A New Era in FTC Data Security Oversight?

The U.S. Court of Appeals for the Eleventh Circuit has issued a ruling that may drastically change the nature of the relief that the Federal Trade Commission (“FTC”) seeks to impose on companies it alleges to have had inadequate data security measures in place. Specifically, on June 6, 2018, the Court issued a long-awaited decision in LabMD, Inc. v. Federal Trade Commission (“LabMD”), upending an FTC order requiring LabMD to overhaul its data security program. The Court held that, because the order was overbroad and lacked specifics, it was unenforceable. The decision suggests that FTC data security orders must be more limited and precise.

We describe the case background, the Court’s decision, and its likely impact below.

Case Background

The FTC initiated its action against LabMD in 2013, alleging that the now-defunct medical laboratory committed an “unfair act or practice” in violation of Section 5 of the FTC Act by failing to reasonably secure consumers’ personal information on its computer networks.[1] The complaint arose from an incident in which a LabMD employee installed a public file sharing service on a company computer, thereby allowing third-party access to consumers’ personal information.[2]

Although the Administrative Law Judge assigned to the case dismissed the complaint, the reviewing FTC Commission reversed, entering an order requiring LabMD to implement a “reasonable” comprehensive data security program.[3] The order did not require LabMD to abstain from specific unfair acts or practices, but, rather, required it to implement measures addressing all aspects of its data security program.[4]

LabMD appealed.

The Eleventh Circuit’s Decision

The Eleventh Circuit addressed two primary issues: (1) whether the failure to implement and maintain a reasonable security program constitutes an unfair act or practice under Section 5; and (2) if so, whether the FTC’s order enjoining LabMD to implement a “reasonable” security program was enforceable.

The Court punted on the first question and said “no” to the second.

1. The FTC’s Authority to Enforce Data Security Compliance

The Court did not decide whether LabMD’s alleged failure to implement and maintain a reasonable security program was unfair under Section 5. It instead assumed the Commission was correct: that LabMD’s alleged failure was “unfair” and that the FTC was accordingly authorized to address it.

2. Enforceability of the FTC’s Cease and Desist Order

The Court did not shy away from the second question. It held that the FTC’s command that LabMD “overhaul and replace its data-security program to meet an indeterminable standard of reasonableness” was “unenforceable.”[5] The Court’s decision is grounded in two primary concerns:

• Overbreadth. The Court noted that the FTC’s order contained no prohibitions, nor did it require LabMD to abstain from a specific act or practice. Instead, the order mandated “a complete overhaul of LabMD’s data-security program,”[6] untethered to the security incident that precipitated the FTC’s complaint.
• Lack of specificity. The Court also noted that the order required LabMD to “maintain a comprehensive information security program,” but said “precious little about how this is to be accomplished.”[7] Without specific standards to enforce, the FTC—and a district court in contempt proceedings—would have to continually modify the order to meet the FTC’s evolving conception of “reasonableness.” “It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law,”[8] the Court held.

The Court accordingly vacated the Commission’s order, releasing LabMD from the injunction.

Potential Impact of the Decision

While LabMD does not go so far as to question the FTC’s authority to use Section 5 to address allegedly inadequate data security measures, the decision may change the extent and manner of FTC consent orders.

As to the extent of FTC consent orders, LabMD suggests that they must be tethered to the alleged security flaw they are designed to address. An order to undertake a sweeping overhaul of a company’s data security program in response to a single incident may be unenforceable.

As to the manner of FTC enforcement, LabMD appears to require the FTC to include more detailed, specific data security guidance in its orders to clarify how a company must comply. The FTC has historically shied away from specifying required security measures, however, given how quickly technology changes, opting instead to impose a “reasonableness” standard. To withstand scrutiny under LabMD, the FTC may choose to adopt a middle ground: impose relief with enough specificity that a company understands what it must do without specifying precise measures. This may be a difficult line to walk.

The terms of the LabMD order were typical of the consent decrees and orders the FTC has issued to date to address alleged data security flaws. It remains to be seen whether other companies challenge their own similar orders under LabMD, or if the FTC appeals the decision to the Supreme Court. But, as it stands, the decision suggests that the FTC’s future data security orders will have to be more limited and precise.

[1] LabMD, Inc. v. Fed. Trade Comm’n, No. 16-16270, 2018 WL 2714747, at *2 (11th Cir. June 6, 2018).

[2] Id. at *1.

[3] Id. at *4.

[4] Id. at *6.

[5] Id. at *11.

[6] Id. at *12.

[7] Id.

[8] Id.