The High Cost of Data Breaches to Your Business


In the emerging world of data privacy breaches, new litigation makes clear that data breaches may ultimately destroy a business. In a recent case, the US Court of Appeals for the 11th Circuit ruled that the FTC may continue to investigate a data breach, and that the company under investigation cannot obtain judicial relief, until the agency issues a final action. In the matter of LabMD v. FTC, LabMD discovered that it could not seek a judicial remedy to avoid an FTC enforcement action until a final action had been issued by the administrative agency. Though this outcome is interesting from a legal perspective, it also likely resulted in the destruction of LabMD’s business, further evidencing the importance of data security and the consequences of ignoring it.

LabMD is a laboratory that provides cancer testing services for doctors. Unfortunately, due to an employee mishap, LabMD’s files could be accessed by the LimeWire peer-to-peer network, which soon came to the FTC’s attention. The FTC initiated an investigation alleging that LabMD had inappropriately exposed the personal data of 10,000 consumers, and it proceeded to investigate LabMD’s purported breach for several years. After numerous administrative legal actions between the parties occurred, LabMD initiated an action in the US District Court seeking injunctive relief against the FTC’s actions on the legal theory that the FTC lacks authority to regulate data breaches. The 11th Circuit denied LabMD’s motion on the basis that it lacked subject matter jurisdiction over anything but a “cease and desist” order issued by the FTC.

In January 2014, LabMD announced that it would cease doing business because of the effects of the FTC enforcement action. LabMD continued to fight the FTC’s authority to police data breaches. In March 2014, LabMD filed suit in the district court for the Northern District of Georgia. The Northern District dismissed the case on the basis that the FTC had not issued a final agency action and, therefore, the Court lacked authority to enjoin the FTC’s actions. LabMD appealed to the 11th Circuit, which affirmed.

The LabMD case indicates that the FTC may have the authority to regulate and enforce penalties against companies responsible for data breaches under Section 5 of the Federal Trade Commission Act. This means that companies must take seriously their data security obligations or face potentially business-ending regulatory consequences.

The Real Financial Cost of a Data Breach

The LabMD story illustrates the most severe consequence of a data breach — the complete destruction of a business. But even breaches that do not result in regulatory enforcement of this magnitude impose substantial direct and indirect costs on the companies involved. IBM’s annual Cost of a Data Breach Report consistently shows that the average total cost of a data breach runs into the millions of dollars, with costs continuing to accumulate for years after the initial event.

Direct Costs

Direct breach costs include: forensic investigation to determine the scope and source of the breach; notification costs under state breach notification statutes (all 50 states now have mandatory notification requirements); credit monitoring and identity protection services for affected individuals; regulatory penalties and fines; legal fees for regulatory response and civil litigation defense; and remediation costs to fix the vulnerabilities that enabled the breach. Each of these cost categories can run into hundreds of thousands of dollars for even a mid-size breach.

Indirect Costs

The indirect costs of a breach are often larger than the direct costs. Customer churn following a publicized breach can be severe and lasting. Studies consistently show that consumers are significantly less likely to continue doing business with a company after a breach involving their personal data, and that trust — once lost — is slow to return. Reputational damage translates directly into revenue loss, customer acquisition difficulty, and reduced brand equity.

For publicly traded companies, breaches often trigger share price declines that can dwarf the direct regulatory and litigation costs. For private companies, a breach can make a contemplated sale or financing round significantly more difficult or expensive, as sophisticated buyers and investors treat data security practices as a material factor in their due diligence.

FTC Enforcement Authority After LabMD

The LabMD case ultimately produced a significant precedent on the FTC’s authority in the data security space. The 11th Circuit vacated the FTC’s cease-and-desist order against LabMD on the merits — finding that the order was unenforceable because it did not specify practices that LabMD could implement — but did not rule that the FTC lacked authority to regulate data security under Section 5. The FTC’s authority to pursue data security enforcement actions remains intact, and the agency has continued to bring enforcement actions against companies with inadequate data security practices.

The FTC has since updated its substantive expectations for data security through its Safeguards Rule (for financial institutions subject to the Gramm-Leach-Bliley Act) and through its pattern of enforcement actions, which collectively establish that companies are expected to implement reasonable administrative, technical, and physical security measures appropriate to the sensitivity of the data they handle and the size and nature of their operations.

State Data Breach Notification Laws

Beyond FTC enforcement, every state has enacted data breach notification statutes that impose specific obligations on businesses that experience breaches involving residents’ personal information. These statutes vary in their definitions of covered personal information, the notification timeline required, the content of required notifications, and the penalties for non-compliance. Michigan’s Identity Theft Protection Act, MCL § 445.61 et seq., requires notification to affected individuals “in the most expedient time possible and without unreasonable delay” after discovery of a security breach.

Businesses operating nationally must comply with the notification requirements of every state in which they have affected customers — not just the state where the business is located. The most stringent state statutes, including those of California, New York, and Illinois, impose obligations that go well beyond what federal law requires. A company that delays notification to assess the full scope of a breach may find itself in violation of multiple state statutes simultaneously.

Building a Data Security Program That Reduces Breach Risk

The most effective way to manage data breach risk is to reduce the probability of a breach in the first place. A comprehensive data security program includes: data mapping to understand what personal information you collect, where it is stored, and who has access to it; access controls that limit employee access to personal data on a need-to-know basis; encryption of stored and transmitted personal data; regular security assessments and penetration testing; employee security awareness training; a vendor management program that assesses the security practices of third parties who handle your data; and an incident response plan that enables rapid containment and notification when a breach occurs.

The cost of implementing these measures is a fraction of the cost of responding to a breach. For businesses that handle significant volumes of sensitive consumer data, data security investment is not optional — it is a business necessity.

Contact Revision Legal for Data Privacy and Security Counsel

Revision Legal’s data privacy attorneys advise businesses on data security programs, breach notification compliance, FTC enforcement defense, and data breach litigation. If your business has experienced a breach or wants to proactively assess its data security legal obligations, contact us today for a consultation.
