Appeals Court Curbs FTC’s Enforcement of Security Standards–LabMD v. FTC
This is an FTC enforcement action against LabMD. A LabMD billing manager installed a peer-to-peer file-sharing application called LimeWire and designated the “my documents” folder on her computer for sharing. This folder contained a 1,718-page file with names, dates of birth, social security numbers, lab test codes, and health insurance company information of LabMD customers. A security remediation firm noticed this and tried to pitch LabMD for work. LabMD rebuffed the sales pitch, and the security firm sent the 1,718-page file to the FTC.
The FTC issued an administrative complaint alleging LabMD committed an unfair act or practice by failing to adequately safeguard personal information on its networks. After discovery, LabMD brought a motion for summary judgment. The Commission denied the motion, and the matter proceeded to an evidentiary hearing. After the hearing, the ALJ dismissed the FTC’s complaint, finding that the FTC did not adequately allege injury or the likelihood of injury. On appeal, the full Commission reversed, finding that LabMD failed to implement reasonable security measures. Specifically, the Commission found the substantial-injury element satisfied both by the unauthorized disclosure of the file itself and by the mere exposure of the file, which it found likely to cause substantial injury. The FTC then issued an order requiring LabMD to maintain “reasonable” (but unspecified) data security measures until 2036 (or later if the FTC files a complaint alleging a violation of the order).
LabMD appealed to the Eleventh Circuit, which issued this much-anticipated decision.
Although LabMD raised a variety of challenges in its brief, the opinion focuses on the enforceability of the FTC’s order. It first looks at the history of FTC Act section 5(a) and the FTC’s mandate to regulate unfair trade practices. In the 1970s, the FTC went on a detour to ban advertising directed at children on the basis that it was immoral and unethical. This resulted in an outcry, and a slightly scaled-back interpretation of what is unfair and subject to regulation by the FTC.
The court assumes that exposure of the files in question satisfies the requisite harm requirement (although it later equivocates slightly). It focuses on the ensuing order. The complaint itself takes a broad approach, saying that LabMD’s data-security program was deficient. It neither focuses on the specific installation/use of LimeWire nor requires that this be prevented in the future:
[t]he proposed cease and desist order . . . the FTC ultimately issued, identifies no specific unfair acts or practices from which LabMD must abstain and instead required LabMD to implement and maintain a data-security program “reasonably designed” to the Commission’s satisfaction.
The court focuses on specificity and finds it lacking, both in the complaint and the ensuing order. Given that a party can be subject to penalties and contempt for violating the order, failure to specify exactly what conduct is prohibited creates a due process problem. Specificity is required by numerous rules, including the federal rule governing injunctions. The court goes on to play out an enforcement scenario where the FTC alleges a violation of the order and both parties offer up competing expert opinions on whether the company’s practice was reasonable. The order itself would offer no way to resolve these competing claims. To the extent a court agreed with the FTC and found the company in contempt, it would have modified the injunction on the fly. This can continue on and produce a scenario where the court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes:
. . . It would be as if the Commission was LabMD’s chief executive officer and the court was its operating officer. It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law.
The facts of this case should be disseminated widely in corporate circles. It is a cautionary tale! A billing manager’s installation of widely used software resulted in a five-year-long investigation and, according to LabMD, ultimately was responsible for the shutdown of the company. This is a mishap that can happen in any organization.
I can envision a discussion within the FTC looking at the good, the bad and the ugly of this decision.
The good: The court did not take issue with the FTC’s framing of harm and ability to proceed in the first place.
The bad: The opinion scales back the FTC’s practical ability to act as roving enforcer of what it thinks is acceptable data security practice. The opinion also launches a sophisticated attack on the FTC’s power, and its cite to the FTC’s regulation of children’s advertising is code that it thinks the FTC is regulating well beyond the scope of its mandate. The Chamber of Commerce has to be overjoyed in reading this opinion.
The ugly: The FTC decides to appeal to SCOTUS.
I’m constantly amazed at how the FTC got to this point. The FTC’s titular obligation is to regulate trade. Along the way, the FTC interpreted “trade” to mean “privacy.” The FTC immersed itself in Internet privacy enforcements and self-branded as the nation’s premier privacy enforcement agency (a/k/a the Federal Privacy Commission). In my opinion, the FTC’s zeal for privacy enforcement came at the partial expense of actually enforcing, you know, trade. The FTC embraced the privacy beat so enthusiastically that it lost some focus on false advertising. THEN, in a second move, the FTC interpreted “privacy” to mean “security,” and the FTC invested in busting victims of security breaches for not avoiding their victimization. Because of these two moves, at the expense of enforcing against deceptive marketplace advertising, the FTC has made a federal case out of a single thoughtless employee who installed and misconfigured a popular software program in violation of its employer’s stated policy. Worse, this enforcement action dates back to at least 2009–nearly a decade ago. #SMH
Irrespective of this LabMD ruling, the FTC can enforce deficient security practices using its deception authority (including, sometimes, jaw-droppingly tendentious readings of companies’ privacy policies); and in some cases there may be statutory security mandates that the FTC can enforce as well. In contrast, when the FTC relies solely on its “unfairness” authority, it’s usually reaching.
Though couched in big thoughts, the court’s opinion is fairly narrow. The court requires the FTC’s remedial orders to describe with requisite specificity what conduct the defendant must stop. The court says the FTC failed to do that here because:
the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.
This is an embarrassing rebuke of the FTC’s enforcement effort, but to what effect? The court doesn’t say that the FTC lacked unfairness authority to bring the enforcement action against the defendant; and the FTC can easily cure the court’s problem by coming up with more specific orders in future injunctions. So the ruling is more of a speedbump for future FTC enforcement actions than a real handcuff on those actions.
It’s worth noting that 100% of the FTC commissioners who have worked on the LabMD matter over the past decade have turned over. Will the new FTC commissioners prioritize privacy and security enforcements as enthusiastically as their predecessors? If they do not, then this ruling may have even less impact.
Case citation: LabMD v. FTC, No. 16-16270 (11th Cir. June 6, 2018)