Court Declines to Uphold an FTC Order Because It Sets an "Indeterminable Standard of Reasonableness": The Decision May Affect Banking Agency Cease and Desist Orders

On June 7, in LabMD, Inc. v. FTC, the U.S. Court of Appeals for the Eleventh Circuit set aside a cease and desist order imposed by the Federal Trade Commission (the "FTC") on LabMD, Inc. ("LabMD"). The cease and desist order, rather than identifying "specific unfair acts or practices from which LabMD must abstain,"1 would have required the company to create and implement various protective measures that, in the court's view, "would regulate all aspects of LabMD's data security program."2 The court does not reach the most closely followed issue presented by this case--whether LabMD's negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a) of the Federal Trade Commission Act--but rather, assumes this issue arguendo in order to consider the enforceability of the order.3

In considering the issue of enforceability, the court notes that "the cease and desist order contains no prohibitions" but instead "commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness."4 Highlighting the "problems that enforcing the order would pose,"5 the court opines that "the prohibitions contained in cease and desist orders must be specific"6 or otherwise the "court is put in the position of managing [a company's] business in accordance with [a regulator's] wishes."7

The court's reasoning is notable for its potential application to the terms of enforcement orders routinely issued against banks and other institutions by a multitude of other agencies, including the Federal Reserve, the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Bureau of Consumer Financial Protection. The language called out by the court as impermissibly vague and thereby creating "enforceability problems"8 is similar to language often used in orders issued by the Federal bank regulatory agencies (generally upon consent) that essentially require a company to revise an entire program or system so that it is "reasonably designed"9 to answer a broadly stated goal to the satisfaction of the agency, followed by a list of "equally vague items which must be included" in the redesigned system or program.10

If the Eleventh Circuit's reasoning in the LabMD case is extended to remedial orders issued by other agencies in the Eleventh Circuit or elsewhere, there would be a significant effect on the scope and specificity of enforcement orders toward more specific standards and away from broad discretion to the agency involved to determine if compliance with order provisions is adequate. Because banking and other supervised institutions infrequently challenge enforcement orders, it may be quite some time before the impact of the LabMD decision is clarified.