In recent years, the Federal Trade Commission (“FTC”) has taken the lead among federal agencies in regulating the cybersecurity practices of companies that handle consumer personal information. The FTC has entered into numerous consent orders and other settlements with regulated companies that broadly require implementation and maintenance of information security programs that are “reasonably designed” to protect security and confidentiality of consumer information. A federal appeals court has now cast doubt on the viability of such orders. In a ruling issued on June 6, 2018, the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc. (“LabMD”) as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance.
The LabMD Ruling
The FTC brought an enforcement action in 2013 against LabMD, a now-defunct medical laboratory that previously conducted diagnostic tests for cancer, alleging that it had committed an “unfair act or practice” by failing to implement adequate cybersecurity measures to protect sensitive consumer information. The complaint alleged that a LabMD employee had installed on a company computer a peer-to-peer file sharing application called LimeWire. Through LimeWire, personal information of 9,300 consumers stored on LabMD’s system—including patient names, dates of birth, social security numbers, health insurance policy numbers, and laboratory test codes—was inadvertently exposed to other users. A data security company downloaded the information through LimeWire and provided it to the FTC after LabMD refused its offers to provide data security remediation services.
The FTC’s complaint alleged that LabMD committed an unfair practice or act by failing to provide reasonable security for consumer data stored on its network, and thus caused a substantial risk of injury to consumers in violation of § 5(a) of the Federal Trade Commission Act (“FTCA”). After a trial, an Administrative Law Judge (“ALJ”) dismissed the FTC’s complaint on the grounds that the FTC had failed to prove that LabMD’s actions caused or were likely to cause injury to consumers. The ALJ rejected as speculative the FTC’s evidence that exposure of personal information increased the likelihood of identity theft, because it failed to show that any consumer had in fact been victimized by identity theft as a result of the disclosure, or that there was anything more than a theoretical risk of future identity theft.
On appeal by the FTC, the Commission unanimously reversed the ALJ’s opinion. It held that the harm to consumer privacy from an unauthorized disclosure of sensitive health information inherently constitutes a substantial injury under the FTCA, and that the disclosure created a significant risk of medical identity theft. It entered a cease-and-desist order that required LabMD to implement “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers,” as well as obtain periodic independent assessments of its implementation of the program and notify the affected consumers.
LabMD appealed the Commission’s order to the Eleventh Circuit, which vacated the order. The Court assumed arguendo that failure to maintain an adequate data security program could constitute an “unfair act or practice” under Section 5(a) of the FTCA, as the Third Circuit previously held in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), based on negligence principles. However, the Court held that the order was unenforceable because it failed to provide any “meaningful standard” for determining “what constitutes a ‘reasonably designed’ data security program.” Rather than enjoining a specific act or practice, the order called for a broad overhaul of defendant’s data security program. Thus, as a practical result, “the district court [would be] put in the position of managing LabMD’s business in accordance with the Commission’s wishes,” a situation which the Court found is “beyond the scope of court oversight contemplated by injunction law.”
The most immediate result of the decision is to limit the FTC’s options for relief in privacy and data security enforcement actions (at least within the Eleventh Circuit). Absent Supreme Court intervention, many of the FTC’s prior consent decrees risk being found at least partly unenforceable. And, in future actions, the FTC will need to identify specific infringing conduct and propose particular practices or policies to remedy breaches of data security, rather than broadly requiring implementation and maintenance of information security programs that are “reasonably designed” to protect security and confidentiality of consumer information.
Notably, the Eleventh Circuit did not decide that the FTC lacked jurisdiction under the FTCA to bring enforcement actions based on alleged failures to maintain adequate data security programs. As a practical matter, however, the FTC may face challenges in seeking to impose specific equitable remedies for such failures in light of LabMD (the FTC generally lacks jurisdiction to seek monetary relief other than for violations of prior orders or settlements). As the FTC has explained:
[T]he touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors.
Imposing specific data security requirements may be feasible in certain instances, but in many cases doing so may be unreasonable and impractical, particularly in light of the fast-moving changes in cybersecurity and data privacy risks, as well as the absence of harmonized data security standards in the U.S. Time will tell whether the Eleventh Circuit’s decision curtails FTC enforcement actions going forward, or whether the FTC will shift course and focus on seeking more particularized data security requirements in response to alleged violations of the FTCA.
LabMD, Inc. v. Fed. Trade Comm’n, No. 16-16270, --- F.3d ---, 2018 WL 2714747, at *1 (11th Cir. 2018).
Id. at *16-18.
Id. at *11.
Id. at *12.