Antitrust and Unfair Competition Law
Eleventh Circuit Reverses FTC’s Data Security Order Against LabMD
Lydia Parnes and Edward Holman
Wilson Sonsini LLP
On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit issued its decision in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Eleventh Circuit declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders, even those not having to do with data security.
Background
The facts surrounding the FTC’s litigation history with LabMD are long and complex. See ALJ Initial Decision at 15-44, In the Matter of LabMD, Inc.; Opinion of the Commission at 2-8, In the Matter of LabMD, Inc.; LabMD, Inc. v. FTC, No. 16-16270, slip op. at 2-9 (11th Cir. June 6, 2018). The FTC filed an administrative complaint against LabMD in 2013 following an extensive investigation into the company’s data security practices. FTC Complaint, In the Matter of LabMD, Inc. The investigation and complaint were precipitated by the alleged improper installation of LimeWire, a peer-to-peer file-sharing application, on a computer used by LabMD’s billing manager sometime in 2005. This eventually resulted in the acquisition of a company file containing the personal information of 9,300 consumers (known as the “1718 File” because of its length) by a data security company, Tiversa, in 2008. LabMD, slip op. at 3. Tiversa offered to sell security remediation services to LabMD, but was rebuffed, and then shared the 1718 File with the FTC. Id. at 3-4. The FTC’s complaint alleged that LabMD had engaged in unfair acts or practices in violation of Section 5 of the FTC Act because it had failed to employ reasonable and appropriate measures to prevent unauthorized access to personal information. FTC Complaint at 5.
The FTC’s case was first decided in 2015 by an administrative law judge (ALJ), who dismissed the complaint following an administrative trial, holding that FTC staff had not proven that LabMD’s conduct caused, or was likely to cause, substantial consumer injury, and thus could not be declared “unfair” under Section 5. ALJ Initial Decision at 92. The decision was then appealed to the full commission, which vacated the ALJ’s decision. In its opinion, the FTC held that the “substantial injury” requirement for unfairness under Section 5 was met because (1) the unauthorized disclosure of the 1718 File itself caused intangible privacy harm and (2) the unauthorized exposure of the 1718 File for more than 11 months on LimeWire created a high likelihood of a large harm to consumers. Opinion of the Commission at 25. The FTC issued a final cease and desist order “requiring that LabMD notify affected individuals, establish a comprehensive information security program, and obtain assessments regarding its implementation of the program.” Id. at 37. LabMD then petitioned the Eleventh Circuit to review the FTC’s decision and stay enforcement of the cease and desist order pending review, which the court granted in 2016. LabMD, Inc. v. FTC, 678 F. App’x 816 (11th Cir. 2016).
The Eleventh Circuit’s Decision
The key questions at issue before the Eleventh Circuit were (1) whether LabMD’s conduct and the exposure of the 1718 File actually caused or was likely to cause any injury to consumers sufficient to meet Section 5’s unfairness standard and (2) whether the commission’s cease and desist order was enforceable. Many observers were expecting the Eleventh Circuit to substantively address the first question; instead, the court assumed “arguendo” that the commission was correct in its determination that LabMD’s failure to design and maintain a reasonable data security program constituted an unfair act or practice. The court instead based its decision to vacate the cease and desist order solely on its view that the order is not sufficiently specific to be enforceable. To support its reasoning, the court walked through the FTC’s options for bringing claims against unfair acts or practices either administratively (as was done for LabMD) or in federal district court (as was done in the FTC’s case against Wyndham, see FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 799 F. 3d 236 (3rd Cir. 2015)), and then evaluated the commission’s options for proceeding against a party that violates an order arising from either action. Specifically, the court found that whether a district court is evaluating an FTC complaint for violation of an administrative cease and desist order, or a contempt motion for an injunctive order, the specificity of the order “is crucial to both modes of enforcement.” LabMD, slip op. at 25. Thus, the court held that “the prohibitions contained in cease and desist orders and injunctions must be specific. Otherwise, they may be unenforceable.” Id. at 27.
In applying this specificity requirement to the FTC’s cease and desist order against LabMD, the court found that, rather than containing any commands that the company stop committing any specific act or practice, the order “commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” Id. To elaborate on this holding, the court walked through a hypothetical example where the FTC brings an action against LabMD for failing to implement a particular safeguard and therefore failing to implement a “reasonably designed” information security program. In its example, the court found that, given that the order “is devoid of any meaningful standard informing the court of what constitutes a ‘reasonably designed’ data-security program,” it had to conclude that the FTC cannot prove LabMD’s violation by clear and convincing evidence. Id. at 28-29. To hold otherwise, the court found, would effectively and improperly modify the order via a show cause hearing, which may then be repeated over and over through future enforcement actions. “The practical effect of repeatedly modifying the injunction at show cause hearings,” the court reasoned, “is that the district court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes,” and that this type of “micromanaging is beyond the scope of court oversight contemplated by injunction law.” Id. at 30. The court therefore held that the commission’s order must be vacated because it is effectively unenforceable.
Implications
Where the FTC goes from here remains to be seen. The commission could potentially seek an en banc review by the Eleventh Circuit or appeal the decision to the U.S. Supreme Court. If the Eleventh Circuit decision stands, it could have downstream effects on the FTC’s remedial powers more generally. Specifically, the broad requirement to implement a comprehensive information security program contained in the LabMD order has become a common fixture of FTC data security settlements ever since the commission imposed the first such requirement in its agreement and consent order with Eli Lilly in 2002. Since then, the FTC has also included similarly worded requirements to implement comprehensive privacy programs in its privacy consent orders, such as the FTC’s settlement with Facebook in 2012. In the wake of the Eleventh Circuit’s decision, the FTC will have to evaluate how it can refine one of its most prominent enforcement tools in data security and privacy settlements. Also, companies under existing settlements that contain requirements to implement comprehensive security or privacy programs may now wonder whether those requirements are truly enforceable. Nevertheless, companies should not act as though they are now free from FTC oversight of their data security practices. While the FTC may have some enforcement challenges ahead of it, the commission is expected to continue to vigorously pursue data security issues going forward.