Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016

by Associate Breana Jeter

The end of 2015 represented a mixed bag for the Federal Trade Commission on privacy enforcement.  In November, the FTC’s Chief Administrative Law Judge dismissed the FTC’s complaint against LabMD for a possible data breach of 1,718 patients’ insurance claim information.  The patients’ sensitive information was discovered on peer-to-peer software by a data security company seeking to sell its services to LabMD.  While LabMD maintained that the patients’ information never left the company’s network and that there was no actual breach, the FTC proceeded with its lawsuit on the grounds that LabMD’s security practices were so unreasonable as to likely cause substantial consumer harm.  The ALJ, however, sided with LabMD, dismissing the complaint because there was no evidence of consumer harm, only speculation by the FTC that an unspecified harm may occur in the future.  The ALJ rejected the FTC’s argument that liability can be imposed based solely on the risk of data breach; according to the ALJ, “[f]undamental fairness dictates that proof of likely substantial consumer injury under Section 5(a) requires proof of something more than an unspecified and hypothetical ‘risk’ of future harm, as has been submitted in this case.”  The FTC is appealing the decision.

In December, however, Wyndham Hotels and Resorts agreed to settle the FTC’s enforcement action, which alleged that Wyndham’s inadequate data security measures “unfairly” exposed consumers’ payment card information to three separate data breaches between 2008 and 2010.  We previously wrote about the enforcement action here.  As a refresher, in Wyndham the FTC relied on Section 5(a) of the FTC Act as its authority for enforcement actions; the statute provides that “unfair or deceptive acts or practices in or affecting commerce…are…declared unlawful.”  According to the FTC, Wyndham’s deficient security practices, including the failure to use readily available security measures such as firewalls and encryption, allegedly caused “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”  Although Wyndham made valiant attempts at challenging the FTC’s authority to bring enforcement actions over data security breaches under Section 5(a), the District of NJ and the Third Circuit disagreed and allowed the lawsuit to proceed.  In that sense, the Wyndham case represents a tremendous victory for the FTC.  As Chairwoman Edith Ramirez proclaimed after the entry of the settlement, “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security.  Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

The dismissal of the LabMD matter, on the other hand, may represent a figurative bee in the Chairwoman’s bonnet, particularly with respect to consumer harm.  In reality, the facts of LabMD differ starkly from the facts of Wyndham, where a massive breach resulted in over 10 billion in fraudulent charges on many consumers’ accounts.  Nevertheless, the LabMD decision is significant because it appears to place a higher burden on the FTC to prevail in unfairness claims.

Regardless, companies should not expect the FTC to discontinue its vigilant efforts under Section 5 of the FTC Act against companies with inadequate data security measures, and should not expect leniency for failure to adhere to those standards.  While the LabMD dismissal should make companies more bullish in negotiating with the FTC in cases where there is no actual harm to consumers, at the end of the day, 2016 does not appear to be the year in which the FTC will slow down its pursuit of companies with data security failures that lead to consumer data breaches.  Commissioner Julie Brill’s comments at PrivacyCon last Thursday (see DataPoints post here) show that, if anything, the FTC expects companies to ensure that their data security measures keep up with new and changing technologies.

