LabMD, a now-defunct cancer-screening lab based in Georgia, has spent a decade fighting the Federal Trade Commission (“FTC”). Last week, LabMD won the fight. In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit invalidated an FTC order against LabMD requiring the company to implement a data-security program that satisfied the FTC’s standard of “reasonableness.” The Court ruled that the FTC cannot broadly command a business to overhaul its data-security program, but must provide clear and precise directions about how to achieve compliance. This decision will likely curtail the FTC’s ability to regulate companies’ data-security practices in the future.

The LabMD saga began when someone (likely a LabMD employee) installed a file-sharing program on a LabMD employee’s computer. The program gave outsiders access to the personal information of approximately 9,300 of LabMD’s customers. After an extensive investigation, the FTC issued an administrative complaint alleging that “LabMD had committed an ‘unfair act or practice’ prohibited by Section 5(a) [of the Federal Trade Commission Act (“Act”)] [11 U.S.C. §45(a)] by ‘engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information of its computer networks.’” Notably, the FTC’s complaint failed to identify LabMD’s specific violations, and instead alleged that LabMD had failed to provide reasonable and appropriate security for personal information on its computer networks. After multiple motions and appeals, the FTC issued a cease and desist order requiring LabMD to “install a data-security program that comported with the FTC’s standard of reasonableness.”

LabMD fought the FTC’s order and ultimately appealed to the Eleventh Circuit. LabMD’s appeal raised two critical questions:

  1. Was LabMD’s alleged failure to implement and maintain a reasonably designed data-security program an “unfair act or practice” within the meaning of Section 5(a)? The Eleventh Circuit avoided ruling on this issue by assuming that LabMD’s failure to implement a proper data-security program invaded customers’ privacy rights and was an unfair act or practice under Section 5(a). Before doing so, however, the Court clarified that the test for a Section 5(a) unfair act or practice requires that the act or practice: (1) cause a substantial injury that is not outweighed by benefits to consumers; and (2) be grounded in a well-established legal principle, such as negligence or violation of an applicable statute.
  2. Was the FTC’s cease and desist order, founded upon LabMD’s general negligent failure to act, unenforceable because it failed to identify specific acts or practices that LabMD was required to stop and did not contain clear and precise requirements for LabMD to achieve compliance? Indeed, the order simply required LabMD to broadly revamp its data-security program in a way the FTC found “reasonable.” The Eleventh Circuit held in favor of LabMD, explaining that the FTC’s order should have been more specific, such as requiring the company to prevent future installation of unauthorized computer programs. Without more specificity, the FTC’s order – and “reasonableness” standard – was too vague and therefore unenforceable. The Court therefore granted LabMD’s petition and vacated the FTC’s order.

What does this opinion mean for the future? It means that FTC orders on data-security must outline clear and precise requirements for businesses so that district courts can enforce the orders. The FTC cannot broadly order a company to revamp its entire data-security program to align with the FTC’s “reasonableness” standard. It also opens the door for companies to argue that an alleged unfair practice is not sufficiently grounded in well-established legal principle.

LabMD’s decade-long challenge of the FTC’s regulatory authority is being praised by some as heroic. Indeed, the Eleventh Circuit’s decision last week sends a clear message to the FTC that its authority is limited and that its cease and desist orders must clearly specify any prohibited conduct.

– Keesal, Young & Logan Cybersecurity and Privacy Group

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.