Growing Regulation Powers Force Companies to Be Proactive
As previously reported, the Federal Trade Commission (FTC) found LabMD’s data security practices to be an unfair practice that violated federal consumer laws. It marked one of the first times that the FTC has ruled on the harm to consumers (the focus of the FTC) caused by improper data security measures. However, the arguably novel ruling brings up larger questions of its authority to prosecute data security claims and the growing regulation powers of federal agencies over everyday business dealings.
The FTC’s Ability to Enforce Reasonable Data Security Practices
In its brief to stop the effect of the FTC’s Final Order, LabMD primarily argued that the FTC did not have authority to consider medical privacy and data security issues as “unfair and deceptive acts” because it wasn’t the FTC’s traditional field of expertise. The FTC found, however, that Congress gave it the authority to decide which practices should be condemned as “unfair” and found that “substantial injury to consumers” was imminent through LabMD’s lack of cyber security practices.
Despite losing and being out of business, LabMD is allegedly still fighting because “the FTC could use the LabMD decision as authority to investigate other U.S. businesses’ data-security practices . . . at any time (even without a breach, with or without evidence of actual harm),” according to Modern Healthcare. The reality is more nuanced, as the lack of actual injury could run afoul of Spokeo, Inc. v. Robins, in which the US Supreme Court held that a lawsuit requires an injury that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”
Additionally, the Consumer Financial Protection Bureau (CFPB) is taking its own action against companies that misrepresent their data security practices to the public. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
LabMD’s appeal to the federal circuit court is imminent. However, the standard for overturning an executive agency’s determination is generally quite high. Short of LabMD proving it was denied the due process of law, an unlikely outcome since Congress has directed the FTC to handle certain data privacy issues and LabMD had hearings on its matter, judicial review of an agency’s determination is usually limited to findings of “arbitrary” or “capricious” decisions or those that exceed statutory authority. This means it would be an uphill battle for LabMD to get the FTC’s Final Order overturned.
Training As a Way to Mitigate Increased Agency Power
LabMD’s cries of overbreadth bring up two important issues for organizations.
First, the power of agencies is quite broad. While executive agencies have to act within the power granted to them by Congress, they enjoy considerable authority to prosecute legal claims. For example, the Equal Employment Opportunity Commission (EEOC) settled a historic sexual orientation discrimination lawsuit despite no explicit mention of sexual orientation in Title VII of the Civil Rights Act, the federal employment anti-discrimination law. And according to the American Bar Association, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are ramping up their FCPA enforcement through increased enforcement staff and a higher volume of cases, respectively. The pervasive legitimacy of agencies and increased enforcement efforts make regulatory oversight an imperative for any organization.
Second, the law does not always catch up with organizational best practices. In the data security realm, businesses cannot rely on courts to regulate employees’ use (or misuse) of sensitive, confidential information, despite insider negligence being the leading cause of data loss for organizations. More broadly, we are seeing an emphasis on better compliance programs where behavior, everyday tasks, and business strategy are aligned with compliance objectives (aka compliance culture). Going beyond check-the-box compliance is good risk management.
The DOJ, EEOC, and FTC have all recommended training as one way for companies to effectuate compliance with law and policy. In the same way that these federal agencies are going beyond the black letter law to address modern problems, online compliance training needs to do the same. LawRoom provides effective online compliance training on sexual harassment, FCPA, HIPAA, and data security to thousands of companies and universities. To learn more, visit us here: LawRoom.com.