By Leslie Gordon
Suppose a medical testing company posts a file containing the information of 9,300 patients on a file sharing network and neglects to give notice to the patients. What if the firm learns that the file is available on the network and does nothing about it for a year? Have those patients been injured, such that federal consumer protection authorities should be able to intervene?
In an amicus brief filed by Berkeley Law Professors Deirdre K. Mulligan, Chris Hoofnagle and Kenneth Bamberger, the trio argued that the Federal Trade Commission (FTC) has the power to police data security in these kinds of situations.
The friend-of-the-court brief was filed with the U.S. 11th Circuit Court of Appeals in LabMD, Inc. v. Federal Trade Commission. In it, they and other privacy and security scholars explained why Congress gave the FTC broad flexible authority to respond to evolving threats in the marketplace—and the importance of FTC investigations in spurring improved corporate attention to secure consumers’ personal information.
In the case, the FTC had determined that LabMD’s lack of security protections resulted in the release of sensitive information, thereby causing “substantial injury” to consumers in violation of the FTC Act’s “unfairness” prong. LabMD argued that the agency exceeded its authority.
Written in conjunction with Nicholas Diamand and Lara Heiman, lawyers at Lieff Cabraser Heimann & Bernstein, the professors’ brief asserts that the types of injury at issue fall squarely within the preventative enforcement power that Congress granted the FTC.
Agency under fire
“This case is one in a series of challenges to the FTC’s authority,” said Hoofnagle, whose recent book Federal Trade Commission Privacy Law and Policy is considered a seminal work on the agency’s consumer protection mission. “There’s a faction of the corporate community arguing that ‘substantial injury’ is solely about economic harm. But what about breach of confidentiality, or the harm of embarrassment or fear? These are real harms that flow from a medical testing lab with inadequate security.”
If people fear their embarrassing condition could be made public, Hoofnagle noted, “the ‘substantial injury’ might be a chilling effect: someone may not get screened or treated. If people lose trust in the ability of testing labs to appropriately care for sensitive health information, they may avoid or delay seeking treatment. This harms the individual and society, which faces higher medical costs, loss of participation in the workforce, and, if it’s a communicable disease, danger to public health.”
Hoofnagle added that the case reflects a libertarian war on the administrative state. “Many in the tech industry are desperate to weaken the FTC’s ‘unfairness’ authority because it can be used to set standards for product quality—one element of which is security,” he said.
In effect, Hoofnagle explained, some in industry want to “foist a 19th-century regulatory regime upon 21st-century technologies. The result will be a disaster for security and privacy, which are poorly regulated by price.”
Also at issue in the LabMD case: whether the FTC must articulate specific one-size-fits-all measures that all companies must implement, or simply require companies to adopt “reasonable” data security measures—the approach the agency has long taken.
Bamberger believes this is important for two reasons. “First, because companies are very different from one another and the privacy and security risks are different, one-size-fits-all rules may not be appropriate or effective across the board,” he explained. “Second, in a world of fast-changing technology and business models, what’s reasonable and necessary to protect consumers will change.”
Keeping pace with new challenges
Bamberger and Mulligan’s recent book, Privacy on the Ground, presented empirical research exploring the ways that the FTC’s approach has spurred companies to adopt privacy-protective measures that change over time to meet new technological and social challenges. “Regulators who follow a one-size-fits-all approach have been less successful,” Bamberger notes.
According to Mulligan, the FTC’s current model is a leading factor in companies hiring privacy and security specialists who develop processes to manage personal information as if it were an asset—and a risk if mishandled. A specific, regulator-prescribed set of rules, she said, is anathema to the way professionals approach security.
“The FTC’s approach is designed to encourage companies to stay abreast of security risks,” Mulligan contended. “Security methods should evolve as companies respond to emerging threats rather than yesterday’s problems because security is a process, not a checklist.”
Given the difficulty in proving that a specific security breach led to specific harm, “the FTC’s authority is exceedingly important,” Mulligan said. “Usually you have to wait until you’re injured. But Congress gave the FTC specific authority to proactively protect consumers because personal health information, just like tax returns and financial documents, is vulnerable to identity theft and other harms.”