Antitrust Law Daily
News
Thursday, June 7, 2018

FTC order requiring LabMD to overhaul data security practices unenforceable

By Nicole D. Prysby, J.D.

Because an FTC cease and desist order contained no prohibitions, but merely commanded a company to overhaul and replace its data-security program to meet an unstated standard of reasonableness, the order was unenforceable, held the U.S. Court of Appeals in Atlanta. Following a data security breach of consumer personal information, the FTC brought an enforcement action against LabMD, alleging that its failure to implement reasonable security practices was an unfair act or practice under FTC Act Section 5(a). In the resulting cease and desist order, the FTC required LabMD to implement a data security program that met the FTC’s standard of reasonableness. LabMD argued that the order did not direct it to cease committing an unfair act or practice within the meaning of Section 5(a). The court agreed, finding that because the order did not enjoin a specific act or practice, it had no specific standard that would allow a court to determine whether LabMD had violated the order. Therefore, the order was unenforceable (LabMD, Inc. v. FTC, June 6, 2018, Tjoflat, G.).

Background. Sometime in 2005, an employee of LabMD installed a peer-to-peer file sharing application on her work computer, in violation of LabMD’s security policy. A data security company was able to use the peer-to-peer software to download files from the employee’s machine, including a file with the personal information of more than 9,000 consumers. The data security company offered its services to LabMD. LabMD declined and removed the peer-to-peer software from the employee’s computer. In 2009, the data security company delivered the file with consumer data to the FTC. The FTC issued a complaint against LabMD, but the complaint did not allege practices LabMD had engaged in; rather, it alleged data security measures that LabMD had failed to perform. LabMD asserted that the FTC had no authority to regulate how it handled personal information stored on its network.

Following a trial in front of an administrative law judge, in which the ALJ found that the FTC failed to prove that LabMD had committed unfair acts or practices, the FTC appealed to the full Commission, which reversed the ALJ’s decision. The FTC issued a cease and desist order to LabMD, directing LabMD to create and implement a variety of broad protective data security measures. LabMD petitioned the court to vacate the order, arguing that the cease and desist order was unenforceable because it did not direct the company to cease committing an unfair act or practice within the meaning of Section 5(a).

Unfair act or practice. The court first considered whether LabMD’s failure to design and implement a reasonable data security program was an unfair act or practice under Section 5(a). The FTC argued that it was, because the failure caused substantial injury to consumers’ right of privacy. Although the FTC did not cite the source of the unfairness, the court determined that the FTC had based its decision on the common law of negligence as the established policy creating a standard for unfairness. In other words, the law of negligence is a source that provides a standard for determining whether an act or practice is unfair. Therefore, a corporation that negligently infringes the consumer interest against unintentional invasion may be held accountable under Section 5(a). The court declined to decide the issue, but assumed it to be true so that it could address LabMD’s second argument regarding whether the cease and desist order was enforceable.

Enforceability of cease and desist order. The court reviewed the FTC’s options for litigating an unfair act or practice. The FTC may choose to litigate the issue in front of an ALJ (resulting in a cease and desist order) or before a federal district judge (resulting in an injunction). If a cease and desist order is violated, the FTC would bring a civil penalty action in federal district court. If an injunction is violated, the FTC may invoke the district court’s civil contempt power. But while the FTC Act does not address what content must go into a cease and desist order, the prohibitions in such an order would need to be clear and precise for a district court to impose civil penalties for violation. Similarly, specificity would be required in an injunction.

The court found that the cease and desist order contained no prohibitions; it merely commanded LabMD to overhaul and replace its data-security program to meet an unstated standard of reasonableness. That command is unenforceable, because a district court could not enforce it if the FTC sought enforcement of the order there. Because the order did not enjoin a specific act or practice, but required LabMD to implement a "reasonably-designed" security program, it had no specific standard that would allow a court to determine whether LabMD had violated the order. To find a violation, the court would need to modify the cease and desist order to include the implementation of specific practices, effectively managing the company’s overhaul of its data security program. Because the order would be unenforceable under a district court’s contempt power, and the standards governing the coercive enforcement of injunctions and cease and desist orders are the same, the order was unenforceable.

The case is No. 16-16270.

Attorneys: Douglas Harlan Meal (Ropes & Gray, LLP) for LabMD, Inc. Matthew Michael Hoffman for the FTC.

Companies: LabMD, Inc.
