The U.S. Court of Appeals for the Eleventh Circuit on June 6 issued its long-awaited decision in LabMD v. Federal Trade Commission, vacating a Federal Trade Commission cease and desist order directing LabMD to overhaul its data security program because the allegedly deficient program constituted an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act. The court found that the FTC’s cease and desist order lacked the specificity necessary to be enforceable, which may constrain the FTC’s ability in the future to impose sweeping privacy and security program requirements in its enforcement actions.
LabMD is a now-defunct medical laboratory that conducted diagnostic testing. In 2005, a peer-to-peer file sharing application was installed on LabMD’s network, which permitted other users of the peer-to-peer service to browse shared files on the network, including a file with the personal information of over 9,300 patients. In 2008, a security consulting company known as Tiversa found the file and offered to sell its security services to LabMD in return for not disclosing the data leak. After negotiations between Tiversa and LabMD fell through, Tiversa shared the file with the FTC.
Following a lengthy investigation, the FTC issued an administrative complaint in 2013 and in 2016 ordered LabMD to implement a data security program that comported with FTC standards of reasonableness. LabMD petitioned the Eleventh Circuit to review the decision, claiming that the cease and desist order was unenforceable because “the order [did] not direct it to cease committing an unfair ‘act or practice’ within the meaning of Section 5(a).”
Eleventh Circuit Opinion
The Eleventh Circuit granted LabMD’s petition for review and vacated the FTC’s order, finding that even assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a), the FTC’s cease and desist order was unenforceable for vagueness.
Calling the concept of specificity “crucial” to enforcement, the court observed that both the FTC Rules of Practice and Federal Rule of Civil Procedure 65(d)(1) reference certain specificity requirements including clarity, conciseness and reasonable detail. In this case, the court found that although the FTC’s cease and desist order mandated a complete overhaul and replacement of LabMD’s data-security program, it also failed to prohibit LabMD from engaging in any specific acts or practices. The order provided no details on how the overhaul would be accomplished or assessed, effectively charging the district court with overseeing the process. For these reasons, the court held that the FTC’s order was unenforceable, as FTC orders “must comport with the requirement of reasonable definiteness.”
The LabMD decision has significant implications for companies faced with investigations and enforcement actions by the FTC’s Division of Privacy and Identity Protection. In the past, companies negotiating consent orders with the FTC had to deal with a largely non-negotiable condition that they agree to the creation of a comprehensive privacy or security program. These privacy and security programs do not prohibit the specific conduct that gave rise to the FTC investigation; rather, they impose on companies an obligation to put in place broad prophylactic measures. The Eleventh Circuit’s ruling gives companies under investigation leverage to push back against these conditions. Not only does the LabMD decision require the FTC to identify the specific acts or practices that are the subject of any complaint or cease and desist order, it also limits the FTC in designating acts and practices as unfair to those that are considered unfair “under a well-established standard, whether grounded in statute, common law, or the Constitution.” In doing so, the LabMD decision rejected the FTC’s broad position that it may bring an action based solely on a substantial consumer injury.
The LabMD decision highlights the importance of being diligent in adopting vigorous company data security policies and programs. Although the FTC has not defined what constitutes a reasonable data security program, companies should consider adopting the following measures to reduce the likelihood of an FTC enforcement action:
- Cybersecurity Training: Educate employees on appropriate security conduct, such as verifying the source of an unknown email before opening an attachment or clicking on a link and not downloading unauthorized software.
- Vulnerability Management: Conduct vulnerability scans and penetration testing to identify potential vulnerabilities and patch all known vulnerabilities as soon as practicable.
- Password Control: Manage passwords to ensure that they are adequately strong, not shared, and changed on a quarterly basis.
- Access Controls: Limit access to sensitive personal or confidential information only to those individuals who require it to perform their duties.
- Encryption: Ensure that any personal, sensitive or confidential information is encrypted.
- Network Monitoring: Employ scanning software on your network to detect the presence of potential malware.
- Antivirus: Employ up-to-date antivirus programs to prevent potential malware infections.
- Application Whitelisting: List the legitimate applications that may run on your network and block unauthorized programs.
- Vendor Due Diligence: Conduct thorough diligence on the data security practices, policies and procedures of vendors who access your data or systems.
- Incident Response: Develop, update and test your incident response plan.
* Sarah Lightstone is a summer associate in Fenwick's litigation group.