Yesterday the 11th U.S. Circuit Court of Appeals in Atlanta vacated a Federal Trade Commission (FTC) cease and desist order directing a medical testing company to overhaul its data security program, on the grounds that the order was overbroad and failed to enjoin any specific act or practice. This ruling means that going forward (at least in the States overseen by the 11th Circuit, including Florida, Georgia and Alabama), and unless and until a higher court decides otherwise or Congress acts to alter the FTC’s rulemaking and enforcement authority, the FTC will have to provide far more carefully tailored orders to companies it finds to have committed unfair trade practices via data breaches or a failure to maintain adequate data security practices.

Over the past decade, the FTC has used Section 5 of the FTC Act to bring over 50 enforcement actions against companies for breaches of data security. Under the FTC’s interpretation of Section 5, a company’s failure to protect consumer data was viewed as an unfair business practice. One such company, LabMD, a now-defunct medical testing laboratory, was ordered by the FTC to conduct a complete overhaul of its data security systems following a breach that resulted in the exposure of patient health records and personal information. LabMD argued, and the 11th Circuit agreed, that the FTC’s order was overbroad and unenforceable.

While a three-judge panel of the court assumed for the sake of argument that “the commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice under Section 5,” the panel also decided that the FTC’s subsequent cease and desist order was not enforceable because it failed to enjoin any specific act or practice:

“Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned.”

The 11th Circuit’s holding binds the federal district courts in Florida, Georgia, and Alabama and applies only to cases decided in those courts. It remains to be seen whether federal district and appellate courts outside those States will follow the 11th Circuit’s lead in future decisions regarding the scope of the FTC’s authority in data breach enforcement actions. In addition, the FTC may yet seek further review of the decision by the full 11th Circuit sitting en banc or by the U.S. Supreme Court.