June 15, 2018
In a landmark decision, the United States Court of Appeals for the Eleventh Circuit vacated a Federal Trade Commission (“FTC”) cease and desist order which directed LabMD, a relatively small and now-defunct cancer testing laboratory, to create and implement a variety of protective measures with respect to its data security practices. LabMD is usually described as being defunct due to the expense of defending against the FTC action.
By way of background, in 2005, a LabMD billing manager installed a peer-to-peer file sharing program known as LimeWire on his company computer, in contravention of company policy. Subsequently, the billing manager accidentally shared 1,718 pages of sensitive HIPAA-protected patient information for approximately 9,300 customers. As a result, the FTC filed an administrative complaint against LabMD in August of 2013, alleging that LabMD had committed an “unfair act or practice” within the meaning of section 5(a) of the FTC Act. This culminated in the FTC’s issuance of an order compelling LabMD to create and implement generally described data security policies and procedures intended to protect sensitive consumer information. LabMD appealed the order to the 11th Circuit on December 27, 2016, asserting that the FTC’s order was unreasonably vague. On June 6, 2018, the 11th Circuit agreed, finding that the FTC order merely instructed LabMD, in general terms, to implement an undefined data-security program that was required to meet an undefined standard of reasonableness. The Eleventh Circuit explained that FTC orders must be written with the specificity required of a district court injunction. Stated differently, the FTC order must put the enjoined party on notice of what it is permitted or otherwise required to do with a discernable level of particularity.
In sum, the 11th Circuit’s decision is significant because the FTC is now required to provide specific instructions as to how to remedy a violation of the FTC Act, as opposed to providing indefinite guidelines—at least in the cyber security arena. Moreover, this decision is important because it did not state that the FTC cannot require a cyber security framework as a general proposition. The issue not specifically addressed, but generally recognized in the security industry and lurking in this decision, is that it is difficult to define precisely what constitutes “reasonable security.” This uncertainty does not eliminate the need for companies to implement data security prevention and response plans. The number of data breaches occurring in the United States increases each year, and while the perception may be that smaller companies have less to worry about by way of data breaches because they hold “little” client data, or “only” employee data, this is misguided. An estimated 62% of all cyber breaches occur in small and mid-market companies. The primary causes of data breaches are employee or contractor mistakes, such as stolen and lost laptops, and procedural error, as was the case with LabMD. In light of the 11th Circuit’s opinion, it is more important than ever to implement a data security plan. For more information regarding implementing data security plans, review A Primer on FTC Cybersecurity Enforcement.