Appellate Court Directs FTC to Be More Specific in its Data-Security Orders

 
June 12, 2018

In a closely watched data-security case, the U.S. Court of Appeals for the Eleventh Circuit vacated as unenforceable a cease and desist order issued by the U.S. Federal Trade Commission (FTC) against LabMD, Inc. According to the court, the order required LabMD to overhaul its data-security program, but provided insufficient guidance to the defendant on what a “reasonable” program would look like. The court therefore vacated the FTC’s order. This OnPoint discusses the Eleventh Circuit’s opinion and its broader implications for data-security enforcement by the FTC. 

Factual and Procedural Background 

LabMD is a now-defunct medical laboratory that previously conducted diagnostic testing for cancer. In 2005, contrary to company policy, a peer-to-peer file-sharing application was installed on a computer used by LabMD’s billing manager, exposing to users of the application a file containing personal information of 9,300 consumers, including their names, dates of birth, social security numbers, specific lab and medical tests conducted by LabMD, and other sensitive information. The file was accessed by a data security firm, which unsuccessfully sought to offer its remediation services to LabMD. No other third parties accessed the file during the eleven months it was exposed. Nor were there any reports of identity theft or other inappropriate uses of the exposed information. 

In August 2013, the Commission issued an administrative complaint against LabMD, alleging that it had committed an “unfair act or practice” under Section 5 of the FTC Act by engaging in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information stored on its computer networks. The administrative law judge (ALJ) hearing the case ruled for LabMD, concluding that the FTC complaint counsel had failed to prove that LabMD’s actions (or inaction) caused or were likely to cause substantial injury to consumers, as required under the FTC Act.

The full Commission reversed the ALJ’s decision in July 2016, finding that LabMD’s data-security practices were unfair under Section 5. In particular, the Commission concluded that LabMD failed to adequately secure its computer network, employ suitable risk-assessment tools, provide data-security training to its employees, and adequately restrict and monitor the computer practices of those using its network. It found that substantial injury was established in two ways: one, the unauthorized disclosure of the consumer information itself caused intangible privacy harm; and two, the mere exposure of the consumer information was likely to cause substantial injury. 

The Commission also rejected LabMD’s arguments that the Section 5 “unfairness” standard—which, according to the Commission, is a “reasonableness” standard—is void for vagueness and that the FTC failed to provide fair notice of what data-security practices were adequate under Section 5. The Commission explained that it imposed on LabMD the same basic data-security standard the agency has consistently articulated for nearly fifteen years, which requires firms maintaining personal information to implement reasonable and appropriate measures to prevent or minimize the harm to consumers from unauthorized disclosure of such information. Vacating the ALJ’s decision, the Commission entered an order requiring LabMD to establish and maintain a data-security program reasonably designed to protect consumers’ personal information. LabMD petitioned the Eleventh Circuit to review the Commission’s decision. 

The Eleventh Circuit’s Decision 

The Eleventh Circuit vacated the FTC’s remedial order. The court explicitly limited its analysis to the cease and desist order issued by the Commission. It did not review the Commission’s finding of liability under Section 5; rather, the court “assume[d] arguendo that the Commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data-security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”2 

The court ruled that the Commission’s cease and desist order was unenforceable. As noted by the court, the order contains no prohibitions or instructions to LabMD to stop committing any specific acts or practices. Rather, it requires LabMD to overhaul and replace its data-security program to meet “an indeterminable standard of reasonableness.”3 Moreover, given the lack of guidance in meeting this standard, the order “effectually charges the district court with managing the overhaul.”4 According to the Eleventh Circuit, “[t]his command is unenforceable.”5 

In reaching this conclusion, the court focused on the concept of “specificity,” which, according to the court, applies equally to cease and desist orders issued by the Commission itself and injunctions sought by the Commission from a federal court. Although the FTC Act is silent on what must be included in a cease and desist order, the court explained that the remedy sought by the Commission must comport with the requirement of “reasonable definiteness” that applies to complaints issued by the agency under the FTC rules of practice. The court found that the imposition of penalties upon a party for violating “an imprecise cease and desist order”—up to $41,484 per violation or day in violation, under the FTC Act—may constitute a denial of due process.6 As a result, prohibitions in a cease and desist order “must be stated with clarity and precision.”7 

The court concluded that the “broad” remedial order issued by the Commission failed the test of specificity because it provided LabMD with insufficient information on how to avoid violating the order and thereby incurring potentially significant monetary penalties. The court therefore vacated the Commission order. 

Impact and Future Considerations 

The Eleventh Circuit’s decision represents a potential setback, or, at best, a mixed result, for the FTC’s data-security enforcement program. Importantly for the agency, the court did not question the Commission’s authority to bring data-security cases under the FTC Act. The decision on the enforceability of the order, however, may implicate the ability of the FTC to establish liability in the first instance. Although it assumed liability had been proven in this case, the court described as “indeterminable” the reasonableness standard the FTC expected LabMD to meet to comply with the order. Because reasonableness is the same standard the FTC claims it applies in assessing liability in data-security cases, the Eleventh Circuit’s criticisms of that standard in the remedy context could influence other courts in their liability determinations. 

More immediately, the court’s decision will make it more difficult for the FTC to enforce its existing data-security orders. The order vacated by the Eleventh Circuit is very similar to other recent data-security orders issued by the Commission, including one levied against Uber Technologies, Inc. earlier this year.8 Following this decision, the Commission is likely to re-evaluate the specific requirements it imposes in its data-security orders. The agency may, for example, seek to more closely tailor its remedial orders to the violations that it finds. This would be a welcome development. Increased specificity in FTC orders would benefit those firms seeking to remain in compliance, as well as others looking to steer clear of an FTC investigation or enforcement action. 

Still, the LabMD decision does little to address the substantial uncertainty surrounding the Commission’s reasonableness standard in the area of data security. Questions remain as to what specific practices companies must undertake to meet the agency’s reasonableness standard. Further, the courts have not clearly defined the substantial injury the FTC must prove to establish a practice as unfair. In LabMD, there was no evidence of identity theft or financial harm from misuse of the exposed consumer information. But, because the Eleventh Circuit did not address the liability issue, the case law remains unsettled on whether a company can be found to violate the FTC Act through mere exposure of sensitive consumer information. 

The challenges presented by the Eleventh Circuit decision notwithstanding, the newly constituted Commission is expected to continue its vigorous data-security enforcement program. In his Senate confirmation hearing, now-Chairman Joseph Simons expressed his view that consumers need even more protection from data breaches and signaled his openness to the FTC being able to directly fine companies for their data-security practices.9 

Footnotes 

1) To be “unfair” under Section 5(n) of the FTC Act, the act or practice must cause or be likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).
2) LabMD, Inc. v. FTC, No. 16-16270, slip op. at 17-18 (11th Cir. June 6, 2018).
3) Id. at 27.
4) Id. at 31.
5) Id. at 27.
6) Id. at 25-26.
7) Id. at 25.
8) See Uber Technologies, Inc., FTC Docket No. 152-3054, Revised Decision and Order, Apr. 11, 2018.
9) See Daniel R. Stoller, FTC Nominees Highlight Privacy, Data Security Enforcement, Bloomberg Law, Feb. 14, 2018.
