Last week, the Eleventh Circuit Court of Appeals issued a decision which severely weakens the power of the Federal Trade Commission (“FTC”) to impose cybersecurity obligations on businesses. See LabMD, Inc. v. Federal Trade Commission, No. 16-16270, 2018 WL 2714747 (11th Cir. Jun. 6, 2018). LabMD was a medical laboratory that conducted diagnostic testing for cancer. As a result, it was subject to the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) which imposed obligations to secure patients’ data on LabMD’s computer system. A billing manager at LabMD installed Limewire software on her computer (in violation of LabMD policy) which allowed her to share music files across the internet. Unfortunately, Limewire also allowed access to every file on her computer, including personal information on 9,300 consumers. A data security company, apparently as part of its marketing efforts, accessed the computer and downloaded the consumer information. It then offered its cybersecurity services to LabMD, but when LabMD declined, the security company forwarded its information to the FTC.
The FTC claimed that the failure to appropriately safeguard LabMD’s network was an “unfair act or practice” under the Federal Trade Commission Act. The FTC could have entered an order commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers. Instead, the FTC went much further and entered an order regulating all aspects of LabMD’s data-security program. In short, LabMD was ordered to implement and maintain a data-security program “reasonably designed” to the Commission’s satisfaction.
The Eleventh Circuit found that the FTC’s broad “reasonableness” requirement was too vague to permit enforcement. The FTC’s order can be enforced by the FTC itself or by a reviewing court. But, in either instance, the FTC or the reviewing court would essentially be forced to make a judgment call on whether a particular security measure was “reasonably designed.” As a practical matter, this meant that every hearing on “reasonableness” would amount to a specific modification of the FTC’s exceedingly general order. Thus, the Eleventh Circuit concluded:
The practical effect of repeatedly modifying the injunction at show cause hearings is that the district court is put in the position of managing LabMD’s business in accordance with the Commission’s wishes. It would be as if the Commission was LabMD’s chief executive officer and the court was its operating officer. It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law.
LabMD, 2018 WL 2714747, at *12.
The LabMD decision has far-reaching implications. The FTC frequently touts its victories in requiring companies to comply with privacy dictates: FTC Privacy Wins. Now, the FTC’s compliance power is severely restricted (at least in the Eleventh Circuit). Rather than imposing general requirements on businesses, the FTC must dictate specific security measures that can be enforced by a reviewing court.
Perhaps more importantly, the LabMD decision also contains language suggesting that the FTC does not have the wide-ranging ability to regulate cybersecurity at almost any business. The FTC has taken the position that it can regulate cybersecurity any time there is an actual or likely “substantial consumer injury.” The Eleventh Circuit’s opinion, however, suggests the cybersecurity practice at issue must also violate a “well-established legal standard, whether grounded in statute, the common law or Constitution.” This part of the opinion is dicta and is not a binding statement of law. Nevertheless, it provides businesses with another potential defense to FTC enforcement actions.
The LabMD opinion was issued by a three-judge panel of the Eleventh Circuit. Potentially, the FTC could ask for every judge in the Eleventh Circuit to review the case as part of an en banc proceeding. Or, the FTC might try to appeal to the United States Supreme Court. Thus, there is some chance that the opinion might change. For now, businesses have earned a big win against regulation by the FTC.