Abstract

The Federal Trade Commission (FTC) plays a large role in the cybersecurity world by enforcing specific statutes, such as HIPAA, COPPA, and FCRA, and, more generally, by using its authority under the Federal Trade Commission Act to penalize companies that allow data breaches. Recently, however, businesses have begun to push back, contesting the FTC’s authority to police information security. In FTC v. LabMD, Inc., a company under FTC investigation for an alleged data breach challenged the FTC’s ability to issue an administrative subpoena. LabMD indirectly disputed the FTC’s role in information security and its use of the unfairness category of the FTC Act as a basis of enforcement in data breach cases. The district court ultimately found that the FTC made a plausible case for its authority, but based its holding on the weight of precedent surrounding the FTC’s general use of the FTC Act in information security cases. Thus, the FTC’s reliance on the FTC Act is currently permitted, but could be challenged in the future. LabMD’s challenge of the FTC’s authority was significant, however, because there is no legislative or executive action on privacy, so the FTC’s guidance, best practices, and enforcement set the de facto “privacy law.” As the FTC casts an increasingly wide net with or without congressional or executive action on data security, the future of the FTC Act’s scope in this area is uncertain.
