Earlier this month, in a much anticipated decision, the 11th U.S. Circuit Court of Appeals vacated the Federal Trade Commission’s (FTC) cease and desist order against LabMD, Inc. A summary of the relevant factual background and the FTC’s cease and desist order from 2016 can be found here.
The 11th Circuit concluded that the FTC’s order was unenforceable because it did not enjoin a specific act or practice, but rather, required a “complete overhaul of LabMD’s data-security program” without providing sufficiently specific guidance for how to comply with the order. Among other things, the 11th Circuit criticized the requirement that LabMD “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers” because the order was “devoid of any meaningful standard informing the court [or LabMD] of what constitutes a ‘reasonably designed’ data-security program.” The 11th Circuit also observed that other provisions of the order “fail[ed] to state with specificity the actions LabMD must take to bring its program into compliance with the order.”
Although LabMD is now a defunct, non-operating company, it remains to be seen whether the FTC will appeal the 11th Circuit’s decision to the United States Supreme Court or decide to end this ongoing, years-long saga. In the meantime, the recent 11th Circuit decision provides companies with helpful precedent to defend themselves against future data-security actions brought by the FTC under Section 5(a).
The 11th Circuit Decision
LabMD appealed the FTC’s order to the 11th Circuit and argued that the order was unenforceable “because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a)” of the FTC Act. The 11th Circuit granted LabMD’s petition for review.
The 11th Circuit began with a brief discussion of the FTC’s complaint against LabMD, observing that “[r]ather than allege specific acts or practices that LabMD engaged in, … the FTC’s complaint set forth a number of data-security measures that LabMD failed to perform.” After outlining the procedural background of the case, the 11th Circuit characterized the FTC order as “enjoining LabMD to install a data-security program that comported with the FTC’s standard of reasonableness,” and that “[i]n effect, the [FTC] decision held that LabMD’s failure to act in various ways to protect consumer data rendered its entire data-security operation an unfair act or practice.”
The 11th Circuit criticized the FTC’s approach of identifying a couple of problems—i.e., LimeWire’s installation on a company computer and resulting exposure of the 1718 file—and using them as “an entry point to broadly allege that LabMD’s data-security operations are deficient as a whole.” Because FTC complaints must “inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law,” 16 C.F.R. § 3.11, the 11th Circuit reasoned that “[i]t follows that the remedy the complaint seeks must comport with this requirement of reasonable definiteness.” Quoting Supreme Court precedent in FTC v. Colgate-Palmolive Company, an FTC order’s “prohibitions should be clear and precise in order that they may be understood by those against whom they are directed … [so as] to avoid raising serious questions as to their meaning and application.” Otherwise, the imposition of sanctions or penalties for contempt may deny a party due process.
The 11th Circuit observed that the FTC’s cease and desist order did not contain any prohibitions or instruct LabMD to cease any specific act or practice. Instead, the FTC order “commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.” This command rendered the FTC order unenforceable because, as the 11th Circuit explained through a hypothetical, the lack of “any meaningful standard informing the court of what constitutes a ‘reasonably designed’ data-security program” would, in practicality, require a court to repeatedly modify the injunction at future show cause hearings and effectively result in the court and FTC managing and operating the company. Because “[i]t is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law[,]” the FTC order was unenforceable.
What the 11th Circuit Did Not Decide
Notably, the 11th Circuit did not decide whether a company’s negligent failure to implement and maintain a reasonable data-security program may constitute an unfair act or practice under Section 5(a). Instead, the 11th Circuit assumed, without deciding, that such a failure may constitute an unfair act or practice under Section 5(a).
The 11th Circuit also did not address other issues raised by LabMD’s appellate brief, such as whether the FTC exceeded its legal authority or the order was unsupported by substantial evidence.
At first glance, the 11th Circuit’s decision appears to have dealt a blow to the FTC’s ability to impose penalties and other affirmative obligations on companies to generally improve their data security programs. The 11th Circuit repeatedly criticized the FTC’s failure to identify any specific unfair act or practice committed by LabMD. But most importantly, the FTC’s order lacked specific prohibitions or mandates imposed on LabMD that could be complied with; the requirement of implementing and maintaining a “reasonably designed” data-security program was apparently insufficient guidance. In light of the 11th Circuit’s decision, vagueness and specificity arguments will likely gain renewed vigor in disputes with the FTC.
But this likely will not mean that the FTC will become less vigilant in investigating and sanctioning companies for data security problems (in fact, the FTC arguably also strengthened its position with the 11th Circuit’s assumption—without deciding—that negligent failure to maintain a reasonable data-security program may constitute an unfair act or practice under Section 5(a)). Instead, future FTC actions under Section 5(a) may simply become more specific and targeted, and the resulting sanctions and cease and desist orders may be more specific as to what is required. Whether that means the FTC will simply seek overly specific (and arguably onerous) mandates in future cease and desist orders remains to be seen.
It should also be noted that the make-up of the FTC has changed almost completely since it issued the LabMD order in 2016, with four of the five current commissioners having been sworn in just last month, in May 2018.
Regardless of the outcome in LabMD, Inc. v. Federal Trade Commission, data security remains a significant issue, and will only become more important throughout the 21st century. Accordingly, companies should remain diligent in implementing and maintaining their data-security programs, including following the FTC’s “Stick With Security” principles, which are discussed in more detail here, here, here, here, here, here, here, and here.