In LabMD, Inc. v. Federal Trade Commission, 2018 WL 3056794 (11th Cir. June 6, 2018), the Eleventh Circuit vacated an FTC cease and desist order, finding the order unenforceable because it lacked the specificity a court would need to enforce it.
LabMD is a now-defunct medical laboratory. Given the nature of its work, LabMD was subject to data-security regulations issued under HIPAA. LabMD employed a data-security program in an effort to comply with those regulations. Sometime in 2005, contrary to LabMD policy, a LabMD billing manager downloaded LimeWire, an application commonly used for sharing and downloading music and videos on the Internet. The billing manager shared the contents of her “My Documents” folder on LimeWire, thus sharing a 1,718-page file with the personal information of 9,300 customers, including names, dates of birth, social security numbers, laboratory test codes, and, for some, health insurance company names, addresses, and policy numbers.
The FTC launched an extensive investigation, and ultimately issued an administrative complaint against LabMD and assigned an ALJ to the case. The complaint alleged that LabMD had committed an “unfair act or practice” prohibited by Section 5(a) by “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” Rather than allege specific acts or practices that LabMD engaged in, however, the FTC’s complaint set forth a number of data-security measures that LabMD failed to perform.
Section 5(a) of the FTC Act authorizes the FTC to protect consumers by “prevent[ing] persons, partnerships, or corporations . . . from using unfair . . . acts or practices in or affecting commerce.” The Act does not define the term “unfair.” Congress intentionally left development of the term “unfair” to the Commission through case-by-case litigation.
After a hearing before the full FTC Commission, the FTC found that LabMD “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network.” Therefore, LabMD’s “data security practices were unfair under Section 5.”
The Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures.
LabMD appealed to the Eleventh Circuit, and, in an opinion authored by Judge Tjoflat, the Eleventh Circuit vacated the cease and desist order, finding it to lack specificity. The Court pointed to the FTC’s broad complaint, which “use[d] LimeWire’s installation, and the [patient] File’s exposure, as an entry point to broadly allege that LabMD’s data-security operations are deficient as a whole.” The cease and desist order then sought to “regulate all aspects of LabMD’s data security program,” and “identifies no specific unfair acts or practices from which LabMD must abstain and instead requires LabMD to implement and maintain a data-security program ‘reasonably designed’ to the Commission’s satisfaction.”
The Court held such a broad cease and desist order to be unenforceable, as it did not enjoin a specific act or practice. Instead, it “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” Because the order lacked the specificity that would allow a court to enforce it without impermissibly modifying it through interpretation, the Court invalidated the cease and desist order as unenforceable.