Eleventh Circuit Rules FTC’s Data Security Cease and Desist Order Against LabMD Is Unenforceable

In its June 6, 2018 decision, the Eleventh Circuit concluded that the Federal Trade Commission’s (“FTC”) Final Order against LabMD lacked adequate specificity and therefore was unenforceable. The Eleventh Circuit had previously issued a stay of enforcement of the FTC’s Final Order – as reported by this blog on November 16, 2016  – which had concluded that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n).

The FTC initiated an enforcement action against LabMD in August 2013, alleging that LabMD, which operated as a clinical laboratory testing center, failed to implement reasonable data security measures to protect patients’ sensitive personal information. LabMD’s alleged data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years, which allowed exposure of patient information on a peer-to-peer network accessible daily by millions of users. In July 2016, and on appeal following a hearing before an Administrative Law Judge, the FTC concluded that LabMD’s failures had caused, and were also likely to cause, substantial consumer injury, including identity theft and medical-identity theft, which constituted an unfair act or practice in violation of Section 5 of the FTC Act.

On appeal, the Eleventh Circuit addressed two issues raised by LabMD. First, the appeals court considered “whether LabMD’s failure to implement and maintain a reasonably designed data security program constituted an unfair act or practice within the ambit of Section 5(a).” On that point, the Court assumed “arguendo that the Commission [was] correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act and practice.” On the basis of that assumption, the Court considered “whether the Commission’s cease and desist order, founded upon LabMD’s general negligent failure to act, is enforceable.” In answering this question, the Court noted that the Order requires LabMD to overhaul and replace its data security program, but “says precious little about how that is to be accomplished.” While identifying certain general areas to be addressed, the Order failed to contain any prohibitions and “does not instruct LabMD to stop committing a specific act or practice.” Because the Order required LabMD “to meet an indeterminable standard of reasonableness,” the Court concluded it was unenforceable.

The LabMD matter has been viewed by many as a test case on the limits of the FTC’s data security enforcement authority under Section 5(a) of the FTC Act. Notably, although that issue was raised by LabMD as part of its appeal, the Eleventh Circuit did not resolve the issue. Nor did the Court address whether LabMD’s data security program and practices actually constituted an unfair act or practice. Regardless, the Eleventh Circuit’s decision continues to shine a spotlight on the FTC’s role in enforcing data security practices and should cause the FTC to provide more specific directives in the future concerning the security measures it believes constitute reasonable data security practices. Stay tuned to this blog for further developments.