In the latest episode of a long-running saga, the Eleventh Circuit has ruled against the Federal Trade Commission (FTC) in its years-long battle with LabMD Inc. The Court vacated the FTC’s order requiring LabMD to implement a data security program. But it failed to decide a key issue: LabMD’s insistence that in the absence of a consumer injury, the FTC has no jurisdiction to regulate inadequate data security as an unfair act or practice under Section 5 of the FTC Act (15 U.S.C. § 45(a)).
Nevertheless, the ruling marks a significant milestone with profound implications for the FTC’s regulation of data security. It particularly undermines the Commission’s traditional reliance on consent decrees to impose sweeping long-term mandates.
The controversy originated in 2008, when a cybersecurity company found a data security issue in LabMD’s systems. After unsuccessfully attempting to negotiate a consulting arrangement with LabMD, the company went to the FTC, triggering an investigation. The FTC directed LabMD to implement a security program. The ensuing dispute ultimately culminated in LabMD’s appeal to the Eleventh Circuit.
The Eleventh Circuit held that the FTC’s order was too vague to be enforceable. It noted that the order required a “complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” The Commission could not issue such a directive without clarifying specific requirements that LabMD would have to meet. Notably, the court found that the FTC could prohibit particular policies or procedures, but not require LabMD “to meet an indeterminable standard of reasonableness.”
While the scope of the FTC’s cybersecurity jurisdiction remains open, the Eleventh Circuit’s holding does highlight the need for vigilance in cybersecurity programs. The whole saga originated in a single employee’s use, in violation of company policy, of a file-sharing program on a company-owned computer. That one instance, combined with the dubious intervention of a would-be cybersecurity vendor, culminated in a comprehensive FTC investigation of LabMD’s entire cybersecurity program.
Indeed, the Eleventh Circuit observed that the FTC would have been on safe ground had it confined itself to LabMD’s failure to enforce the prohibition on file-sharing programs. In that case, “a narrowly drawn and easily enforceable order might have followed, commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers.” Instead, the FTC listed a number of practices that it contended fell short of providing reasonable security.
This final directive was a step too far for the Court. It observed that LabMD’s purported Section 5 problems rested on vague and unspecified failures rather than particular unfair acts and practices. To the extent the FTC had relied on an apparent theory of general negligence, without connecting it to specific errors or omissions, the order was unenforceable.
The decision is a largely symbolic victory for LabMD. The company shut down years ago because of the FTC’s enforcement action. But the ruling raises fundamental questions about the FTC’s authority to bring additional enforcement actions on the basis of cybersecurity practices it considers unreasonable. At a minimum, the FTC can expect to be challenged for failure to identify specific flaws, vulnerabilities and deficiencies in future actions.
The decision also calls into question the future enforceability of 60 cybersecurity-related settlements that other companies have entered into with the FTC. Virtually all of those decrees substitute general reasonableness language for the specifics that the Eleventh Circuit required in the LabMD case. And the FTC has a history of taking alleged violations of consent decrees seriously.
Perhaps most fundamentally, the LabMD decision appears to significantly undermine the FTC’s views of its sweeping cybersecurity jurisdiction under the “unfairness” prong of Section 5 of the FTC Act. It is a testament to either the resilience of the American legal system or the power of the administrative superstate that the FTC’s cybersecurity powers derive from a single, brief phrase in a 1914 statute: “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” By contrast, the European Union’s month-old General Data Protection Regulation runs into thousands of words. But the LabMD decision signals that the era of relying on a single century-old phrase may be coming to an end.
The Eleventh Circuit held that the FTC “must find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes or the common law.” What those standards are, and how they evolve, will doubtless be the subject of litigation in the years to come.