Header graphic for print
TMT Perspectives Insight & Commentary on Business, Legal and Policy Developments Affecting the Telecom, Media, and Technology Sectors

FTC Asserts Jurisdiction over Privacy in Unusual Case

Posted in FTC, Lawsuits, Privacy and Data Security

ThinkstockPhotos-517343725What is the FTC’s jurisdiction over privacy?

That is one of the most important—and overlooked— issues in Washington, DC today.

The reason it is so important is because privacy issues can arise for almost any business engaged in electronic commerce. And if the FTC has jurisdiction over privacy generally— on the theory that failure to protect privacy is “an unfair or deceptive” practice, then the FTC potentially has jurisdiction over all electronic commerce without any formal rules to constrain FTC enforcement actions.

In other words, in the absence of clearly ascertainable ex ante privacy regulations, a “we know a violation when we see it” standard would apply. This is an invitation to arbitrary government adjudication, never a good thing.

An Unusual Alliance. A case in point is a suit brought by the FTC against LabMD, a small cancer diagnostic business, now mostly defunct except for clean-up operations out of the owner’s condo. Although the litigation is ongoing, it appears that in 2008 the FTC was concerned about privacy and peer-to-peer (PTP) networks. At about that time a private company, Tiversa, took a LabMD file containing information on 9,300 patients. The file was on a LabMD’s employee’s computer. Unfortunately this single employee had a PTP application running on her computer which enabled Tiversa to access the computer, in violation of LabMD policies and inspection practices.

Once Tiversa took the file, it approached LabMD to sell a Tiversa security product. According to testimony, Tiversa gave LabMD the option of either purchasing a Tiversa data security solution or “face the music.” LabMD declined, and Tiversa brought the matter to the FTC.

Making this all worse, at the time Tiversa was advising the FTC on certain privacy issues. While this might make it look like a staged job, when Tiversa took the file, it was not, in fact, acting on behalf of the FTC.

The Legal Issue. In business, leverage is used, and it sounds like it was used here, possibly with the FTC being an unwitting accomplice. But as noted above, what is most interesting here is the jurisdictional angle. What is the FTC’s jurisdiction here given that the FTC doesn’t have rules specifying data security standards and that aside from Tiversa’s actions, there was no general data breach and therefore no complaints from the LabMD patients? Notably, the FTC is not alleging a HIPPA violation and it appears LabMD had HIPPA appropriate encryption.

The FTC’s answer to that question is Section 5 of the FTC Act. That section provides simply that “unfair or deceptive acts or practices in or affecting commerce…are…declared unlawful.” See this brief FTC overview at Section II.

But which of LabMD’s actions or inactions violate Section 5? And would LabMD, with its generally secure operations, have reason to believe that it had violated Section 5, or have any reason to be concerned about the enforcement power of the FTC?

Given that there was no general data breach, one would presume that LabMD’s behavior does not justify shutting down an otherwise viable business, yet that is seemingly the effect of the FTC’s lawsuit. So why would the FTC bring this particular suit?

Why this Suit? Presumably, there are some good reasons why the FTC first focused on LabMD. However, a cynic might say that a powerful federal agency only prosecutes a suit for six years against a generally non-offending and relatively weak company where no harm occurred because the agency wants something. And in this case, it looks very much like the FTC desires precedent to support extending its jurisdiction over privacy under the very general Section 5 standards.

“Affecting Competition.” This case is also interesting because it is hard to understand how LabMD’s mistake “affected competition,” which is the touchstone of Section 5. Is the FTC articulating a new standard that every business mistake is an “offense against competition”?

Would the FTC’s position mean that every security update, such as this one by Cisco, is an admission of a violation of Section 5? And if not, then why not?

And if lack of data privacy and security is itself an “unfair competition” offense under Section 5, it would appear that much of the mobile telecommunications network and equipment suppliers are in violation, at least according to this Alcatel Lucent report.

On balance, it appears that the FTC has chosen an unfortunate enforcement action, one that does not further the public interest.

The FTC Staff’s August 12, 2015 post-trial brief and LabMD’s September 4, 2015 post trial briefs (LabMD pleadings) provide a good sense of the issues being litigated.