FTC Commissioners Explore Path for Data Security Enforcement Following Major Eleventh Circuit Decision Vacating Common FTC Order Language as Too Vague

King & Spalding

In LabMD v. FTC, the Eleventh Circuit vacated an order requiring a company to implement a data security program “reasonably designed” to protect information.  Following the LabMD decision, the FTC announced a series of public hearings addressing topics including data security and privacy.  During the first of those hearings, on Thursday, September 13, FTC Deputy Director for Economic Analysis James Cooper said the country is at an “inflection point” regarding data privacy and security enforcement and questioned whether the FTC needs to “rethink” its regulatory framework.

In June, the United States Court of Appeals for the Eleventh Circuit issued its opinion in LabMD, Inc. v. Federal Trade Commission,[i] narrowing the Federal Trade Commission’s ability to issue broad remediation orders in response to alleged data-security deficiencies.  In LabMD, the court vacated an FTC order requiring LabMD to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”[ii]  The court held that the FTC’s order was unenforceable for failing to prohibit any specific acts or practices.[iii]  The opinion raises questions about numerous FTC data-security orders entered in adversarial proceedings and about the enforceability of such broad remediation orders moving forward.  That said, the court declined to resolve a challenge to the FTC’s authority to commence proceedings to remediate cybersecurity deficiencies in the absence of a statutory or common-law predicate that confers this authority.  A ruling on that issue was unnecessary given the court’s holding that the remediation order was unenforceable.  This leaves a Third Circuit decision recognizing the FTC’s authority to regulate in this space as the only circuit decision published on this question, and the FTC will thus remain an active regulator of cybersecurity while this question continues to be litigated. 

Factual Background of LabMD Decision    

In 2007 and 2008, the computer of a billing manager for LabMD, Inc. contained a 1,718-page file with the personal information of 9,300 consumers, including names, Social Security numbers, and medical and health insurance information.[iv]  Contrary to company policy, the billing manager’s computer was connected to LimeWire, a peer-to-peer file sharing network, and the employee designated for sharing his “My Documents” folder, in which the 1,718-page file was stored.[v]  In February 2008, data security company Tiversa Holding Corp. used LimeWire to download the file and began marketing its security services to LabMD based on its discovery of the file.  When LabMD refused to buy Tiversa’s remediation services, Tiversa reported LabMD’s allegedly poor security structure to the FTC.[vi]

The FTC investigated the incident and issued an administrative complaint against LabMD listing a number of data security measures that the company allegedly failed to perform.  After much litigation brought the issue before the full Commission for a ruling, the FTC found that LabMD failed to implement “reasonable security measures” to protect consumer information, which in turn constituted an “unfair act or practice” under Section 5(a) of the FTC Act.[vii]  The Commission further held that the evidence established actual substantial injury, or the likelihood thereof, because the unauthorized disclosure of the consumer information file caused intangible privacy harm, and the mere exposure of the consumer information file on LimeWire was likely to cause substantial injury.[viii]  The Commission rejected LabMD’s argument that the FTC’s reasonableness standard for determining what data-security practices were “unfair” was void for vagueness.[ix]

The Commission entered an order enjoining LabMD to “establish and implement, and . . . maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”[x]  The order contained no prohibitions or specific measures or protocols for LabMD to adopt.  The order instead stated that the data security program shall “contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers.”[xi]

Eleventh Circuit’s LabMD Opinion

LabMD petitioned for review in the United States Court of Appeals for the Eleventh Circuit.[xii]  On appeal, LabMD argued, among other things, that the Commission lacked authority under Section 5 of the FTC Act to hold that LabMD’s data security practices were unfair, and that the Commission’s injunction was impermissibly vague.[xiii]

The Eleventh Circuit agreed with LabMD’s vagueness argument, concluding that the Commission’s order of injunctive relief was unenforceable because it did not direct LabMD to cease committing any unfair act or practice within the meaning of Section 5.[xiv]  The court explained that the Commission’s Order “does not instruct LabMD to stop committing a specific act or practice,” but rather “commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”[xv]  Any attempt to enforce the FTC’s Order for alleged deficiencies by LabMD, the Eleventh Circuit noted, would lead to district court proceedings in which LabMD and the FTC would present competing experts as to what constitutes “reasonable” data security practices—essentially placing the district judge in the position of managing LabMD’s cyber security program according to the FTC’s ongoing demands.[xvi]  Accordingly, the Eleventh Circuit vacated the order.

The Eleventh Circuit sidestepped the larger question of whether the FTC’s Section 5 mandate to enjoin unfair practices extends to data security.  Although the court did not decide the issue, it did provide several pages of dicta regarding the question, offering considerable context for discussion.  The court first summarized the FTC’s statutory authority to investigate and enjoin unfair practices under Section 5, noting that a finding of “unfairness” requires (1) a substantial injury, (2) that is not outweighed by any countervailing benefits to consumers or competition, and (3) that could not reasonably have been avoided.  Focusing on the second factor, known as the public policy factor, the court emphasized that a finding of unfairness cannot be premised on abstract or general values and instead must be grounded on a specific statute, judicial decision, or Constitutional provision.[xvii]  The Eleventh Circuit offered one such ground on its own, pointing to common-law negligence in administering a deficient security program.  The court carefully stopped short of concluding that common-law negligence is a sufficient ground for a finding of unfairness, and instead simply assumed arguendo that it is, before moving on and vacating the remediation order on vagueness grounds.[xviii]

Import of the Eleventh Circuit’s LabMD Decision

The Eleventh Circuit’s decision not to reach the larger question of the FTC’s authority to regulate data security has disappointed many who were hoping for resolution of this issue.  The decision leaves a single circuit court ruling on this issue—a 2015 Third Circuit decision rejecting a party’s arguments that Section 5 did not give the FTC power to remedy allegedly deficient data-security practices.[xix]  In the absence of a ruling to the contrary by another circuit, regulated entities can expect that the FTC will remain an active regulator in the data security space, although the Section 5 question will continue to be litigated until additional circuit courts—and perhaps the Supreme Court—provide additional clarity.

Still, the LabMD opinion takes the interesting approach of offering an analytical roadmap to this important issue, even though it ultimately passes on a decision.  The court’s instruction that the FTC must predicate any findings of unfairness upon a specific statute, court decision, or Constitutional provision offers ammunition to those who continue to challenge FTC’s assertion that it has broad authority to regulate data security incidents.  At the same time, the FTC might reject this language as only dicta, or it might adopt the court’s reasoning and attempt to ground future enforcement actions on purported findings of common-law negligence in a company’s failure to maintain a secure data privacy environment.  The FTC also might try to rely on its authority to regulate “deceptive” practices by challenging companies that have made representations in privacy policies or other forward-facing statements.

As to the narrower issue of the scope of FTC remediation orders, LabMD may impact the FTC’s practice of issuing broad data security orders, at least in the Eleventh Circuit and possibly beyond, as discussed below.  The FTC may attempt to define specific prohibited or required acts or practices in more granular detail, or define “reasonable” cybersecurity standards in more precise technological terms going forward.  The Eleventh Circuit’s approach may be more unworkable than intended, as it can be impractical to craft a remediation order that prospectively addresses all possible security concerns, when a broader reference to recognized industry standards, such as those published by the National Institute of Standards and Technology (“NIST”), offers a practical solution.  Indeed, during the FTC’s September 13 hearing regarding Competition and Consumer Protection, discussed further below, former Commissioner Ohlhausen encouraged people to “pay attention to” the efforts of NIST, among other actors, to pass a uniform privacy framework.  And the FTC Act allows parties to challenge Commission orders in any circuit where “the act or practice in question was used” or in any circuit where the party “resides or carries on business.”[xx]  For many large businesses today, the FTC Act’s petitioner-friendly jurisdictional grant could allow the Eleventh Circuit’s ruling to have an effectively nationwide effect.

Finally, the Eleventh Circuit’s decision may call into question the FTC’s ability to seek sanctions and civil monetary penalties for certain alleged violations of data security consent orders the FTC has already issued.  Many of the FTC’s recent data security consent orders contain requirements almost identical to those contained in the order struck down in LabMD.[xxi]  Although parties accepting consent orders issued by the Commission generally waive their right to challenge the validity of the Commission’s order,[xxii] parties facing civil actions brought by the FTC for penalties for alleged violations of consent orders are likely to cite LabMD in negotiating a favorable resolution with the Commission.  Specifically, parties may argue that, pursuant to precedent requiring “clear and convincing evidence that a lucid and unambiguous consent order has been violated,”[xxiii] the FTC cannot establish a violation of a consent order’s requirement that a party must maintain “a comprehensive information security program that is reasonably designed to protect” consumer information. 

The FTC’s Response to the LabMD Decision

Following the LabMD decision, the FTC announced it would hold 15 to 20 public hearings over the next few months regarding “Competition and Consumer Protection in the 21st Century.”[xxiv]  The topics to be addressed by the hearings include data security and privacy, among other items.[xxv]  According to FTC Deputy Director for Economic Analysis James Cooper, the goal of the hearings is to continue the FTC’s tradition of “calibrat[ing] its enforcement” and to “balance consumer interests and privacy and data security with the remarkable benefits . . . that the digital economy provides.”  Therefore, the FTC’s stated goal is to “identify opportunities to develop the law consistent with its enforcement authority.”[xxvi]

The FTC held the first of the scheduled hearings on September 13, 2018 at Georgetown University Law Center.[xxvii]  In his opening statement during the hearing, FTC Chairman Joseph Simons said the FTC’s “most significant and difficult consumer protection issues often revolve around the use and abuse of technological capabilities” not previously imagined.  No clear consensus emerged during the first hearing, but commentators identified problems with the current regulatory regime, such as the lack of predictability or of an overarching federal privacy framework.  Former FTC Commissioner Maureen Ohlhausen, who served as Acting FTC Chairman until April 2018 and stepped down from the FTC in late September 2018, argued in favor of the FTC’s case-by-case approach because it allows for greater flexibility in enforcement and reduces the need to predict the future when designing regulations.  Further, she noted that the FTC’s unfairness authority “works particularly well” where there hasn’t been a promise made to the consumer, but there is an “expectation that consumers won’t be injured through data collection and use.”  It is likely that future hearings—especially the hearings on Privacy, Big Data, and Competition scheduled for November 6-7, 2018—will further inform and illuminate the FTC’s plans for changes to data security and privacy enforcement.[xxviii]

[i] LabMD, Inc. v. F.T.C., 894 F.3d 1221 (11th Cir. June 6, 2018).

[ii] Id. at 1236.

[iii] Id. at 1224.

[iv] Id.

[v] Id.

[vi] Id. at 1224–25.

[vii] Id. at 1226–27.

[viii] Id.

[ix] Id. at 1227.

[x] Id. at 1236.

[xi] Id.

[xii] Pursuant to 15 U.S.C.  § 45(c), a party may appeal an order of the Commission in any Court of Appeals for “any circuit where the method of competition or the act or practice in question was used or where” the party “resides or carries on business.”  15 U.S.C. § 45(c).

[xiii] See generally, Brief of Petitioner, LabMD v. F.T.C., 2016 WL 7474626 (Dec. 27, 2016).

[xiv] LabMD, Inc., 894 F.3d at 1236–37.

[xv] Id. at 1236.

[xvi] Id. at 1236–37.

[xvii] Id. at 1229 n.24.

[xviii] Id. at 1237.

The FTC has not offered any substantive reaction to the Eleventh Circuit’s ruling.  According to Reuters, the Commission said in a statement that it was “disappointed” by the ruling, but that it “will continue to do everything [it] can to protect consumer privacy,” and that it is “evaluating [its] next steps in response to this decision.”  https://www.reuters.com/article/us-ftc-datasecurity-labmd/u-s-agency-loses-appeal-over-alleged-labmd-data-security-lapses-idUSKCN1J22XD.  The FTC could seek rehearing en banc before the Eleventh Circuit and/or seek review before the Supreme Court, but it has not indicated that it will do so.

[xix] F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 243–49 (3d Cir. 2015).

[xx] 15 U.S.C. § 45(c). 

[xxi] For example, the FTC’s consent orders for Uber, Lenovo, and Facebook all purport to require the respondent to establish, implement, or maintain “a comprehensive information security program that is reasonably designed” to “protect the security, confidentiality, and integrity of personal information” of consumers, or some close facsimile.  https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_decision_and_order.pdf (Uber shall “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to . . . protect the privacy and confidentiality of Personal Information.”); https://www.ftc.gov/system/files/documents/cases/152_3134_c4636_lenovo_united_states_decision_and_order.pdf (Lenovo shall “establish and implement, and thereafter maintain a comprehensive software security program that is reasonably designed to . . . protect the security, confidentiality, and integrity of covered information.”); https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf (Facebook, same as Lenovo).

[xxii] See 16 C.F.R. § 2.32 (“Every agreement in settlement of a Commission complaint shall . . . waive further procedural steps and all rights to seek judicial review or otherwise to challenge or contest the validity of the order.”).

[xxiii] Porrata v. Gonzalez-Rivera, 958 F.2d 6, 8 (1st Cir. 1992).

[xxiv] Federal Trade Commission, Federal Trade Commission Announces Hearings on Competition and Consumer Protection in the 21st Century, https://www.ftc.gov/system/files/attachments/hearings-competition-consumer-protection-21st-century/hearings-announcement_0.pdf. While the FTC has not explicitly stated that the hearings are a direct response to the LabMD decision, they appear to be at least somewhat motivated by a desire to find an objective guiding framework for future data privacy enforcement.

[xxv] Id. at 4.

[xxvi] Id. at 1.

[xxvii] FTC Hearing #1: Competition and Consumer Protection in the 21st Century, https://www.ftc.gov/news-events/events-calendar/2018/09/ftc-hearing-1-competition-consumer-protection-21st-century.

[xxviii] Federal Trade Commission, Hearings on Competition and Consumer Protection in the 21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-protection.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising