In the rapidly-evolving world of privacy law, does the Federal Trade Commission (FTC) giveth while courts taketh away? The 11th Circuit Court of Appeals issued a stay of enforcement of the FTC’s Final Order regarding LabMD (now defunct,) on November 10, 2016.
The FTC’s Final Order gained considerable attention when it was issued this past August for its holding that the mere unauthorized release of sensitive personal information such as medical data could constitute a substantial likelihood of harm so that jurisdiction was conferred on the FTC under Section 45(n) of the FTC Act which states that “an act or practice is unfair if it causes or is likely to cause substantial injury to consumers.” An FTC Administrative Law Judge had dismissed the proceeding against LabMd for release of thousands of patients’ identifying information, holding that there had been no showing of concrete injury as a result of the release.
The ruling was appealed and the FTC reversed, holding that “the sole fact of the unauthorized disclosure constituted actual harm,” in that the affected consumers had suffered a “privacy harm” that was also “likely to cause substantial injury.” The FTC, in its Final Order, directed that LabMd undertake a number of remediation actions and provide notice to affected consumers. Lab MD appealed the 11th Circuit.
The court, granting a stay of enforcement pending appeal, was troubled by the FTC’s interpretation of likelihood of substantial injury by virtue of a “privacy harm.” One prong of the standard for granting a stay is “strong showing” of likelihood of success on the merits, and it is here that privacy specialists may be troubled by a potential retrenchment in privacy enforcement. In finding that LabMD has a strong argument, the court noted “there are compelling reasons why the FTC’s interpretation may not be reasonable,” in that the “substantial likelihood of injury” standard in the text of the FTC Act sets a higher bar for likelihood of harm from a disclosure of sensitive information than that set by the FTC in its Final Order.
While the 11th Circuit decision was not a final order on the merits, the likelihood of success standard and the court’s language favorable to LabMD does not auger well for the FTC’s expansive interpretation of its privacy mandate. The FTC has recently announced it will consider health information breaches as within its jurisdiction, effectively providing parallel HIPAA enforcement along with the Office of Civil Rights of the Department of Health and Human Services. Whether the 11th Circuit decision is a harbinger of how the courts will view the FTC’s enhanced privacy regulation in 2017 cannot be determined here, but it highlights the unsettled nature of privacy laws in the absence of national legislation and in the run-up to a change at the top of the FTC.
If you have questions regarding or require assistance with privacy compliance, please contact Kenneth N. Rashbaum.