Although the Federal Trade Commission (FTC) has the authority to investigate data breaches, some entities they have investigated have pushed back against the regulator. In 2013, FTC filed a complaint against LabMD for allegedly failing to protect consumer’s data. When the government found for itself in a proceeding by an administrative law judge, LabMD sued the FTC in federal court. Ropes & Gray summarize the case before the Eleventh Circuit:
On Sept. 4, 2018, the deadline expired for the Federal Trade Commission (“FTC”) to petition the U.S. Supreme Court to review LabMD v. FTC, the first-ever court decision overturning an FTC cybersecurity action. In that ruling, the U.S. Court of Appeals for the Eleventh Circuit held that an order entered by the FTC requiring medical laboratory LabMD to implement a “reasonably designed” cybersecurity program was unenforceable because, rather than enjoining a specific act or practice, the order mandated a complete overhaul of the company’s data security program and said little about how this was to be accomplished. LabMD v. FTC, 891 F.3d 1286 (11th Cir. 2018). The Eleventh Circuit’s decision also recognized that there are only limited circumstances in which the agency can declare an act “unfair” under Section 5 of the FTC Act (15 U.S.C. § 45) and impose a remedy upon making such a declaration. Even though the decision strikes a significant blow to its cybersecurity enforcement program, the FTC did not petition the Eleventh Circuit for rehearing, and now, as noted, it has also declined to seek Supreme Court review.
Now MGM Resorts International is suing the FTC. They are asking federal court in Washington, D.C. to block a probe into the impact on data security of the dramatic hack that hobbled the casino operator last year and cost them millions of dollars. Reuters explains:
MGM said it was seeking quash the FTC’s demands for information because the operator was not a financial institution and therefore was not subject to FTC rules governing consumer financial data.
The lawsuit also argued that, because FTC Commissioner Lina Khan was reportedly checking in to an MGM hotel, opens new tab when the hack knocked out its systems, she was personally involved in the matter and should recuse herself.
The Las Vegas Review-Journal has additional details on the lawsuit and takeaways from the litigation.