On June 6, the U.S. Court of Appeals for the 11th Circuit vacated an FTC cease and desist order (Order) that directed a Georgia-based medical testing laboratory to overhaul its data security program, ruling that the Order was unenforceable because it lacked specifics on how the overhaul should be accomplished. In 2013, the FTC alleged that the laboratory had violated Section 5(a) of the FTC Act by failing to implement and provide reasonable and appropriate data security for patient information, and that this failure constituted an “unfair act or practice.” The now-defunct laboratory argued, among other things, that the FTC did not have the authority under Section 5 to regulate how it handled its data security measures. But the three-judge panel chose not to rule on the broader question about the scope of the FTC’s Section 5 data security authority, focusing its decision on the Order instead. As previously covered in InfoBytes, in 2016 the FTC reversed an Administrative Law Judge’s Initial Decision to dismiss the 2013 FTC complaint, ordering the laboratory to, among other things, employ reasonable security practices that complied with FTC standards.

After the Order was issued, the laboratory asked the 11th Circuit to decide whether the FTC’s Order was “unenforceable because it does not direct it to cease committing an unfair ‘act or practice’ within the meaning of Section 5(a).” The 11th Circuit agreed to stay enforcement of the Order and ultimately permanently vacated it. “In the case at hand, the cease and desist order contains no prohibitions,” the panel wrote. “It does not instruct [the laboratory] to stop committing a specific act or practice. Rather, it commands [the laboratory] to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” The court concluded that “[t]his is a scheme that Congress could not have envisioned.”