The Court of Appeals for the Eleventh Circuit has overturned an FTC cease-and-desist order directing LabMD to install a reasonable data-security program, issued in response to the disclosure of a single computer file containing personal information regarding 9,300 customers. Agreeing with arguments from the now-defunct LabMD, the court determined “that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a)” of the Federal Trade Commission Act (15 U.S.C. § 5[a]).
The court, after recognizing that the FTC could have issued “a narrowly drawn and easily enforceable order…commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers,” overturned the cease-and-desist order that “continue[d] past” the single incident of wrongdoing, to broadly address “a litany of security measures that LabMD failed to employ, each setting out in general terms a deficiency in LabMD’s data-security protocol,” using the single, and only specific, incident “as an entry point to broadly allege that LabMD’s data-security operations are deficient as a whole.” Ultimately, the Eleventh Circuit found that the FTC order, flowing from this entry point, lacked the “specificity” and “reasonable definiteness…stated with clarity and precision” necessary to comply with basic due process rights.
A thorough analysis of the court’s reasoning and underlying legal authority provides a helpful tool in assessing the merits of future FTC enforcement actions addressing data privacy and security, as the FTC’s authority in this area is, in a word, unavoidable.
Evolution of FTC Enforcement Authority
The court began by recounting the development of the FTC’s authority, beginning with the Federal Trade Commission Act of 1914, which granted the power to prohibit “unfair methods of competition” and allowed the FTC to develop the notion of “unfair” on a case-by-case basis. In 1938, the FTC’s authority was expanded by statutory amendment to prohibit “unfair…acts or practices” harmful to consumers, in addition to business entities. The FTC refined its “unfairness authority,” setting forth three factors for consideration as to whether an act or practice “(1) caused consumers, competitors, or other businesses substantial injury; (2) offended public policy as established by statute, the common law, or otherwise; and (3) was immoral, unethical, or unscrupulous” (29 Fed. Reg. 8324, 8355 [July 2, 1964]), factors approved by the Supreme Court in 1972 (405 U.S. 233, 244 n. 5).
By letter in 1980, the FTC further refined its authority, setting forth a three-part test to define a qualifying injury: it (1) must be substantial; (2) must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and (3) must be an injury that consumers themselves could not have avoided. This test was later codified in Section 5(n) of the FTC Act. As for public policy, the FTC limited application to “clear and well-established” policies “declared or embodied in formal sources such as statutes, judicial decisions, or the Constitution as interpreted by the courts, rather than being ascertained from the general sense of the national values.” (FTC Policy Statement on Unfairness, FTC [Dec. 17, 1980]). The third “unfairness” factor, relating to immoral, unethical, or unscrupulous conduct, was eliminated as redundant of the first two. Under the current statute, the public policy consideration was further limited and “may not serve as a primary basis” for determining an unfair practice.
FTC’s Assessment of LabMD Practices and Underlying Enforcement Action
In violation of LabMD’s internal policies, a billing manager installed the LimeWire peer-to-peer file-sharing program, granting access to the “My Documents” folder, which held a 1,718-page file containing names, dates of birth, social security numbers, laboratory test codes and other information for 9,300 customers. A data security company, Tiversa Holding Corporation, after attempting to sell its services to LabMD, provided the FTC with a copy of the “1718 file,” which Tiversa had downloaded and used in connection with its marketing to LabMD.
The FTC’s complaint alleged that, despite having what the court characterized as a data-security program including “a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections” (Decision, n. 4), LabMD “did not” take seven data-security measures, which failures the FTC charged constituted “unfair acts or practices in violation of Section 5(a).” The Administrative Law Judge assigned to the matter dismissed the FTC’s complaint following an evidentiary hearing in July 2015, concluding the FTC had failed to prove LabMD committed unfair acts or practices, or that the “alleged failure to employ reasonable data security . . . caused or is likely to cause substantial injury to consumers” as required under the Act. The full Commission reversed the ALJ’s decision following a de novo review of the law and facts, finding LabMD “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network,” which “data security practices were unfair.”
The Court’s Criticisms of the FTC Order
The Eleventh Circuit, in its review of the order, first commented that “a narrowly drawn and easily enforceable order might have followed, commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers.” Instead, the court found, the FTC’s complaint “continued past this single allegation of wrongdoing,” i.e. “that LimeWire was installed in defiance of LabMD policy and caused the alleged consumer injury,” “to broadly allege that LabMD’s data-security operations are deficient as a whole.” The court made clear that, while the FTC’s complaint “alleges no unfair acts or practices engaged in by LabMD” “[a]side from the installation of LimeWire on a company computer,” the complaint broadly alleged that “LabMD’s multiple, unspecified failures to act in creating and operating its data-security program…amounted to an unfair act or practice,” and attached a proposed order containing “sweeping prophylactic measures” “which would regulate all aspects of LabMD’s data-security program.” The court then noted that the FTC’s proposed order, which was nearly identical to the enforcement order, “identifie[d] no specific unfair acts or practices from which LabMD must abstain and instead requires LabMD to implement and maintain a data-security program ‘reasonably designed’ to the Commission’s satisfaction.”
Measuring the FTC Order against the FTC Act
After highlighting these common-sense deficiencies within the FTC’s complaint and order, the court weighed the FTC’s conduct against the authority granted under Section 5(a), beginning with the identification of the “clear and well-established” policy offended by the supposed unfair act or practice. The court intuited that the FTC had relied on the “common law of negligence” creating a consumer right of privacy, the violation of which the court assumed, arguendo, was a legitimate basis for accountability under Section 5(a).
The court then turned to whether the Commission’s cease-and-desist order, “founded upon LabMD’s general negligent failure to act,” is enforceable, beginning with a recognition that the FTC’s establishment of an unfair act or practice through case-by-case litigation “becomes in effect…an addendum to Section 5(a).” Under the facts, the court determined that the order lacked any “specificity,” an element “crucial to…enforcement.” As the court explained, “[T]he remedy the complaint seeks must comport with this requirement of reasonable definiteness…stated with clarity and precision,” as well as with “fundamental postulates of our legal order forbid[ding] the imposition of a penalty for disobeying a command that defies comprehension.” In light of these fundamental jurisprudential concerns, the court held that the FTC’s “cease and desist order contains no prohibitions,” “says precious little about how this is to be accomplished,” and “does not instruct LabMD to stop committing a specific act or practice,” rendering the order “unenforceable.” The FTC’s order mandating “a complete overhaul of LabMD’s data-security program” was, in the court’s opinion, “a scheme Congress could not have envisioned.”
First and foremost, there appears to be no dispute that the FTC has authority to address data security and privacy issues under its mandate to prohibit unfair acts and practices.
Secondly, while the FTC has authority, it is circumscribed not only by the FTC Act’s statutory language, but also by fundamental jurisprudence, including due process rights, and “fundamental postulates of our legal order forbid[ding] imposition of a penalty for disobeying a command that defies comprehension.”
Thirdly, and as previously reported, with a full FTC Board now seated, we will keep a close eye on whether a new focus and finer tailoring of FTC orders will be forthcoming in the area of data privacy and security.