Unreasonable and (Effectively) Unreviewable: A Call for Congress to Clarify the FTC's Data Security Enforcement Authority

2020 
Since 1995, the FTC has used its jurisdiction to police “unfair or deceptive acts or practices” to force companies to adopt data security measures to protect consumer data. However, the FTC’s authority in the data security enforcement context came under scrutiny in LabMD, Inc. v. FTC, a 2018 Eleventh Circuit decision that invalidated the FTC’s attempted enforcement action against LabMD, a medical laboratory that suffered a data breach exposing patient records. Finding that the FTC’s proposed consent order “commanded LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness,” the court held that the FTC could not enforce its order. Specifically, the court cited as the reasons for its decision the lack of specificity about what data security measures LabMD had failed to take prior to the breach and would be ordered to take if the company agreed to the consent order. For the FTC, LabMD represented a significant defeat. Prior to the decision, the FTC had used its authority under the “unfairness” prong of Federal Trade Commission Act Section 5 to bring cases against companies for failing to adopt what the Commission considers “reasonable” data security measures, without any additional specificity. The LabMD decision therefore called into question the FTC’s entire data security enforcement practice. In December 2018, the agency held a rare public hearing on the topic, and FTC Chairman Joseph Simons asked Congress for “targeted rule-making authority” in the data security context governed by “clear and specific rules.” However, following California’s passage of a data privacy law last year and the implementation of the GDPR in the European Union, the current focus in Congress is on data privacy — “user[] . . . control over how businesses collect, use, and share their information” — and not data security — “prevent[ing] unauthorized parties from accessing, altering, or rendering unavailable [consumers’] data.” As a result, regulated parties — really any business operating online or using electronic records — are likely to continue to face the risk of FTC data security enforcement actions without clarified standards. This Comment argues that regulated parties lack adequate notice of what the FTC considers “reasonable” data security practices given the realities of the FTC’s current enforcement mechanisms, and that Congress should provide clearer data security standards as part of a larger privacy bill this year. Absent congressional action, regulated parties should begin commenting on the FTC’s complaints, orders, and consent decrees to force the Commission’s data security staff to clarify what “reasonable” data security practices entail. Part I discusses the FTC’s current data security enforcement practices and the LabMD decision that called them into question. Part II identifies the problem with the current approach. Part III provides two potential solutions, one involving congressional action and one involving congressional inaction, to give regulated parties notice of what “reasonable” data security means.