The U.S. Court of Appeals for the Eleventh Circuit recently issued its opinion in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), declaring unenforceable a Federal Trade Commission (FTC) order requiring LabMD to implement an extensive cybersecurity plan. The case is noteworthy for its lengthy procedural background—during which time LabMD became defunct—and its holding, which has called into question the FTC’s authority to impose wide-ranging, comprehensive cybersecurity plans.
The LabMD matter dates to 2005, when LimeWire file sharing software was installed on a company computer, in violation of company policy. According to the Court, a LabMD employee inadvertently designated the contents of the “My Documents” folder for sharing. In doing so, the employee exposed a file containing the healthcare information of 9,300 patients. In February 2008, a computer security company, Tiversa, downloaded that file and used the healthcare information it contained to pitch its cybersecurity services to LabMD. When LabMD refused Tiversa’s services, Tiversa gave the information to the FTC.
Following an FTC investigation, enforcement proceedings before an administrative law judge (ALJ) and eventually the full Commission, and stay proceedings, the Eleventh Circuit ultimately reversed the Commission’s ruling. According to the Court, the FTC had the authority to simply order LabMD to implement a program preventing employees from installing third-party software on their company computers, thus addressing the relevant data security incident. Instead, in the Eleventh Circuit’s view, the FTC’s order required the company’s data security program “to meet an indeterminable standard of reasonableness.” Thus, rather than “enjoin a specific act or practice,” the order mandated “a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” The practical result, observed the Court, “is that the district court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes…as if the Commission was LabMD’s chief executive officer and the court was its operating officer.” The Court held that “this micromanaging is beyond the scope of court oversight contemplated by injunction law.”
The LabMD decision inevitably constrains the FTC’s authority to impose broad and comprehensive cybersecurity programs on defendants in the Eleventh Circuit, absent specific measures warranted by the circumstances of the infraction. That said, it would be a mistake to interpret the decision as preventing the FTC from regulating cybersecurity and data privacy. The Eleventh Circuit indeed recognized the FTC’s authority to do just that. Instead, LabMD requires the FTC to issue orders with greater specificity, depending on the facts of the case, and does not call into question the broader issue of whether the FTC can regulate data security at all.
For additional analysis and insights, read the LabMD Client Advisory here.