The U.S. Circuit Court of Appeals for the 11th Circuit vacated the LabMD Federal Trade Commission order but did not challenge the Commission’s ability to use its unfairness authority to challenge inadequate data security practices in  a closely watched case that tested the commission’s enforcement powers.

Background

The FTC issued a complaint against LabMD in 2013, alleging that the now-defunct clinical laboratory failed to reasonably protect the security of consumers’ personal data. It was the first litigated administrative data security action before the FTC. In 2016, an administrative law judge dismissed the complaint and found that complaint counsel had failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security practices constitutes an unfair practice and did not prove that the practices either caused or were likely to cause substantial consumer injury. The  FTC reversed the ALJ. The Commission’s unanimous opinion held that the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information because of inadequate data security measures, was in and of itself a substantial injury under Section 5(n) of the FTC Act (the FTC’s unfairness authority).

The 2016 FTC order required LabMD to implement and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, nature and scope of respondent’s activities and include:

• The designation of an employee to coordinate and be accountable for the program.
• A risk assessment that considers, among other things, employee training and management, information systems, and prevention, detection and response to attacks, intrusions, or other system failures.
• Design and implementation of reasonable safeguards to control identified risks.
• Development of vendor oversight processes.
• Evaluation and adjustment of program in light of testing and monitoring

Order found unenforceable

In its decision, the Eleventh Circuit found that the prohibitions contained in the FTC administrative cease and desist order were unenforceable because the order did not instruct LabMD to stop committing a specific act or practice. The court found that the order commanded LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness which a district court could not enforce under its contempt power. In short, the court appears to assert that LabMD was diagnosed with a cold and prescribed open heart surgery.

The Eleventh Circuit conflates an administrative FTC order with a district court injunction when it posits a scenario in which the FTC sought to enforce the order and, for purposes of its illustration, assumed that the order was a district court order–rather than an administrative order–having concluded that prohibitions contained in administrative orders and injunctions are the same. The court’s hypothetical scenario suggests that the FTC would enforce its administrative order in district court by alleging  that LabMD failed to implement a certain criteria as part of a data security program and as a result the data security program is not “reasonably designed.” The court has essentially imagined a battle of the experts at a show cause hearing where experts disagree.

The Eleventh Circuit concludes that the practical effect would be to put the district court in a position of managing LabMD’s business in accordance with the FTC’s wishes. However, there are significant differences in the enforcement of an FTC order, and a show cause hearing to enforce a district court injunction. Specifically, under the FTC Act, if a respondent violates a Commission administrative order, the FTC conducts an investigation of the potential violations and the respondent may be liable for civil penalties of up to $41,484 per violation.

Impact of Court’s decision

Many FTC data security settlements require the creation of comprehensive data security or privacy programs which are similar to what is required by the GLBA Safeguards Rule, the New York Cyber Regulations and to some extent, the EU’s General Data Protection Regulation.

On Wednesday, the Eleventh Circuit held that the FTC’s order was unenforceable, but it notably did not address whether the alleged data security lapses caused or is likely to cause substantial injury to consumers and constituted an unfair act or practice under Section 5 of the FTC Act.

Although the decision leaves intact the FTC’s authority to challenge data security practices as unfair it could provide fuel for respondents when negotiating data security settlements with the Commission. The court’s decision would have been far more devastating had it taken on the meaning of “likely to cause substantial injury” which is an element of unfairness.