On June 6, 2018, the US Court of Appeals for the Eleventh Circuit ruled in favor of LabMD in the medical testing company’s closely watched challenge to the Federal Trade Commission’s (“FTC”) data security enforcement action. While assuming that the FTC was correct that LabMD’s allegedly unreasonable security practices constituted an unfair act or practice in violation of Section 5 of the Federal Trade Commission Act, the court held that the FTC’s cease-and-desist order lacked adequate specificity and thus was unenforceable.
The FTC initiated its enforcement action against LabMD in August 2013. It alleged that LabMD had failed to use reasonable data security measures, resulting in the exposure of consumers’ personal information through a file sharing service. In July 2016, after adjudication before an administrative law judge, the full Commission concluded that LabMD’s inadequate data security measures led to substantial injury to consumers that was not reasonably avoidable and thus constituted an unfair act or practice under Section 5(a) of the Federal Trade Commission Act.[1] The FTC ordered relief including that LabMD implement a comprehensive data security program reasonably designed to protect consumer information, undergo biennial data security assessments by an independent third-party professional and notify affected individuals whose health information had been made public.[2]
LabMD petitioned the US Court of Appeals for the Eleventh Circuit for review of the July 2016 opinion and order. The company broadly challenged the FTC’s rulings, including with respect to the FTC’s authority to enter the order against LabMD, the merits of the FTC’s decisions and the adequacy of the FTC’s cease-and-desist order. On the last point, LabMD argued that even if a lack of data security led to the breach and, therefore, violated the FTC Act, the FTC’s order was not enforceable because it was impermissibly vague.
The Court of Appeals explained the standards governing actions for unfairness, including that “an act or practice’s ‘unfairness’ must be grounded in statute, judicial decisions—i.e., the common law—or the Constitution. An act or practice that causes substantial injury but lacks such grounding is not unfair within Section 5(a)’s meaning.”[3] However, the Court of Appeals ultimately assumed “arguendo that the Commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data-security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”[4] With this assumption, the court left one key question for its analysis: whether the FTC’s order was enforceable.[5] The court answered that question in the negative, agreeing with LabMD that the FTC’s order was unenforceable because it was not sufficiently specific.
The court explained that the FTC order “mandates a complete overhaul of LabMD’s data security program” but “says precious little about how this is to be accomplished.”[6] While the order identified certain general data security areas for LabMD to address, the court noted that the order “contains no prohibitions” and “does not instruct LabMD to stop committing a specific act or practice.”[7]
The court reasoned that, because the order was framed so generally, the FTC would find it difficult to prove by clear and convincing evidence, the standard that would apply in a proceeding to enforce the order, that security measures LabMD later adopted were not “reasonably designed” to protect the security of consumer information. Any such determination would instead have to be made by a district court each time the FTC challenged a measure the company had implemented. As a result, according to the court, the FTC order “effectually charges the district court with managing LabMD’s business in accordance with the Commission’s wishes.”[8] This, the Eleventh Circuit found, “was a scheme Congress could not have envisioned.”[9] Because the FTC’s order required LabMD “to meet an indeterminable standard of reasonableness,” the Court of Appeals concluded that it was unenforceable.[10]
The Eleventh Circuit’s decision did not resolve important questions about the limits of the FTC’s authority to police data security practices or confirm whether LabMD’s security practices constituted an unfair act or practice under Section 5(a) of the FTC Act. The decision nonetheless could prove very consequential, particularly to the extent that—assuming the opinion is not reversed in further appellate proceedings—the FTC increases the level of specificity it includes in data security orders and thereby adds more detail to what it believes constitute reasonable security practices.