Alert

Recommended Alerts

Sign Up For Alerts

UK’s Data Protection Regulator, the ICO, publishes a revised draft of its Direct Marketing Code of Practice

On 8 January 2018, the Information Commissioner launched a public consultation on a Direct Marketing Code of Practice, which she is required by Section 122 of the Data Protection Act 2018 to produce in order to provide practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Accordingly, like the existing ICO Direct Marketing Guidance, which it will supersede, the proposed code sets out the law and provides examples and good practice recommendations. To a significant extent, the draft code replicates the current guidance, which was updated in 2018 to reference the General Data Protection Regulation (GDPR). When finalised, the Commissioner must take the code into account when considering whether those engaged in personal data processing for “direct marketing purposes” have complied with the GDPR and PECR. The key aspects of the draft code are summarised below, including new guidance on in-app advertising and direct marketing on social media platforms.

Read More

Eleventh Circuit Vacates FTC Cybersecurity Order against LabMD


Time to Read: 4 minutes Practices: Data, Privacy & Cybersecurity

Printer-Friendly Version

On June 6, 2018, at the urging of Ropes & Gray, the U.S. Court of Appeals for the Eleventh Circuit vacated an order that the Federal Trade Commission (the “FTC”) had imposed on LabMD, Inc. (“LabMD”) to overhaul the cancer detection laboratory’s data security program. The court ruled that the FTC’s order is unenforceable because, rather than enjoining a specific act or practice, it mandates a complete overhaul of LabMD’s data security program and says little about how this is to be accomplished, effectively charging a district court with managing the overhaul. The decision also recognizes important limitations on the agency’s authority even to declare an act “unfair” in the first place. The Eleventh Circuit’s rejection of the FTC’s action against LabMD has significant implications both for the FTC’s privacy and data security program and for other regulatory and private litigation contexts.

The LabMD Case

The origins of the LabMD matter date back more than a decade. In 2008, Tiversa Holding Corporation (“Tiversa”) took from LabMD a file containing a limited amount of personal information of approximately 9,300 patients by exploiting a vulnerability in a peer-to-peer file-sharing application that, contrary to LabMD policy, was installed on one of LabMD’s workstations. After LabMD rebuffed Tiversa’s attempt to sell the laboratory its purported remediation services and instead remediated the vulnerability on its own, Tiversa turned over the file to the FTC.

Following an extensive investigation, on August 28, 2013, the FTC initiated enforcement proceedings against LabMD. The FTC’s administrative complaint (the “Complaint”) alleged that LabMD’s data security practices were “unfair” in violation of Section 5 of the FTC Act because, “taken together,” they “failed to provide reasonable and appropriate security for personal information on its computer networks.”

An administrative law judge dismissed the Complaint but the FTC reversed on appeal, holding, as the Complaint charged, that LabMD’s data security practices constituted an unfair act or practice in violation of Section 5 of the FTC Act. The FTC concurrently issued an order requiring LabMD to undertake various affirmative actions, such as establishing and maintaining a reasonable and comprehensive information security program (the “Order”). LabMD then retained Ropes & Gray to petition the Eleventh Circuit for review, seeking to have the Order vacated.

The Eleventh Circuit’s Decision

In a unanimous opinion, the Eleventh Circuit agreed with and adopted LabMD’s argument that the FTC’s Order is unenforceable. The court reasoned that the remedy that the FTC seeks “must comport with th[e] requirement of reasonable definiteness.” In that regard, the court held that a fundamental flaw with the Order entered against LabMD is that it “does not instruct LabMD to stop committing a specific act or practice.” The FTC did not seek to address the one-off vulnerability of the patient file through a narrowly drawn, easily enforceable order, such as one commanding LabMD to eliminate the possibility that employees could install unauthorized programs. Instead, the Order mandates a complete overhaul of LabMD’s data security program and says little about how this is to be accomplished, effectively charging a district court with managing the overhaul. The Order’s command to LabMD to “overhaul and replace its data-security program to meet an indeterminable standard of reasonableness” is, the Eleventh Circuit concluded, unenforceable.

The court also recognized important limitations on the agency’s authority to declare an act “unfair” in the first place. The panel stated that an unfair act or practice “is one which meets the consumer-injury factors . . . and is grounded in well-established legal policy.” That is, pursuant to Section 5(n) of the FTC Act, the FTC must allege and prove actual or likely substantial injury to consumers that is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits. And in addition, the FTC must also find that “[t]he act or practice alleged to have caused the injury [is] unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.” The court thus rejected the FTC’s recent position that it may “bring suit purely on the basis of” actual or likely “substantial consumer injury.” The court did not need to, and therefore did not, assess the legality of LabMD’s data security practices under this standard. But the court called out that LabMD did, in fact, maintain a data-security program that included a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.

The Eleventh Circuit’s decision has significant implications both for the FTC’s privacy and data security program and for other regulatory and private litigation contexts, which in many instances borrow from the FTC regime. For more information regarding the impact of the LabMD decision, please feel free to contact a member of the Ropes & Gray team that represented LabMD, which includes partners Doug Hallward-Driemeier and Debbie Gersh. Please also feel free to reach out to any other member of Ropes & Gray’s leading privacy & cybersecurity team, including Mark Szpak.

Printer-Friendly Version

Cookie Settings