 S.Ct. 898, 905 n.5 (1972).

         "Emboldened" by Sperry & Hutchinson's dicta, "the Commission set forth to test the limits of the unfairness doctrine."[19] This effort peaked in a 1978 attempt to "use unfairness to ban all advertising directed to children on the grounds that it was 'immoral, unscrupulous, and unethical' and based on generalized public policies to protect children."[20] Congress and much of the public disapproved.[21] Congressional backlash included refusing to fund the FTC, thus shutting it down for several days, and passing legislation that prevented the FTC from using its unfairness authority to promulgate rules that restrict children's advertising.[22]

         Following this episode, the Commission wrote a unanimous letter to two senators in 1980[23] placing gloss on the three 1964 unfairness factors that were recognized in Sperry & Hutchinson. As to the first factor, consumer injury, the FTC laid out a separate three-part test defining a qualifying injury. These consumer-injury factors would later be codified in Section 5(n). The FTC stated that to warrant a finding of unfairness, an injury "[1] must be substantial; [2] it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and [3] it must be an injury that consumers themselves could not reasonably have avoided."

         As to the second 1964 unfairness factor, public policy, the FTC specified that the policies relied upon "should be clear and well-established"-that is, "declared or embodied in formal sources such as statutes, judicial decisions, or the Constitution as interpreted by the courts, rather than being ascertained from the general sense of the national values." Put another way, an act or practice's "unfairness" must be grounded in statute, judicial decisions-i.e., the common law-or the Constitution. An act or practice that causes substantial injury but lacks such grounding is not unfair within Section 5(a)'s meaning.[24] Finally, the FTC stated that it was nixing the third 1964 unfairness factor-whether a practice is immoral, unethical, or unscrupulous-because it was "largely duplicative" of the first two. Thus, an "unfair" act or practice is one which meets the consumer-injury factors listed above and is grounded in well-established legal policy.

         B.

         Here, the FTC's complaint alleges that LimeWire was installed on the computer used by LabMD's billing manager. This installation was contrary to company policy.[25] The complaint then alleges that LimeWire's installation caused the 1718 File, which consisted of consumers' personal information, to be exposed. The 1718 File's exposure caused consumers injury by infringing upon their right of privacy. Thus, the complaint alleges that LimeWire was installed in defiance of LabMD policy and caused the alleged consumer injury. Had the complaint stopped there, a narrowly drawn and easily enforceable order might have followed, commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers.

         But the complaint continues past this single allegation of wrongdoing, adding that LimeWire's installation was not the only conduct that caused the 1718 File to be exposed. It also alleges broadly that LabMD "engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks." The complaint then provides a litany of security measures that LabMD failed to employ, each setting out in general terms a deficiency in LabMD's data-security protocol.[26] Because LabMD failed to employ these measures, the Commission's theory goes, LimeWire was able to be installed on the billing manager's computer. LabMD's policy forbidding employees from installing programs like LimeWire was insufficient.

         The FTC's complaint, therefore, uses LimeWire's installation, and the 1718 File's exposure, as an entry point to broadly allege that LabMD's data-security operations are deficient as a whole. Aside from the installation of LimeWire on a company computer, the complaint alleges no specific unfair acts or practices engaged in by LabMD. Rather, it was LabMD's multiple, unspecified failures to act in creating and operating its data-security program that amounted to an unfair act or practice.[27] Given the breadth of these failures, the Commission attached to its complaint a proposed order which would regulate all aspects of LabMD's data-security program-sweeping prophylactic measures to collectively reduce the possibility of employees installing unauthorized programs on their computers and thus exposing consumer information. The proposed cease and desist order, which is identical in all relevant respects to the order the FTC ultimately issued, identifies no specific unfair acts or practices from which LabMD must abstain and instead requires LabMD to implement and maintain a data-security program "reasonably designed" to the Commission's satisfaction. See generally Appendix.

         The decision on which the FTC based its final cease and desist order exhibits more of the same. The FTC found that LabMD "failed to implement reasonable security measures to protect the sensitive consumer information on its computer network" and that the failure caused substantial consumer injury. In effect, the decision held that LabMD's failure to act in various ways to protect consumer data rendered its entire data-security operation an unfair act or practice. The broad cease and desist order now at issue, according to the Commission, was therefore justified.

         The first question LabMD's petition for review presents is whether LabMD's failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice within the ambit of Section 5(a). The FTC declared that it did because such failure caused substantial injury to consumers' right of privacy, and it issued a cease and desist order to avoid further injury.

         The Commission must find the standards of unfairness it enforces in "clear and well-established" policies that are expressed in the Constitution, statutes, or the common law.[28] The Commission's decision in this case does not explicitly cite the source of the standard of unfairness it used in holding that LabMD's failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice. It is apparent to us, though, that the source is the common law of negligence. According to the Restatement (Second) of Torts § 281 (Am. Law Inst. 1965), Statement of the Elements of a Cause of Action for Negligence,

[an] actor is liable for an invasion of an interest of another, if:
(a) the interest invaded is protected against unintentional invasion, and
(b) the conduct of the actor is negligent with respect to the other, or a class of persons within which [the other] is included, and
(c) the actor's conduct is a legal cause of the invasion, and
(d) the other has not so conducted himself as to disable himself from bringing an action for such invasion.

         The gist of the Commission's complaint and its decision is this: The consumers' right of privacy is protected against unintentional invasion. LabMD unintentionally invaded their right, and its deficient data-security program was a legal cause. Section 5(a) empowers the Commission to "prevent persons, partnerships, or corporations . . . from using unfair . . . acts or practices." The law of negligence, the Commission's action implies, is a source that provides standards for determining whether an act or practice is unfair, so a person, partnership, or corporation that negligently infringes a consumer interest protected ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.