The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security.
As we previously reported, the FTC faulted LabMD for failing to have “basic” data security practices. The Commission found that this failure resulted in the unauthorized disclosure of personal information pertaining to 9,300 individuals. As a result, it ruled that LabMD’s data security practices amounted to “unfairness” under Section 5 of the FTC Act. And similar to many of the FTC’s other data security cases, it ordered LabMD to reform those practices.
LabMD challenged the FTC’s order in federal court. Its primary argument was that the FTC exceeded its legal authority in finding that LabMD’s data security practices were unfair acts or practices under the FTC Act. After the Eleventh Circuit stayed enforcement of the FTC’s order, some observers believed that the court might agree with LabMD on this point. This would have created a circuit split with the Third Circuit, which upheld the FTC’s authority to regulate data security under the “unfair practices” prong of Section 5 of the FTC Act. However, the Eleventh Circuit did not address the FTC’s legal authority to regulate data security. Instead, the court assumed as true that LabMD’s failure to maintain reasonable data security was an unfair act or practice under Section 5.
Although the court did not limit the FTC’s legal authority to regulate data security, the Eleventh Circuit nonetheless ruled against the FTC—and in doing so may have limited the Commission’s ability to enforce broad remedial orders.
The court began its analysis by noting that the harm at issue in the case—the unauthorized disclosure of consumers’ personal information—occurred because a LabMD employee installed a peer‑to‑peer file‑sharing application on her work computer, against the company’s policy. The opinion suggests that the FTC could have crafted a sufficiently specific order to remedy this harm by requiring that LabMD eliminate the possibility that employees “could install unauthorized programs on their work computers.” Instead, the FTC went beyond this specific occurrence and alleged that LabMD’s data security practices were deficient as a whole. As the court put it: for the Commission, “it was LabMD’s multiple, unspecified failures to act in creating and operating its data-security program that amounted to an unfair act or practice.” And in order to remedy this perceived widespread failure, the FTC’s order included “sweeping prophylactic measures” that would have regulated “all aspects” of LabMD’s data security practices.
It was the vagueness—in the court’s view—of these prophylactic measures that resulted in the Eleventh Circuit vacating the FTC’s order for lack of specificity. The court found that the order would have required LabMD to satisfy “an indeterminable standard of reasonableness” rather than instructing the company “to stop committing a specific act or practice.” And in requiring that LabMD meet this standard, the order included “precious little about how this [would have been] accomplished.” As a consequence of failing to include greater specificity in the order, the Eleventh Circuit feared that it would have fallen on a federal district court in enforcement proceedings to give concrete meaning to the order’s requirements. But because the order was “devoid of any meaningful standard informing the court what constitutes a ‘reasonably designed’ data-security program,” the district court would have no way of determining whether LabMD was complying with the order.
It is not yet clear how the FTC will respond to this decision. The Commission might seek rehearing en banc or appeal the decision to the Supreme Court in order to address some of the questions left unanswered by the Eleventh Circuit’s opinion. For example, in reaching its conclusion, the court did not discuss the long-standing “fencing-in” doctrine—under which the FTC has historically justified its broad remedial orders—although the Commission raised the issue in its brief.
If the decision stands, however, it could affect the viability of some of the Commission’s remedial powers. Many of the consent orders that the FTC has required companies to adopt—particularly those involving data security but also some related to other issues—have included broad prophylactic remedies that are similarly premised on a reasonableness standard. In the wake of this decision, some of those companies may now wonder whether their orders are also unenforceable.