In a significant ruling that calls into question the Federal Trade Commission’s (“FTC”) authority to regulate a private company’s data security program, a federal appellate court of appeals ruled that the agency’s cease and desist order directing implementation of a data security program should be vacated as unenforceable. LabMD, Inc. v. Federal Trade Commission, No. 16-16270 (11th Cir. June 6, 2018).

In 2005, a billing manager of LabMD installed a peer-to-peer file sharing system that exposed to users a file containing personal information of 9,300 consumers. The information included names, dates of birth, social security numbers, and medical information. The file was accessed by a data security firm which brought the issue to LabMD’s attention in the hope that LabMD would retain the firm to correct the problem. When LabMD declined the offer, the security firm reported LabMD to the FTC. Notably, no other third parties accessed the files and there were no reports of identity theft.

In 2013, the FTC initiated its enforcement action alleging that LabMD had failed to use reasonable data security measures. Following a hearing before an Administrative Law Judge, the full Commission ruled that LabMD’s inadequate measures led to substantial injury to consumers and, thus, constituted an unfair practice under Section 5(a) of the FTC Act. As a remedy, the FTC ordered that LabMD implement a data security program reasonably designed to protect consumer information.

LabMD appealed claiming that the order was not enforceable because it was too vague. Notably, the appellate court did not review the Commission’s finding of liability. The Court assumed that “LabMD’s failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”

Despite this conclusion, the Court noted that a remedy from the Commission must meet the requirement of “reasonable definiteness.” Therefore, the Court ruled that the order was unenforceable because it contained no prohibitions or directives as to how to stop committing any specific acts.

Looking forward, the court’s holding leaves open the ability of the FTC to continue monitoring data security. At the same time, the court’s ruling does not detail the specific practices a company must adopt in order to meet the FTC’s definition of reasonableness. Continued enforcement from the FTC can be expected as it goes back to the drawing board to determine if it can more clearly identify specifics to include in its data security orders. Only through continued monitoring of future FTC orders will companies learn what these standards are.