We have been watching the LabMD/FTC case for a long time. We have written about it, read the book about it that was hand delivered to our office by the CEO of LabMD, debated it in privacy law class and marveled at the energy and focus of Mike Daugherty over the years to fight what he believed to be an injustice against him and his company by the federal government.
The case has taken many turns and at times is very hard to follow. Suffice it to say that the FTC alleged that LabMD did not have sufficient security measures in place to protect the information of patients and started an enforcement action against it. The facts of the case are fit for a mini-series, with characters you can’t make up. To make a long story short, the FTC proceeded in an enforcement action, the administrative law judge found in favor of LabMD, the full Federal Trade Commission reversed the ALJ’s decision and the FTC issued an order directing LabMD to create and implement a variety of security measures. LabMD appealed to the 11th Circuit Court of Appeals.
Yesterday (6/6/18), the 11th Circuit Court of Appeals issued its decision on the appeal and found in favor of LabMD. The 11th Circuit stated “LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.”
This case has great significance to the ability of the FTC to enforce data security against companies. The FTC alleges that Section 5 of the FTC Act gives it authority to enforce data security measures, and alleged that LabMD committed an unfair act or practice by engaging in practices that failed to reasonably secure the information of patients. The 11th Circuit found that the FTC failed to allege specific unfair acts or practices engaged in by LabMD. It further found that the FTC failed to “explicitly cite the source of the standard of unfairness it used in holding LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice.”
Finally, the Court held that the prohibitions set forth in the FTC’s cease and desist order were not specific, and therefore, unenforceable.
This long-awaited opinion has wide-reaching implications for companies facing enforcement actions by the FTC now and no doubt long into the future.