On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”).
The case stems from allegations that LabMD, a now-defunct clinical laboratory for physicians, failed to protect the sensitive personal information (including medical information) of consumers, resulting in two specific security incidents. One such incident occurred when a third party informed LabMD that an insurance-related report, which contained personal information of approximately 9,300 LabMD clients (including names, dates of birth and Social Security numbers), was available on a peer-to-peer (“P2P”) file-sharing network.
Following an FTC appeal process, the FTC ordered LabMD to implement a comprehensive information security program that included:
- designated employees accountable for the program;
- identification of material internal and external risks to the security, confidentiality and integrity of personal information;
- reasonable safeguards to control identified risks;
- reasonable steps to select service providers capable of safeguarding personal information, and requiring them by contract to do so; and
- ongoing evaluation and adjustment of the program.
In its petition for review of the FTC order, LabMD asked the Eleventh Circuit to decide (1) whether its alleged failure to implement reasonable data security practices constituted an unfair practice within the meaning of Section 5 of the FTC Act and (2) whether the FTC’s order was enforceable if it did not direct LabMD to stop committing any specific unfair act or practice.
The Eleventh Circuit assumed, for purposes of its ruling, that LabMD’s failure to implement a reasonably designed data-security program constituted an unfair act or practice within the meaning of Section 5 of the FTC Act. However, the court held that the FTC’s cease and desist order, which was predicated on LabMD’s general negligent failure to act, was not enforceable. The court noted that the prohibitions contained in the FTC’s cease and desist orders and injunctions “must be stated with clarity and precision”; otherwise they may be unenforceable. The court found that in LabMD’s case, the cease and desist order contained neither prohibitions nor instructions directing the company to stop a specific act or practice. Rather, the FTC “command[ed] LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.” The court took issue with the FTC’s scheme of “micromanaging,” and concluded that the cease and desist order “mandate[d] a complete overhaul of LabMD’s data-security program and [said] precious little about how this [was] to be accomplished.” The court also noted that the FTC’s prescription was “a scheme Congress could not have envisioned.”