11th Circuit Vacates LabMD Enforcement Order; Casts Doubt on Decades of FTC Cybersecurity Enforcement Practices
In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives.
Until last week, that is. On June 6, 2018, the Eleventh Circuit vacated an FTC enforcement order requiring LabMD to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In particular, the court held that this order was insufficiently specific – and therefore unenforceable – because it “does not instruct LabMD to stop committing a specific act or practice” and instead “commands LabMD to overhaul and replace its data-security program to meet an indeterminate standard of reasonableness.” As laid out below, in reaching this decision, the Eleventh Circuit not only sidestepped, but also avoided even mentioning, a recent precedent from a sister Circuit that had upheld the FTC’s authority to regulate information security practices in the manner similar to how it did with respect to LabMD. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). The Eleventh Circuit’s surprising decision thus has potentially wide-ranging implications for the FTC’s enforcement powers going forward. Indeed, for the hundreds of companies under active FTC consent decrees—often extending into two decades of future compliance requirements—the door may be open to wage a serious challenge.
The Facts of the Case. LabMD, Inc. v. FTC is a case with a long and tortured history, and so we provide only a brief summary of the essential facts here. The FTC initially filed the Complaint at the heart of the case after an extensive investigation into a tip provided by a data security research company that LabMD had made sensitive customer information available on Limewire, a peer-to-peer file sharing system. In particular, the FTC alleged that LabMD’s data-security program was inadequate and thus constituted an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a). After the Eleventh Circuit rejected LabMD’s attempt to enjoin the proceedings (and LabMD voluntarily dismissed a similar action in U.S. District Court for the District of Columbia), it also rejected the company’s collateral attack on the proceedings on the grounds that the FTC complaint was not a final agency action. See Lab MD, Inc. v. FTC, 776 F.3d 1275 (11th Cir. 2015).
A trial before an administrative law judge (ALJ) thereafter commenced, with the ALJ ultimately dismissing the FTC’s complaint on the grounds that the Commission had failed to prove that the failure to employ reasonable data security caused or was likely to cause harm to consumers. The FTC appealed, and the Commission found that LabMD’s security practices were unfair and that the exposure of the customer information on a peer-to-peer sharing site was likely to cause substantial injury. The Commission also rejected LabMD’s arguments that the FTC’s unfairness standard was void for vagueness or that the Commission failed to provide fair notice of what constituted appropriate data-security practices under Section 5. The Commission thus issued the cease and desist order referenced above, which LabMD immediately challenged, and the Eleventh Circuit stayed the FTC’s ability to enforce the order pending LabMD’s review. See Lab MD, Inc. v. FTC, 678 Fed. Appx. 816 (11th Cir. 2016).
The Eleventh Circuit’s Decision. LabMD advanced two primary challenges to the Commission’s decision, and the Eleventh Circuit discussed both of them.
Scope of FTC’s Section 5 Unfairness Authority. First, the court addressed LabMD’s argument that the FTC exceeded its Section 5 unfairness authority when it issued an order requiring the company to implement and maintain a reasonably designed data-security program. As noted above, the scope of the Commission’s ability to target data security practices under its Section 5 unfairness authority has been the subject of intense scholarly and practitioner focus in recent years; there was thus hope that the Eleventh Circuit might provide guidance on this key issue. And the court did spend multiple pages of its opinion on the topic – noting, among other things, that the FTC must “find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes, or the common law”; that the “Commission’s decision in this case does not explicitly cite the source of the standard of unfairness it used in holding that LabMD’s failure to implement and maintain a reasonable designed data-security program constituted an unfair act or practice”; and that it was nonetheless “apparent” that the source of the Commission’s decision was the “common law of negligence” – and, specifically, the right of individuals to be free from an unintentional invasion of their privacy. But this discussion was no more than dicta, however, as the court decided to sidestep the issue of the FTC’s cybersecurity authority by simply assuming for the purposes of this case “that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a).”
The reason for this unusual move – i.e., addressing the Commission’s authority before rendering the discussion dicta – is not apparent from the face of the decision. It perhaps suggests that the Eleventh Circuit was uncomfortable with the FTC’s actions in this case, but that it saw what it believed to be a potentially narrower ground for addressing them than ruling on the scope of the Commission’s authority. Sidestepping this issue also saved the Eleventh Circuit from creating a square split with the Third Circuit, which definitely ruled that the FTC could impose data security standards under its Section 5 unfairness authority in Wyndham.
But if these were, in fact, the court’s motivations, it picked an unusual way to go about achieving them. The court could have avoided a conflict with Wyndham simply by focusing on an issue it did in granting LabMD’s stay pending appeal – whether the act or practice at issue was “likely to cause substantial injury to consumers.” Moreover, even if the court thought enforceability was a narrower ground that the scope of the FTC’s authority, its decision nonetheless potentially undermined the primary requirement in almost all of the FTC’s existing cybersecurity orders: a comprehensive information security program reasonably designed to protection personal information.
Enforceability of Order. As noted at the outset, the Eleventh Circuit found persuasive LabMD’s second argument – i.e., that the Commission’s order was “unenforceable” because it fails to provide sufficiently specific guidance to courts on what acts and practices are prohibited.
In reaching this decision, the court first noted that 15 U.S.C. § 57a authorizes the FTC to prescribe rules “which define with specificity” unfair acts or practices within the meaning of Section 5. The court further noted that, rather than proceeding through formal rulemaking, the FTC Act also authorized the Commission to develop standards under Section 5 by bringing enforcement actions before an ALJ (as it did in this case) or a district court. For both modes of enforcement, the Court emphasized that, much like with respect to rulemaking, the “concept of specificity is crucial.” Citing the Supreme Court’s decision in FTC v. Colgate-Palmolive Co., 380 U.S. 374, 392 (1965), the Eleventh Circuit noted that an individual cease-and-desist order’s prohibitions must be stated with clarity and precision, as the imposition of penalties for “violating an imprecise cease and desist order – up to $41,484 per violation or day in violation – may constitute a denial of due process.”
The court then proceeded to evaluate the FTC’s LabMD order against this backdrop by “imagin[ing] what would take place if the Commission sought the order’s enforcement.” In such a scenario, the court envisions that the Commission would call an expert to testify to the fact that LabMD’s information security practices were not “reasonably designed” to protect customer information, while LabMD would call an expert who disagreed. Since the order is “devoid of any meaningful standard informing the court of what constitutes a ‘reasonably-designed’ data-security program,” the Eleventh Circuit noted, it would have “no choice” in such a scenario “but to conclude that the Commission has not proven – and indeed cannot prove – LabMD’s alleged violation by clear and convincing evidence,” the standard for upholding a civil contempt order. See McGregor v. Chierico, 206 F.3d 1378, 1383 (11th Cir. 2000). It follows, the court held, that the Commission’s order is unenforceable.
Consequences. As noted above, while the Eleventh Circuit may have thought its focus on the enforceability of a specific order was a narrower ground than ruling on the scope of the Commission’s Section 5 authority, its decision raises significant questions about the FTC’s regulation of information security – and other – practices. The Commission often requires companies to put in place reasonable data security practices, and the LabMD order is thus not unique in that regard. Indeed, the Federal Government has often framed cybersecurity directives in terms of reasonable protections – such as the information security requirements under the Gramm-Leach-Bliley Act. The Eleventh Circuit’s decision could thus have implications beyond the FTC, and could (counter-intuitively) lead to enforcement agencies getting more, rather than less, involved in cybersecurity practices, by putting in place more prescriptive orders and being put in the position of having to enforce on the basis of technical, rather than holistic, considerations.
All of which leads to the question: Where do we go from here? The FTC’s first order of business will be to decide whether to seek rehearing en banc from the Eleventh Circuit and/or certiorari before the Supreme Court. Although the Third Circuit did not directly address the enforceability of an existing order in Wyndham, it did hold that the FTC Act’s standard that the Commission may only take action against an “act or practice [that] causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition” provided Wyndham with sufficient notice that its cybersecurity practices might fall short of what the statute requires, and that this in turn allowed the FTC to put a cease-and-desist order in place. Given this decision – which essentially held that “reasonableness” was sufficiently precise to provide notice of a violation – the FTC could credibly claim that there is, at the least, great tension between the Circuits on this issue. Moreover, the FTC might further note that the LabMD court relied on a “negligence” analogy to “assume” the FTC had authority under Section 5 and that “reasonableness” is a venerable concept in the common law of torts – in other words, the Eleventh Circuit itself essentially recognized that “reasonableness” was a sufficiently precise standard to allow enforcement.
Of course, there are considerations that might weigh against seeking certiorari, as well. In particular, an adverse Supreme Court decision on either of the two questions at issue in LabMD could have dramatic consequences for the Commission (and potentially other civil enforcement agencies). Consideration will thus have to be given to other questions presented by the Eleventh Circuit’s decision. Would a cease-and-desist order pass muster while retaining some flexibility if the FTC provided more guidance by, for example, referring to a standard cybersecurity framework like the one promulgated by NIST? Or will the FTC be able to accomplish similar ends to what it does now by, rather than directing companies to put in place “reasonable” practices, directing them to conduct risk assessments (perhaps by third parties) and to prepare a plan for Commission review and approval?
A final question concerns the Congress. While the FTC, the Securities and Exchange Commission, HHS, Banking regulators, the CFPB, numerous States, and others take steps to regulate corporate cybersecurity practices, Congress has largely stood to the side. To date, the major piece of federal cybersecurity legislation, the Cybersecurity Act of 2015, has focused on encouraging information sharing among private and federal entities, rather than addressing appropriate cybersecurity practices. If the Eleventh Circuit’s decision has the practical effect of curtailing the ability of the Commission to take action concerning information security practices, will this prompt a legislative response? If so, would the focus of this response be solely the FTC? Or might Congress decide to sweep more broadly to consider other aspects of cyber and information security?
The answers to these – and other – questions will emerge with time. Until then, however, it is safe to say that the Eleventh Circuit has significantly shaken up the FTC’s growing emphasis on consumer cybersecurity practices – and potentially the federal response to such practices more broadly.