Court of Appeals Rebukes Federal Trade Commission’s Data Security Overreach

FOR IMMEDIATE RELEASE

JUNE 8, 2018

WASHINGTON, D.C. – In a landmark ruling on June 6, 2018, the Eleventh Circuit Court of Appeals invalidated a Federal Trade Commission (FTC) order against cancer-screening facility LabMD.  The agency had hounded LabMD for years claiming the company violated an undefined data security rule known only to the FTC.  The opinion sends a clear message that the FTC’s enforcement of data security, without publishing any standards, disregards the rule of law, violates due process, and will not be tolerated by the Courts. Cause of Action Institute represented LabMD in the proceedings at the FTC and filed an amicus curiae brief in the Eleventh Circuit on behalf of nine medical doctors harmed by the FTC’s actions.

Cause of Action Institute’s President and CEO John Vecchione commented on the decision:

“The FTC’s lawless bullying of companies and actions that drove LabMD out of business and denied our physician clients’ access to its services have suffered a stern and public rebuke. Standardless regulatory overreach in this case forced the closure of a successful small business even though the FTC has never presented any evidence of consumer harm, nor published any data security standards with which it says the company should have complied.  Notably the 11th Circuit ruled the FTC-issued injunction was so vague and unintelligible that no court could intelligently enforce it.  The Court made no finding and affirmed no decision of the FTC that LabMD had done anything wrong.

“Scores of companies have knuckled under to the FTC’s insistence on ‘consent’ orders to buy peace.  This ruling is a signal that they don’t have to.  The Court signaled that vague, standardless dictates by unelected bureaucrats would not be enforced in Courts of law.  LabMD’s experience in this case is a stark reminder of the costs required to fight a federal agency that is willing to spend millions of taxpayer dollars over more than eight years of investigation and litigation, all in the pursuit of wrong.  We congratulate Ropes & Gray for its representation of this case before the Circuit and LabMD itself for daring to fight the good fight.  We are also proud of our attorneys and Cause of Action Institute’s contribution to that fight.”

In the opinion, the court explained the absurdity of the FTC’s position– namely that the agency requires data security standards without providing any specificity on those very standards.  From the opinion:

“[T]he Commission’s cease and desist order is nonetheless unenforceable. It does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. We therefore grant LabMD’s petition for review and vacate the Commission’s order.”

While the decision may appear to be narrowly related to the cease and desist order at issue in LabMD, in practice, it will have broad ranging implications for how the agency investigates and enforces data security. The Court also recognized the constitutional injustice of the FTC’s enforcement action in this case: “Being held in contempt and sanctioned pursuant to an insufficiently specific injunction is therefore a denial of due process.”  This abuse of due process by going after a company for allegedly violating Section 5 of the FTC Act, but never telling the company what it is actually supposed to have been doing has been a central theme of the LabMD case from the start.

The FTC lost this case before its own FTC’s chief administrative law judge (ALJ) and now before the Eleventh Circuit. The FTC’s disregard of the ALJ’s opinion, when the Commission considered the case at the administrative level, illustrates the unfairness of the FTC enforcement process where the agency acts as its own detective, prosecutor, judge, and executioner. As former FTC Commissioner Joshua Wright explained: “[I]n 100 percent of the cases in which the administrative law judge ruled found no liability, the Commission reversed. This is a strong sign of an unhealthy and biased institutional process.

Read the full opinion here.

Read more about Cause of Action Institute’s efforts to hold the FTC accountable here and here.

About Cause of Action Institute

Cause of Action Institute is a 501(c)(3) non-profit working to enhance individual and economic liberty by limiting the power of the administrative state to make decisions that are contrary to freedom and prosperity by advocating for a transparent and accountable government free from abuse.

For more information, please contact Mary Beth Gombita, mbgcomms@gmail.com.

What Happens When Government Emails are Allegedly “Fatally Lost”?

President Trump’s phone and email behavior are coming under scrutiny for security reasons, but regardless of the device used, the type of email account being used could be a bigger concern.  Did you know that a government official’s use of private email to conduct government business is wrong?  If the Hillary Clinton email scandal didn’t showcase that, consider one of our recent and ongoing investigations into former Secretary of State Colin Powell’s work-related email records, which were hosted on a personal AOL account.

In September 2016, the House Oversight & Government Reform Committee held a hearing at which then-Under Secretary of State Patrick Kennedy testified that the State Department had undertaken minimal efforts to retrieve Powell’s work-related email.  In October 2016, Cause of Action Institute sought access to Secretary Powell’s work-related emails under the Freedom of Information Act (“FOIA”).  At the same time, we advised the Secretary of State and the Archivist of the United States of their obligations under the Federal Records Act (“FRA”) to recover those same email records.  Once it became apparent that the State Department would not respond to our FOIA request, and the obligation to initiate action through the Attorney General for the recovery of Secretary Powell’s work-related email would not be met, we filed suit in federal district court.  In January 2018, when the court denied the government’s first motion to dismiss, it described the State Department’s efforts at recovery as “anemic.”  As we’ve noted, U.S. District Court Judge Trevor McFadden explained that “[t]he Defendants’ refusal to turn to the law enforcement authority of the Attorney General is particularly striking in the context of a statute with explicitly mandatory language.”  “[T]here is a substantial likelihood that [CoA Institute’s] requested relief would yield access to at least some of the emails at issue.”

After being repeatedly asked by the National Archives and Records Administration (“NARA”) to contact AOL directly for Powell’s emails, the State Department never did so until CoA Institute filed its lawsuit.  But the State Department continues to use the line that the emails have been “fatally lost” and that our lawsuit should therefore be dismissed.  The Defendants argue that, even if they cannot prove fatal loss or completely recover unlawfully removed records, their obligation to initiate action through the Attorney General (and thus marshal the law enforcement authority of the federal government) can be excused if they have no “reason to believe” records are recoverable.

We’re currently pushing back on that argument, as it rests on a fundamental misapprehension of the FRA.  We have asked the court to order the Secretary of State and the U.S. Archivist to initiate action through the Attorney General for the recovery of Powell’s email, as required by law.  This would entail enlisting the law enforcement authority of the federal government to investigate the possibility of forensically recovering the records at issue, among other things.  Such techniques have been successful in previous cases of unlawfully removed federal records, as evidenced by Hillary Clinton’s email scandal and the FBI’s recovery of Peter Strzok and Lisa Page’s text messages.

The problem with the Defendants’ position is that it ignores the clear text of the FRA and thirty years of precedent, which recognizes a non-discretionary obligation for an agency head to go to the Attorney General whenever its own recovery efforts have failed.  In this last line of their closing brief, the Defendants sum up their argument: “We recognize that the Court has previously rejected the contention that the FRA requires referral only when an agency has reason to believe that records can be recovered but respectfully reserve the right to seek further review should the Solicitor General determine that such review is warranted.”

This case illustrates how careless the federal government can be with the protection of government work – the use of a personal account and the subsequent years-long legal battle to recover Secretary Powell’s work-related emails are a failure of our government to follow both the FRA and the FOIA.  Secretary Powell should never have used a personal email account, and the State Department should have acted quicker to recover and preserve vital records of government business that were stored on a third-party commercial server.  If it is this difficult to recover materials that ultimately belong to the American people, the work of the government becomes more and more opaque and the gap between the American people’s knowledge and the federal government’s behavior only widens.

Mary Beth Gombita, Cause of Action Institute.