As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.
The FTC’s Final Order was viewed as a significant development in privacy law because the FTC concluded a “substantial injury” existed – and sanctions were appropriate – without any evidence of actual economic harm or physical injury, or any actual health or safety risks as a result of the data security breach. However, according to the 11th Circuit, the FTC’s conclusions raise “a serious legal question” justifying a stay pending resolution of the appeal for several reasons. First, the appeals court stated, “it is not clear that a reasonable interpretation of §45(n) includes intangible harms like those that the FTC found.” Second, it is not clear it was reasonable for the FTC to conclude that the data breach was “likely to cause substantial injury to consumers” in light of the actual scope of the breach and resulting “disclosure”. Third, the court concluded that the costs of complying with the FTC’s Final Order would cause LabMD irreparable injury because, if LabMD ultimately prevailed on appeal, the costs of compliance could not be recovered later given the FTC’s sovereign immunity. Finally, the court concluded that there would be no injury to other parties as a result of the stay.
While the 11th Circuit’s recent opinion is not the final word from the court on the various issues presented by LabMD’s appeal on the merits, it is clear that the court has some doubt as to whether the FTC was within its authority to enforce the FTC Act based upon perceived “intangible harms” and a low likelihood of any future harm. Stay tuned to this blog for future developments.