Alert

June 8, 2018

Eleventh Circuit Court of Appeals Rejects FTC Data Security Order in LabMD Appeal

On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit issued its long-awaited decision in LabMD, Inc. v. Federal Trade Commission. The court vacated a cease and desist order issued by the Federal Trade Commission related to LabMD's data-security practices. The court held that the order was unenforceable because it did not direct LabMD to stop committing any specific act or practice. The court stopped short of deciding whether the FTC has authority under Section 5(a) of the Federal Trade Commission Act to bring enforcement actions based on an alleged failure to implement and maintain reasonable data security.

The court's decision responds to a petition by LabMD to vacate the order that resulted from an administrative complaint filed by the FTC in August 2013. The complaint alleged that, contrary to company policy, a LabMD employee installed a peer-to-peer sharing application on a computer that allowed consumer data to be exposed and further alleged that LabMD engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for consumers' personal information on LabMD's computer networks. In its answer to the complaint and a motion to dismiss, LabMD called into question whether its alleged failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice under Section 5(a), thereby questioning the FTC's authority to bring the action against LabMD. When the FTC appealed the Administrative Law Judge's decision regarding the administrative complaint to the full Commission, the Commission vacated the ALJ's decision and declared that the allegations constituted an unfair act or practice under Section 5(a) because such failure caused substantial injury to consumers' right of privacy.

In addressing LabMD's appeal of the FTC's decision, the 11th Circuit panel noted that the decision did not explicitly cite a source for the standard of unfairness it used in reaching that finding, but determined that the source was common law negligence. The court stated that, under a negligence theory, a consumer's right of privacy is protected against unintentional invasion. While the court did not address the merits of this theory, it assumed for the purpose of its decision that the FTC was correct and that LabMD's negligent failure to design and maintain a reasonable data-security program invaded consumers' right of privacy and therefore constituted an unfair act or practice.

The court then addressed whether the FTC's order was enforceable. In doing so, the court reviewed the FTC's authority to establish an unfair act or practice through litigation in one of two forums: before an ALJ or before a federal district judge. The court observed that, regardless of the forum, specificity in the prohibitions contained in a cease and desist order or an injunction is crucial to enforceability.

Here, the FTC's cease and desist order commanded LabMD to overhaul and replace its data-security program to meet what the court called "an indeterminable standard of reasonableness." The court went on to question how a district court could hold that LabMD violated the order's injunctive provisions based on the FTC's vague requirement that LabMD establish, implement and maintain a comprehensive security program reasonably designed to protect the security, confidentiality and integrity of consumers' personal information. The court posited a scenario in which the FTC sought to enforce the order in a district court and a battle of expert witnesses ensued over whether LabMD's data security practices were reasonable. The court concluded that such a battle would be impossible to resolve because nothing in the order indicates which expert would be correct. Based on this, the court concluded that the FTC could never win on its own motion to enforce the order. In fact, the court stated that for a district court to determine that LabMD violated the order by failing to implement a necessary data security practice, the district court would be required to micromanage an injunction that would require repeated modification.

In holding that the order is unenforceable, the court referred to the order's "sweeping prophylactic measures to collectively reduce the possibility of employees installing unauthorized programs on their computers and thus exposing consumer information." Because the FTC failed to enjoin a specific act or practice and instead mandated a complete overhaul of LabMD's data-security program while saying little about how such overhaul was to be accomplished, the order cannot be enforced.

Notably, the court observed that had the complaint alleged only that the peer-to-peer sharing application was installed in defiance of LabMD's policies and that act caused alleged consumer injury, a narrowly drawn and easily enforceable order may have followed requiring LabMD to eliminate the possibility that employees could install unauthorized programs on their computers. The complaint went beyond that single allegation, however, and used the installation of the peer-to-peer sharing application as an entry point to broadly allege that LabMD's data-security operations were deficient as a whole.

The 11th Circuit's decision raises many questions about data security unfairness claims. What are the implications for enforcement of the FTC's other data security orders that are similarly structured? Can the FTC bring data security unfairness claims if the allegations and injunctions are drawn narrowly? Has the court added a new required element for unfairness in stating that the action be "grounded in well-established legal policy," an element that is not included in Section 5(n) of the FTC Act? The impact of this decision will be seen in the FTC's actions in the coming months, including whether the FTC seeks cert to bring this case to the Supreme Court.

Our thanks to Becki Kuehn, Michael Goodman and Katie Hawkins with Hudson Cook, LLP for providing this summary. If you have questions, please feel free to contact Becki at rkuehn@hudco.com, Michael at mgoodman@hudco.com or Katie at khawkins@hudco.com.
