Without a specific practice to banish, Commission's order is held 'unenforceable'

Epic

In early June, the Federal Trade Commission (FTC or Commission) suffered a defeat at the hands of the 11th Circuit, when the court vacated an order it had lodged against LabMD, a now-defunct cancer detection center.

This dispute goes way back in FTC years, back to 2013, when the original complaint was filed. If you look at the Commission's action summary, you'll get a feel for just how many times this particular ball has been kicked back and forth.

Trojan Remorse

At some point in the mid-2000s, a LabMD employee installed LimeWire, a peer-to-peer (P2P) file-sharing application, on her work computer. LimeWire, one of the many P2P file-sharing services that became popular in the early aughts, connected to a network of millions of users. From 2007 to 2008, the employee's use of the application exposed to this network a sensitive file saved on her hard drive that contained the personal information of thousands of LabMD customers.

Although it is unclear how many times the file was shared over LimeWire, or if it was ever shared at all, a third-party consultant began contacting LabMD about the exposure. The consultant offered to take care of the security breach, but LabMD rebuffed the company's advances.

In response, the consultant, in early 2009, downloaded the file from LimeWire and forwarded it to the FTC for review. The Commission's complaint, which alleged that LabMD engaged in "unfair practices" because it had failed to implement a security plan that reasonably protected the patients, was filed in 2013. The case went back and forth until June 2018, when the latest appeal hit the 11th Circuit.

The Takeaway

Before the circuit court was an enforcement action brought by the Commission. The action, which the FTC had approved in 2016, mandated that LabMD "install a data-security program that comported with the FTC's standard of reasonableness" as a response to the company's allegedly unfair lack of security measures.

The appellate court held that even if LabMD's failure to enact a security policy was the cause of harm to the exposed customers, "the Commission's cease and desist order is nonetheless unenforceable." The court assumed that the FTC was correct in concluding that LabMD's allegedly inadequate security standards constituted an unfair act or practice under Section 5 of the FTC Act. Nonetheless, the court found that the cease-and-desist order did not "enjoin a specific act or practice," but rather mandated "a complete overhaul of LabMD's data-security program and says precious little about how this is to be accomplished," and thus, by lacking sufficient specificity, was unenforceable.

We're waiting for news on what the FTC's next step might be – perhaps the case will find its way to the Supreme Court. In any event, the broad measures mandated by the Commission in many of its actions may come under new scrutiny in the wake of this decision, and the FTC may change how it frames cease-and-desist orders in data breach cases. The 11th Circuit specifically criticized the Commission for not setting forth specific prohibitions or instructing LabMD to cease specific acts or practices. The court found that by taking a generalized approach and mandating that LabMD implement measures "reasonably designed" to protect data security, any challenge to LabMD's compliance would essentially leave the district court "managing the overhaul," a result the court held was "a scheme Congress could not have envisioned." "It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law[,]" the court held.

The FTC may simply appeal and hope that the Supreme Court will hear the case and take the FTC's side, or we may start seeing greater technical specification from the Commission as to what constitutes reasonable data security requirements when it settles cases and enters into consent orders, or issues cease-and-desist orders. However, companies should not look to this decision as degrading the FTC's authority to bring unfairness actions under Section 5 based on allegedly inadequate security in the wake of a data breach, but rather as a purely technical decision regarding the proper scope of injunctive relief, and the courts' contempt powers to enforce consent and cease-and-desist orders.
