On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most important issue in the case: LabMD’s contention that the FTC lacks jurisdiction to enforce allegations that inadequate data security constitutes an unfair act or practice under Section 5 of the FTC Act (15 U.S.C. § 45(a)).
In 2005, a billing manager at LabMD downloaded the peer-to-peer file-sharing application LimeWire, inadvertently enabling the sharing of some files, including one that contained the personal information of 9,300 consumers. In 2008, an entity specializing in data security found this file and attempted to use it to pitch its data security services to LabMD. After negotiations between the data security vendor and LabMD fell through, in 2009, the data security vendor shared the file with the FTC, prompting a lengthy investigation. In August 2013, the FTC issued an administrative complaint against LabMD, alleging that its failure to provide reasonable and appropriate security for personal information on its computer networks amounted to an unfair act or practice.
The legal battle over the FTC’s complaint against LabMD has bounced around the court system for some time. It seemed LabMD had made some progress in its defense when, in July 2015, an administrative law judge (ALJ) dismissed the FTC’s complaint for failure to prove that LabMD’s allegedly inadequate data security amounted to an unfair act or practice. In July 2016, the FTC reversed the ALJ’s findings, reinstated the complaint against LabMD, and issued a cease and desist order, requiring LabMD to implement a data security program sufficient to meet the FTC’s standards, thus setting the stage for the appeal to the 11th Circuit.
The 11th Circuit’s decision sidesteps any determination on whether inadequate data security practices are tantamount to an unfair act or practice under FTC jurisdiction. Instead, the decision vacates the order on the grounds that a cease and desist order cannot mandate such a large undertaking without giving specifics for how it is to be accomplished. The order is unenforceable because it neither prohibits LabMD from doing a specific thing nor instructs it to stop a specific action.
While the court’s finding may leave much to be desired on the underlying issue of whether the FTC can bring a complaint against a company for failure to maintain adequate data security programs and practices, it does highlight the importance for companies to be vigilant in implementing data security programs and policies. Here, the point of compromise was one employee’s actions in disobeying company policy and downloading a file-sharing program onto a company workstation, opening the door for the FTC to review and critique LabMD’s entire data security program. In its opinion, the court suggests it might have taken a different stance if the FTC’s complaint and order had stopped at enjoining LabMD to eliminate any possibility that an employee could install unauthorized programs on workstations. The court appears to take issue with the lack of specificity in blaming LabMD’s entire data security program for posing a risk to personal information. It will be interesting to see how the opinion influences investigations and complaints by the FTC and state attorneys general (whose consumer protection authority is based on so-called state “Mini-FTC Acts”) regarding allegedly inadequate data security programs moving forward.
The FTC and state AGs have ramped up their actions in pursuing companies that they believe have lax data security policies that could lead to the compromise of consumers’ personal information. With the continued media focus on data security incidents, as well as the growing threats from cybercriminals (both foreign and domestic), that enforcement activity is unlikely to slow anytime soon, even with this decision. That said, the decision does open the door for companies to challenge the breadth of the FTC’s orders going forward.