On the heels of a majority of new commissioners being sworn in at the Federal Trade Commission (FTC), the 11th Circuit Court of Appeals recently issued a greatly anticipated milestone ruling, involving data privacy and cybersecurity programs, that could have long-lasting implications for the private sector and FTC alike. In early June 2018, the Court essentially gutted a cease and desist order issued by the FTC in 2016 against a cancer-screening business called LabMD for its sloppy cybersecurity program.
LabMD was the first litigated data security action before the FTC. Throughout its complicated procedural history leading to the 11th Circuit’s decision, the FTC’s enforcement action against LabMD achieved celebrity status among data privacy and cybersecurity attorneys because of the critical issues at stake:
- First, in a data breach case, what type of consumer injury gives rise to “unfairness” under Section 5 of the FTC Act?
- Second, what type of notice is the FTC required to provide regarding reasonable data security measures?
In the original proceeding before an Administrative Law Judge, the FTC’s complaint against LabMD was dismissed because there was no proof that unreasonable security practices, alone, would create a substantial likelihood of severe consumer injury under Section 5 of the FTC Act. The full FTC reversed the ALJ, ruling that LabMD failed to implement reasonable security measures to protect the sensitive consumer information on its computer network. The FTC said this failure is “unfair” under Section 5 and, thus, created a substantial likelihood of consumer harm. It is this ruling that LabMD asked the 11th Circuit to vacate.
The Court’s opinion didn’t directly address the two critical questions at stake, but its holding indirectly answers them. The 11th Circuit vacated the FTC’s cease and desist order on the grounds that it constituted an overbroad and overreaching mandate for LabMD to completely “overhaul its data security program” without any guidance. The Court’s ruling validates LabMD’s argument, and that of several amici, that the cease and desist order is unenforceable because it does not direct LabMD to cease committing a specific unfair act or practice within the meaning of Section 5(a) and was, therefore, vague as to the specific practices needed to establish a reasonable data security program. The takeaway is that companies need a better idea of what is unfair and what data security measures are reasonable.
Although LabMD is now defunct, the ruling may have far-reaching implications, including, at the least extreme, level-setting for a new FTC made up of commissioners and staff who are relatively unfamiliar with data privacy and security issues. There is the possibility of challenges to pending cease and desist orders on similar grounds of vagueness. It is also possible that new cease and desist orders will be so prescriptive that there is little wiggle room for compliance. At the most extreme, if this decision is perceived to loosen oversight over privacy and cybersecurity practices, new debates and calls for federal privacy legislation, or for increased regulatory and rulemaking power for the FTC to protect consumer privacy, may grow louder.
Until there is further clarity, companies should remain vigilant in creating and continuously monitoring a reasonable data security program based on acceptable industry standards or applicable laws and regulations. Please consult Michael Best’s Privacy and Cybersecurity practice group with any questions or for assistance.