MONTH-IN-BRIEF (Jun 2018)
11th Circuit Vacates FTC Order Against LabMD as Unenforceable
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the Eleventh Circuit has vacated an order of the Federal Trade Commission (FTC) in an enforcement action that charged now-defunct medical laboratory LabMD, Inc. with having a security program that was so inadequate it constituted an “unfair act or practice” under the Federal Trade Commission Act. LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018). A LabMD billing employee had downloaded peer-to-peer file-sharing software on a computer, allegedly permitting external persons to access a file that contained personal information for 9,300 customers. An administrative law judge dismissed the FTC’s complaint, but the full Federal Trade Commission reversed on appeal, citing numerous security measures that LabMD failed to execute, and entered a cease-and-desist order that required LabMD to implement a reasonable security program.
The court of appeals assumed arguendo that LabMD’s negligence in implementing a data security program was an unfair practice but found the FTC’s order was unenforceable. Rather than directing LabMD to stop committing a specific act, the order directed it to implement a security program that met an undefined standard of reasonableness. The order’s lack of specificity would require an enforcing court to micromanage LabMD’s business to the FTC’s satisfaction. While the order did not invalidate the FTC’s authority to regulate security, it is likely to change the level of detail the FTC will require in future enforcement orders.