In Bellwether Data Security Case, 11th Cir. Rejects FTC Order

Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...

By Barbara Yuill

The Eleventh Circuit vacated an FTC order that medical testing company LabMD Inc. rev up its data security program, ruling that the order lacked specifics and was unenforceable.

The Federal Trade Commission’s cease and desist order “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished,” the court wrote. “This is a scheme that Congress could not have envisioned.”

The protracted case has been a closely watched challenge to the agency’s authority to regulate data security practices under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices ( LabMD, Inc. v. FTC , 11th Cir., No. 16-16270-D, 6/6/18 ).

The three-judge panel of the U.S. Court of Appeals for the Eleventh Circuit did not rule on the FTC’s Section 5 data security authority, confining the decision to the cease and desist order.

“Although we are disappointed by the appeals court’s ruling, we will continue to do everything we can to protect consumer privacy. We are evaluating our next steps in response to this decision,” an FTC spokesperson said in a June 6 email.

“We are gratified by and applaud today’s decision by the Eleventh Circuit, which confirms LabMD’s position that the order entered against LabMD by the FTC was fundamentally unlawful,” Douglas H. Meal, a partner with Ropes & Gray who represents LabMD, told Bloomberg BNA in an email.

The case started after the FTC said in a complaint that LabMD violated Section 5 by failing to provide reasonable and appropriate security for patient information. LabMD, which is now defunct, argued that the FTC did not have the authority under Section 5 to regulate its data security practices.

Eventually, the FTC found that LabMD lacked reasonable security on its computer network, needed to protect consumer sensitive data, in violation of Section 5. The agency ordered the company to employ reasonable security practices that complied with FTC standards of reasonableness, the court wrote.

LabMD argued that an FTC cease and desist order was “unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of” Section 5, according to the decision. The court agreed.

Judge Gerald Tjoflat wrote the decision, which was joined by Judge Charles R. Wilson and Judge Eduardo Robreno of the U.S. District Court for the Eastern District of Pennsylvania.

Ropes & Gray LLP represented LabMD.

To contact the reporter on this story: Barbara Yuill in Washington at byuill@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Tech & Telecom on Bloomberg Law