Privacy protection is an issue that will always be at the forefront of the legal world. Consumers expect that companies will protect their medical and other private identifying information. While the increase in digital data makes business dealings more efficient in many ways, it also unfortunately heightens the potential risk for privacy breaches. For decades, the Federal Trade Commission (“FTC”) has investigated and remedied privacy issues. While the FTC does not have explicit authority to regulate data privacy, it generally relies on Section 5 of the FTC Act to assert such authority. This lets the agency look into companies that engage in “unfair and deceptive acts and practices” relating to commerce.

If the FTC believes that there has been a data privacy breach within a company, it can file a legal proceeding and order the company to revamp its security programs. And that is exactly what the FTC did with LabMD. The FTC was notified that LabMD (a cancer diagnostic center) had private patient information stored in shared LimeWire files.

The agency determined that the company’s security measures were deficient and put private information at risk for public disclosure in violation of HIPAA. The FTC issued a cease and desist order that required LabMD to create a detailed security program that would reasonably protect confidential patient information. LabMD made a surprising move and challenged the order.

The 11^th Circuit Court made an even more surprising move when it ruled that the FTC’s security reform order was unenforceable. What is important is that the court never said that the FTC did not have authority to issue an order or that a data privacy reform was not warranted in this case. Instead, the court’s only reason for striking the order was because it was vague and did not command LabMD to make any specific changes to their cyber security program.

What does this mean for the future of data privacy enforcement?

Legal spectators are watching closely to see how the FTC will respond. The agency has already chosen not to appeal the LabMD ruling. The only clue we have into possible plans are broad statements from the FTC chairman about keeping data privacy a top priority. Here are some predictions about how the FTC might respond to this ruling:

1. Issue more detailed orders: The agency could continue investigating privacy breaches in the same manner, but change their approach at the resolution stage. This can be accomplished by providing clear detailed instructions about what steps a company must take to improve its cyber security program. Doing so would likely resolve any future court challenges since the LabMD court only had an issue with the vague nature of the FTC’s cease and desist order.
2. Lobby for direct authority: The FTC may lobby for explicit authority to conduct cyber privacy investigations. This would make the process more defined and provide the agency with clear laws to fall back on if a dispute arises. In fact, the FTC chairman has already requested that Congress amend the Administrative Procedure Act to grant the agency with power to issue cyber security rules and penalties.
3. Do nothing: The FTC may choose to delay making any decisions and see how future challenges play out in the courts.

How the FTC decides to respond to the LabMD ruling will shape the path for pending and future cyber security disputes. We may see a trend of companies more frequently challenging data privacy investigations. Companies now have precedent to use if they wish to challenge orders regarding data security reform. The attorneys representing Equifax in the highly publicized class action suit have already attempted to use the 11^th Circuit Court’s ruling to limit the FTC’s authority. Courts may be inclined to scrutinize FTC orders more harshly, especially if the orders do not provide a specific plan of action. It is more likely that the agency will decide to take action rather than keep quiet in order to continue its mission to protect private consumer information.