In a long-awaited decision ending the highly publicized cybersecurity case of Federal Trade Commission v. LabMD Inc., the Eleventh Circuit, on June 6, 2018, vacated an FTC cease-and-desist order against LabMD, a company that had suffered a data breach caused by an employee who violated a company policy. The order would have required LabMD to undertake a 20-year, multifaceted data security compliance program; the court vacated it because it did not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
On the face of it, the court’s opinion might appear to be a major defeat for the agency and a significant victory for the company and, derivatively, for health care providers as well as a broad range of other entities holding personally identifiable information that might face future FTC enforcement actions following data breaches. After all, the court’s essential holding ended a protracted and bitter litigation battle between the parties by removing what had become a paralyzing sanction against the company: it vacated the commission’s cease-and-desist order because the order failed to enjoin any specific act or practice and, without statutory support, essentially delegated to the district court the management of a broad data security overhaul imposed upon LabMD. Moreover, the decision highlights the commission’s limited ability to penalize entities for first-time violations of Section 5. Indeed, the decision was met with words of triumph from the company and its supporters and a more pessimistic response from the FTC and several legislators and regulatory advocates.
No doubt the LabMD case will require the FTC staff to plead its future cases and craft its remedial orders with greater specificity, and will leave it less able to justify future data breach cases where the cited acts and practices are not demonstrable causes in fact of the breach. And no doubt the decision will cause at least some subject companies to defend themselves more vigorously in such cases and make them less likely to agree to the onerous settlement agreements with the commission that many companies have accepted. Thus, it is reasonable to conclude that LabMD weakens the commission, which now may need augmented legislative authority to impose general preventive measures, and strengthens entities experiencing data breaches, which now will be better able to defend themselves, at least in the Eleventh Circuit.
But there is a problem, and it is this: The panel undertook a cursory and questionable analysis of the scope of the FTC’s jurisdiction, and simply "assume[d] arguendo that the commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice" actionable under Section 5. Focusing on the clearly excessive scope of the cease-and-desist order, and reaching a logically supportable conclusion in vacating it, the court ignored what should be a more fundamental question, indeed a question that was central to LabMD’s actual argument to the court, i.e., may the commission bring such a case where there is no allegation that any consumer has been injured in fact? The decision implies that it may do so and indeed describes a scenario where the panel seemingly would have been amenable to upholding the commission. Moreover, the commission’s ability so to act finds further support in a recent D.C. Circuit case in which the FTC clearly won and LabMD clearly lost. ...