Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Eleventh Circuit Vacates FTC LabMD Order but Does Not Challenge FTC Authority

The U.S. Court of Appeals for the Eleventh Circuit vacated the Federal Trade Commission’s LabMD order but did not challenge the Commission’s ability to use its unfairness authority to challenge inadequate data security practices, in a closely watched case that tested the Commission’s enforcement powers.

Background

The FTC issued a complaint against LabMD in 2013, alleging that the now-defunct clinical laboratory failed to reasonably protect the security of consumers’ personal data. It was the first litigated administrative data security action before the FTC. In 2016, an administrative law judge dismissed the complaint and found that complaint counsel had failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security practices constituted an unfair practice, and had not proved that the practices either caused or were likely to cause substantial consumer injury. The FTC reversed the ALJ. The Commission’s unanimous opinion held that the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information because of inadequate data security measures was, in and of itself, a substantial injury under Section 5(n) of the FTC Act (the FTC’s unfairness authority).

The 2016 FTC order required LabMD to implement and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, nature and scope of respondent’s activities and include:

  • The designation of an employee to coordinate and be accountable for the program.
  • A risk assessment that considers, among other things, employee training and management, information systems, and prevention, detection and response to attacks, intrusions, or other system failures.
  • Design and implementation of reasonable safeguards to control identified risks.
  • Development of vendor oversight processes.
  • Evaluation and adjustment of the program in light of testing and monitoring.

Order found unenforceable

In its decision, the Eleventh Circuit found that the prohibitions contained in the FTC administrative cease and desist order were unenforceable because the order did not instruct LabMD to stop committing a specific act or practice. The court found that the order commanded LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness which a district court could not enforce under its contempt power. In short, the court appears to assert that LabMD was diagnosed with a cold and prescribed open heart surgery.

The Eleventh Circuit conflates an administrative FTC order with a district court injunction when it posits a scenario in which the FTC sought to enforce the order and, for purposes of its illustration, assumed that the order was a district court order rather than an administrative order, having concluded that the prohibitions contained in administrative orders and injunctions are the same. The court’s hypothetical scenario suggests that the FTC would enforce its administrative order in district court by alleging that LabMD failed to implement certain criteria as part of a data security program and that, as a result, the data security program is not “reasonably designed.” The court has essentially imagined a battle of the experts at a show cause hearing where the experts disagree.

The Eleventh Circuit concludes that the practical effect would be to put the district court in the position of managing LabMD’s business in accordance with the FTC’s wishes. However, there are significant differences between the enforcement of an FTC order and a show cause hearing to enforce a district court injunction. Specifically, under the FTC Act, if a respondent violates a Commission administrative order, the FTC conducts an investigation of the potential violations, and the respondent may be liable for civil penalties of up to $41,484 per violation.

Impact of Court’s decision

Many FTC data security settlements require the creation of comprehensive data security or privacy programs which are similar to what is required by the GLBA Safeguards Rule, the New York Cyber Regulations and to some extent, the EU’s General Data Protection Regulation.

On Wednesday, the Eleventh Circuit held that the FTC’s order was unenforceable, but it notably did not address whether the alleged data security lapses caused or were likely to cause substantial injury to consumers and constituted an unfair act or practice under Section 5 of the FTC Act.

Although the decision leaves intact the FTC’s authority to challenge data security practices as unfair, it could provide fuel for respondents when negotiating data security settlements with the Commission. The court’s decision would have been far more devastating had it taken on the meaning of “likely to cause substantial injury,” which is an element of unfairness.

June 8, 2018
Written by: Discerning Data Editorial Board
Category: FTC
Tags: administrative data security action, data breach, data security, Eleventh Circuit, Federal Trade Commission, FTC, information security program, personal data, unfairness