The Eleventh Circuit recently issued a long-awaited ruling in the LabMD case. There, the FTC had brought an enforcement action against a cancer detection laboratory that suffered a data breach. The agency faulted the company for lax data security and, in July 2016, issued a broad order requiring changes to the company’s systems. Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back. It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the Commission. LabMD appealed that decision to the Eleventh Circuit.

The court punted on some key issues it could have addressed, including what type of injury is cognizable in a data breach case, a question that arises frequently in data privacy cases of all types, not just those brought under Section 5 of the FTC Act. It also did not address what notice the FTC must give companies of what it considers “reasonable” security measures. Instead, it issued a relatively narrow ruling on the vagueness of the FTC’s order: directing LabMD to cease and desist its prior practices and to revise and replace its data security program, without specifying what the replacement program must contain, was not specific enough to be enforceable. Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently.
Putting it into Practice: The FTC is certainly not backing down. In fact, it recently announced a series of hearings to explore next steps in its enforcement of privacy and data security, among other things. After LabMD, we expect that when the agency issues orders requiring company action, it will be more specific about what it mandates.