The Eleventh Circuit’s ruling in LabMD v. FTC vacated a cease and desist order from the Federal Trade Commission (FTC) because it lacked specificity regarding the data security standards the FTC was enforcing.
In 2005, LabMD allowed an employee to install file-sharing software on an office computer. This led to a data breach of over 9,000 patients’ sensitive information. After an investigation, the FTC found this constituted an “unfair act or practice” under Section 5(a) of the FTC Act. The FTC issued a cease and desist order, which required LabMD to overhaul its entire data security program, invoking a standard of reasonable protection of consumer data. LabMD argued the order was unenforceable because it did not direct LabMD to cease an unfair act or practice.
The Eleventh Circuit agreed with LabMD and vacated the order. The court found that a narrower cease and desist order that required LabMD to stop employees from installing unauthorized programs on office computers would have been enforceable as opposed to a complete overhaul of the data security program. The court also noted that the order did not give specific guidelines on how to meet the reasonableness standard that the FTC had invoked.
Experts in the field had hoped the Eleventh Circuit would address LabMD’s argument that data security breaches are outside the FTC’s jurisdiction under the unfairness prong of the FTC Act, an argument the Third Circuit rejected in FTC v. Wyndham Worldwide Corporation. The court did not address the issue, instead deciding the case on the enforceability of the cease and desist order.
TIP: The FTC maintains authority to regulate companies’ data security practices under the unfairness prong of the FTC Act. Companies are advised to maintain reasonable security practices and to monitor any upcoming decisions on the FTC’s enforcement practices.