Lydia Parnes and Edward Holman
Wilson Sonsini LLP
On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit issued its decision in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Eleventh Circuit declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security.
The facts surrounding the FTC’s litigation history with LabMD are long and complex. See ALJ Initial Decision at 15-44, In the Matter of LabMD, Inc.; Opinion of the Commission at 2-8, In the Matter of LabMD, Inc.; LabMD, Inc. v. FTC, No. 16-16270, slip op. at 2-9 (11th Cir. June 6, 2018). The FTC filed an administrative complaint against LabMD in 2013 following an extensive investigation into the company’s data security practices. FTC Complaint, In the Matter of LabMD, Inc. The investigation and complaint were precipitated by the alleged improper installation of LimeWire, a peer-to-peer file-sharing application, on a computer used by LabMD’s billing manager sometime in 2005. This eventually resulted in the acquisition of a company file containing the personal information of 9,300 consumers (known as the “1718 File” because of its length) by a data security company, Tiversa, in 2008. LabMD, slip op. at 3. Tiversa offered to sell security remediation services to LabMD, but was rebuffed, and then shared the 1718 File with the FTC. Id. at 3-4. The FTC’s complaint alleged that LabMD had engaged in unfair acts or practices in violation of Section 5 of the FTC Act because it had failed to employ reasonable and appropriate measures to prevent unauthorized access to personal information. FTC Complaint at 5.
The FTC’s case was first decided in 2015 by an administrative law judge (ALJ), who dismissed the complaint following an administrative trial, holding that FTC staff had not proven that LabMD’s conduct caused, or was likely to cause, substantial consumer injury, and thus could not be declared “unfair” under Section 5. ALJ Initial Decision at 92. The decision was then appealed to the full commission, which vacated the ALJ’s decision. In its opinion, the FTC held that the “substantial injury” requirement for unfairness under Section 5 was met because (1) the unauthorized disclosure of the 1718 File itself caused intangible privacy harm and (2) the unauthorized exposure of the 1718 File for more than 11 months on LimeWire created a high likelihood of a large harm to consumers. Opinion of the Commission at 25. The FTC issued a final cease and desist order “requiring that LabMD notify affected individuals, establish a comprehensive information security program, and obtain assessments regarding its implementation of the program.” Id. at 37. LabMD then petitioned the Eleventh Circuit to review the FTC’s decision and stay enforcement of the cease and desist order pending review, which the court granted in 2016. LabMD, Inc. v. FTC, 678 F. App’x 816 (11th Cir. 2016).
The Eleventh Circuit’s Decision
The key questions at issue before the Eleventh Circuit were whether (1) LabMD’s conduct and the exposure of the 1718 File actually caused or was likely to cause any injury to consumers sufficient to meet Section 5’s unfairness standard and (2) whether the commission’s cease and desist order was enforceable. Many observers were expecting the Eleventh Circuit to substantively address the first question; instead, the court assumed “arguendo” that the commission was correct in its determination that LabMD’s failure to design and maintain a reasonable data security program constituted an unfair act or practice. The court instead based its decision to vacate the cease and desist order solely on its view that the order is not sufficiently specific to be enforceable. To support its reasoning, the court walked through the FTC’s options for bringing claims against unfair acts or practices either administratively (as was done for LabMD) or in federal district court (as was done in the FTC’s case against Wyndham, see FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 799 F. 3d 236 (3rd Cir. 2015)), and then evaluated the commission’s options for proceeding against a party that violates an order arising from either action. Specifically, the court found that whether a district court is evaluating an FTC complaint for violation of an administrative cease and desist order, or a contempt motion for an injunctive order, the specificity of the order “is crucial to both modes of enforcement.” LabMD, slip op. at 25. Thus, the court held that “the prohibitions contained in cease and desist orders and injunctions must be specific. Otherwise, they may be unenforceable.” Id. at 27.
In applying this specificity requirement to the FTC’s cease and desist order against LabMD, the court found that, rather than containing any commands that the company stop committing any specific act or practice, the order “commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” Id. To elaborate on this holding, the court walked through a hypothetical example where the FTC brings an action against LabMD for failing to implement a particular safeguard and therefore failing to implement a “reasonably designed” information security program. In its example, the court found that, given that the order “is devoid of any meaningful standard informing the court of what constitutes a ‘reasonably designed’ data-security program,” it had to conclude that the FTC cannot prove LabMD’s violation by clear and convincing evidence. Id. at 28-29. To hold otherwise, the court found, would effectively and improperly modify the order via a show cause hearing, which may then be repeated over and over through future enforcement actions. “The practical effect of repeatedly modifying the injunction at show cause hearings,” the court reasoned, “is that the district court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes,” and that this type of “micromanaging is beyond the scope of court oversight contemplated by injunction law.” Id. at 30. The court therefore held that the commission’s order must be vacated because it is effectively unenforceable.
Where the FTC goes from here remains to be seen. The commission could potentially seek an en banc review by the Eleventh Circuit or appeal the decision to the U.S. Supreme Court. If the Eleventh Circuit decision stands, it could have downstream effects on the FTC’s remedial powers more generally. Specifically, the broad requirement to implement a comprehensive information security program contained in the LabMD order has become a common fixture of FTC data security settlements ever since the commission imposed the first such requirement in its agreement and consent order with Eli Lilly in 2002. Since then, the FTC has also included similarly worded requirements to implement comprehensive privacy programs in its privacy consent orders, such as the FTC’s settlement with Facebook in 2012. In the wake of the Eleventh Circuit’s decision, the FTC will have to evaluate how it can refine one of its most prominent enforcement tools in data security and privacy settlements. Also, companies under existing settlements that contain requirements to implement comprehensive security or privacy programs may now wonder whether those requirements are truly enforceable. Nevertheless, companies should not act as though they are now free from FTC oversight of their data security practices. While the FTC may have some enforcement challenges ahead of it, the commission is expected to continue to vigorously pursue data security issues going forward.