The U.S. Court of Appeals for the Eleventh Circuit recently released its highly anticipated decision in the long-running case pitting the now-defunct medical laboratory LabMD against the Federal Trade Commission (FTC), vacating the FTC's data security order. In reaching its conclusion, the court held that the order's requirement that LabMD establish a comprehensive information security program was unenforceable. This holding has broad implications for the FTC's remedial powers in data security and privacy actions going forward, as requirements to establish a comprehensive security or privacy program have become common in FTC security and privacy settlements over the past 16 years. If the court's decision stands, the FTC will likely need to enjoin specific acts or practices in its security and privacy orders, rather than relying on broad requirements that companies implement comprehensive security or privacy programs.

Background

The facts surrounding the FTC's litigation history with LabMD are long and complex.¹ In short, the FTC filed an administrative complaint against LabMD in 2013 following an extensive investigation into the company's data security practices.² The investigation and complaint were precipitated by the alleged improper installation of LimeWire, a peer-to-peer file-sharing application, on a computer used by LabMD's billing manager sometime in 2005. This eventually resulted in the acquisition of a company file containing the personal information of 9,300 consumers (known as the "1718 File" because of its length) by a data security company, Tiversa, in 2008.³ Tiversa offered to sell security remediation services to LabMD, but was rebuffed, and then shared the 1718 File with the FTC.⁴ The FTC's complaint against LabMD alleged that the company had engaged in unfair acts or practices in violation of Section 5 of the FTC Act because it had failed to employ reasonable and appropriate measures to prevent unauthorized access to personal information.⁵

The FTC's case was first decided in 2015 by an administrative law judge (ALJ), who dismissed the complaint following an administrative trial, holding that FTC staff had not proven that LabMD's conduct caused, or was likely to cause, substantial consumer injury, and thus could not be declared "unfair" under Section 5.⁶ The decision was then appealed to the full commission, which vacated the ALJ's decision. In its opinion, the FTC held that the "substantial injury" requirement for unfairness under Section 5 was met because (1) the unauthorized disclosure of the 1718 File itself caused intangible privacy harm and (2) the unauthorized exposure of the 1718 File for more than 11 months on LimeWire created a high likelihood of a large harm to consumers.⁷ The FTC issued a final cease and desist order "requiring that LabMD notify affected individuals, establish a comprehensive information security program, and obtain assessments regarding its implementation of the program."⁸ LabMD then petitioned the Eleventh Circuit to review the FTC's decision and stay enforcement of the cease and desist order pending review, which the court granted in 2016.⁹

The Eleventh Circuit's Decision

The key questions at issue before the Eleventh Circuit were whether (1) LabMD's conduct and the exposure of the 1718 File actually caused or was likely to cause any injury to consumers sufficient to meet Section 5's unfairness standard and (2) whether the commission's cease and desist order was enforceable. Many observers were expecting the Eleventh Circuit to substantively address the first question; instead, the court assumed "arguendo" that the commission was correct in its determination that LabMD's failure to design and maintain a reasonable data security program constituted an unfair act or practice. The court instead based its decision to vacate the cease and desist order solely on its view that the order is not sufficiently specific to be enforceable. To support its reasoning, the court walked through the FTC's options for bringing claims against unfair acts or practices either administratively (as was done for LabMD) or in federal district court (as was done in the FTC's case against Wyndham¹⁰), and then evaluated the commission's options for proceeding against a party that violates an order arising from either action. Specifically, the court found that whether a district court is evaluating an FTC complaint for violation of an administrative cease and desist order, or a contempt motion for an injunctive order, the specificity of the order "is crucial to both modes of enforcement."¹¹ Thus, the court held that "the prohibitions contained in cease and desist orders and injunctions must be specific. Otherwise, they may be unenforceable."¹²

In applying this specificity requirement to the FTC's cease and desist order against LabMD, the court found that, rather than containing any commands that the company stop committing any specific act or practice, the order "commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable."¹³ To elaborate on this holding, the court walked through a hypothetical example where the FTC brings an action against LabMD for failing to implement a particular safeguard and therefore failing to implement a "reasonably designed" information security program. In its example, the court found that, given that the order makes no mention of the particular safeguard and "is devoid of any meaningful standard informing the court of what constitutes a 'reasonably designed' data-security program," the court had no choice but to conclude that the FTC cannot prove LabMD's violation by clear and convincing evidence.¹⁴ To hold otherwise, the court found, would effectively and improperly modify the order via a show cause hearing, which may then be repeated over and over through future enforcement actions. Thus, the court held that "[t]he practical effect of repeatedly modifying the injunction at show cause hearings is that the district court is put in the position of managing LabMD's business in accordance with the Commission's wishes," and that "[i]t is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law."¹⁵ The court therefore held that the commission's order must be vacated because it is effectively unenforceable.

Implications

The Eleventh Circuit's holding stands as one of the most significant judicial data security decisions. The broad requirement to implement a comprehensive information security program contained in the LabMD order has become a common fixture of FTC data security settlements ever since the commission imposed the first such requirement in its agreement and consent order with Eli Lilly in 2002. Since then, the FTC has also included similarly worded requirements to implement comprehensive privacy programs in its privacy consent orders, such as the FTC's settlement with Facebook in 2012. The court's holding that such a "complete overhaul" is unenforceable creates two significant issues for the commission if upheld:

1. The FTC will have to evaluate whether it can salvage one of its most prominent enforcement tools in data security and privacy settlements by making program requirements more specific. Even if it can, companies engaging in data security or privacy settlement negotiations with the FTC are likely to be much more aggressive in pushing back on broad requirements in consent orders as a result of the court's decision.
2. The FTC now faces uncertainty as to whether it will be able to effectively enforce existing settlements that contain requirements to implement comprehensive security or privacy programs. Though the FTC could bring enforcement actions outside the Eleventh Circuit and not have district courts bound by the appellate court's decision, the holding will still offer substantial defensive weight for entities subject to existing FTC consent orders with such provisions.

Where the FTC goes from here remains to be seen. The commission could potentially seek an en banc review by the Eleventh Circuit or appeal the decision to the U.S. Supreme Court. If the court had made a substantive decision in LabMD's favor on the question of whether LabMD's conduct met the unfairness standard under Section 5, it is possible that the decision could have created a circuit split with the Third Circuit as a result of its decision in Wyndham, but since the court deferred on that question, Supreme Court review seems unlikely. If the Eleventh Circuit's decision stands, companies under investigation for data security or privacy issues should, on the one hand be in a better negotiating position should the FTC propose a consent package with broad remedial measures. On the other hand, the short term will present a time of greater uncertainty as the FTC attempts to draft new order provisions consistent with the court's holding in new orders.