On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...
25 May 2016
LabMD Rulings May Shed Future Light on “Reasonable” Data Security Practices
The FTC initiated the LabMD action by filing an administrative complaint against the company in August 2013, alleging that LabMD engaged in unfair trade practices in violation of Section 5 of the Federal Trade Commission Act by failing to utilize reasonable and appropriate data security measures. LabMD sought the deposition of a designee of the FTC Bureau of Consumer Protection on several topics, including “[a]ll data-security standards that have been used by the Bureau” to enforce Section 5. When the Bureau sought to prevent that deposition, the ALJ ruled that the deposition could take place, subject to the important limitation that LabMD could not inquire into the “legal standards” the FTC used or uses to judge whether a party’s data security practices comport with Section 5, or into the legal opinions or decision-making processes of the FTC regarding its enforcement standards. During the deposition of Daniel Kaufman, Deputy Director of the Bureau of Consumer Protection, agency attorneys cited this limitation in objecting to LabMD’s questions about the FTC’s data security standards. LabMD responded by filing a motion to compel the testimony of Mr. Kaufman, and the FTC filed a motion in limine to strike Mr. Kaufman as a trial witness.
The ALJ granted LabMD’s motion to compel, holding that discovery about what data security standards the FTC or the Bureau of Consumer Protection published and what data security standards the agency intended to rely on at trial to challenge LabMD’s practices was permissible. The ALJ also denied the FTC’s motion in limine. LabMD stated that it intended to question Mr. Kaufman about published or unpublished FTC data security standards as well as any guidelines that the FTC required entities like LabMD to adhere to. The ALJ determined that Mr. Kaufman possessed information relevant to the trial and that not all of his anticipated testimony would be clearly inadmissible.
The distinction the ALJ drew in these orders between the Bureau’s “legal standards” (off limits for questioning) and its “data security standards” (permissible for questioning) enables LabMD to probe into the central question of what data security practices are reasonable or unreasonable under Section 5. Having prevailed in much of the initial legal sparring over its authority to bring an enforcement action at all, the FTC will now have to divulge more about the standards to which it intends to hold LabMD at trial and its notice to companies about those standards. The FTC’s responses to this questioning, to the extent they are revealed publicly, will be closely scrutinized, both by the participants in the ongoing Wyndham data security action proceeding in federal district court, and by all companies concerned with developing data security practices that can satisfy federal scrutiny.