LabMD, Inc. v. Fed. Trade Comm'n
894 F.3d 1221 (2018)
Rule of Law:
A Federal Trade Commission cease and desist order is unenforceable if it does not prohibit a specific act or practice, but instead commands a company to overhaul its operations to meet an indeterminate standard of reasonableness.
Facts:
- LabMD, Inc., a medical laboratory specializing in cancer diagnostics, maintained sensitive personal and medical information for thousands of consumers on its computer network.
- In 2005, contrary to LabMD policy, a billing manager installed the peer-to-peer file-sharing application LimeWire on a company computer.
- The employee configured the application to share the contents of her 'My Documents' folder over the network.
- This folder contained a 1,718-page file with the personal information of approximately 9,300 consumers, including names, Social Security numbers, dates of birth, and laboratory test codes.
- In February 2008, Tiversa Holding Corporation, a data security firm, discovered and downloaded this file via the LimeWire network.
- Tiversa then attempted to sell its data remediation services to LabMD, which refused the offer.
- In 2009, after LabMD's refusal, Tiversa provided the file containing consumer data to the Federal Trade Commission (FTC).
- LabMD has since ceased operations but continues to exist as a corporate entity responsible for securing the patient data it retains.
Procedural Posture:
- The Federal Trade Commission (FTC) filed an administrative complaint against LabMD, Inc., alleging its data security practices constituted an 'unfair act or practice' in violation of Section 5(a) of the FTC Act.
- The case was tried before an Administrative Law Judge (ALJ).
- The ALJ dismissed the complaint, concluding the FTC failed to prove that LabMD's alleged security failures caused or were likely to cause substantial consumer injury.
- The FTC, as complainant, appealed the ALJ's decision to the full Commission.
- The full Commission, reviewing the case de novo, reversed the ALJ's decision, found LabMD's data security practices were unfair, and issued a final cease and desist order against LabMD.
- LabMD, Inc., as petitioner, petitioned the U.S. Court of Appeals for the Eleventh Circuit to review and vacate the Commission's final order.
Issue:
Is a Federal Trade Commission cease and desist order that requires a company to implement a 'reasonably designed' comprehensive information security program, without prohibiting any specific act or practice, sufficiently specific to be enforceable?
Opinions:
Majority - Tjoflat, Circuit Judge
No. A cease and desist order is unenforceable if it does not direct the subject to cease committing a specific, identifiable unfair act or practice. The FTC's order fails this standard because it commands LabMD to implement a 'reasonably designed' data-security program, which is an indeterminate and vague standard. The court reasoned that both FTC cease and desist orders and judicial injunctions are coercive orders that require specificity to be enforceable and to comport with due process. An order must be precise enough for a party to understand its obligations and for a court to determine compliance, especially given the severe civil penalties for violations. The FTC's order against LabMD contained no specific prohibitions; it did not order LabMD to stop allowing file-sharing software or to cease any other particular action. Instead, it mandated a complete overhaul of LabMD's security program to meet a subjective standard of 'reasonableness.' Enforcing such an order would improperly place a district court in the role of micromanaging LabMD's business operations, adjudicating battles of experts over what is 'reasonable' in perpetuity. Because the order lacks the requisite specificity and proscribes no particular conduct, it is unenforceable and must be vacated.
Analysis:
This decision significantly curtails the FTC's ability to police corporate data security through its Section 5 'unfairness' authority. It establishes that the FTC cannot rely on issuing broad, forward-looking remedial orders that mandate general standards of conduct like 'reasonableness.' The ruling forces the Commission to be more specific in its enforcement actions, requiring it to identify and prohibit discrete, wrongful acts or practices rather than simply declaring an entire data-security program deficient. This raises the bar for the FTC in data security cases, potentially requiring it to either promulgate more specific data security rules or to focus its litigation efforts on concrete, prohibited behaviors rather than systemic failures.
