Is Inadequate Data Security an Unfair Trade Practice?

In LabMD, Inc. v. Federal Trade Commission, Case No. 16-16270 (decided June 6, 2018), the United States Court of Appeals for the Eleventh Circuit addressed the enforcement of an FTC order finding that a business’s allegedly inadequate data security practices were unfair trade practices under Section 5(a) of the Federal Trade Commission Act.

LabMD operated a medical laboratory that conducted diagnostic testing for cancer. Contrary to LabMD policy, an employee installed a file-sharing application on a company computer. That application allowed an outside party to download a file that contained the personal information of thousands of customers.

The FTC initiated an administrative case against LabMD, alleging that it had committed an unfair act or practice prohibited by Section 5(a) of the Federal Trade Commission Act by failing to provide reasonable and appropriate security for personal information on its computer networks. After litigation before an administrative law judge and the FTC, the FTC entered an order finding that LabMD’s data security practices were unfair under Section 5 and ordered LabMD to “install a data-security program that comported with the FTC’s standard of reasonableness.” Opinion, p. 8. LabMD petitioned the United States Court of Appeals for the Eleventh Circuit to review the FTC’s decision. The Court granted the petition and vacated the FTC’s order.

The Court side-stepped the legal issue of whether the failure to maintain a reasonable data-security program could violate Section 5(a) of the Federal Trade Commission Act. Instead, the Court focused on whether the FTC order was enforceable. The Court noted that the order did not prohibit any specific act or practice. Instead, it demanded that LabMD replace its data security program with one that the FTC deemed “reasonable.” However, in the Court’s view, such an order was unenforceable. Attempts to enforce such an order would generate further litigation about whether or not a security practice was reasonable because nothing in the FTC order provides “any meaningful standard informing the court of what constitutes a ‘reasonably designed’ data-security program.” Opinion, p. 29. In the absence of specific standards, the Commission’s order was unenforceable.

This case certainly is not the last word on efforts by the Federal Trade Commission to address data security. However, if the FTC intends to pursue such cases, it will need to develop specific, enforceable data security standards.

The Opinion is available at http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf