The U.S. Court of Appeals for the Eleventh Circuit has ordered the FTC to halt enforcement of its data security order against LabMD while LabMD challenges the action.
To recap the events leading up to this stay, a data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program. Allegedly, after LabMD refused to purchase the company’s security products, the company reported the alleged data security vulnerability to the FTC. The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers. In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury. In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC nevertheless ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records. LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order.
Finding that LabMD is likely to succeed on the merits of its appeal and that LabMD would be irreparably harmed by enforcement, the Eleventh Circuit granted LabMD’s motion for a stay of the FTC order. Even with Chevron deference to the FTC’s judgment, the court held that LabMD would likely succeed on the merits because there are “compelling reasons why the FTC’s interpretation may not be reasonable.” The court found that it was “not clear” that 15 U.S.C. § 45 could reasonably be read to cover intangible harms like the ones cited by the FTC or that “likely to cause” in the statute could reasonably “include something that has a low likelihood.” As to irreparable injury, the court found that the cost of complying would be detrimental to LabMD, and even if LabMD ultimately prevailed, it would not be able to recover the costs from the FTC due to sovereign immunity. In addition, the court found there would be no harm to any party if the order was stayed and that public interest on the matter was neutral. In light of these factors, the court granted LabMD’s motion and stayed enforcement of the FTC order pending the outcome of LabMD’s appeal.
The stay again throws significant doubt on the FTC’s information security enforcement practices, providing further fodder for critics who claim the FTC enforces vague standards that are impossible to fully anticipate. Fighting perceptions of unclear guidance, the FTC has recently issued guidance and blog posts and convened roundtables and other educational initiatives to push out its security expectations.