Appellate Court Curbs FTC's Authority to Regulate Corporate Data Security Programs
By Isaac Ellis and Donn Meindertsma
The Federal Trade Commission (FTC) enforces federal laws that prohibit companies from engaging in "unfair" trade practices. Several years ago, the FTC began pursuing enforcement actions against companies whose data security management was, in the FTC's view, inadequate. The FTC's theory is that lax data security protocols can be an unfair trade practice. Thus, the FTC took a lead federal government role in regulating cybersecurity in the private sector.
In 2013, that regulatory agenda ensnared an Atlanta-based medical diagnostics company, LabMD. After the FTC issued a sweeping order requiring LabMD to implement numerous data security measures, LabMD
fought back. Last week, LabMD scored a significant victory against the FTC in a decision by the U.S. Court of Appeals for the Eleventh Circuit.
Far from involving a high-profile data breach (such as the infamous 2017 Equifax breach), the events leading to the FTC’s pursuit of LabMD did not involve any intrusion or data theft. In 2005, an employee downloaded and used a peer-to-peer file sharing service known as LimeWire. Doing so violated LabMD's policies. Worse than that, the illicit program download enabled third parties to obtain a company data file that housed information on almost 10,000 consumers, such as names, birth dates, and social security numbers.
A data security firm, Tiversa Holding Corporation, obtained the exposed data and sensed a business opportunity. In connection with marketing its own digital security services to LabMD, Tiversa told LabMD it had obtained the customer data file. LabMD declined Tiversa's solicitation. Tiversa, in turn, gave the data file to the FTC. During ensuing FTC proceedings, one of the agency's commissioners shed additional light on Tiversa's role in the matter:
Tiversa is more than an ordinary witness, informant, or “whistle-blower.” It is a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its
services to help organizations protect against similar infiltrations. Indeed, in the instant matter, an argument has been raised that Tiversa used its robust, patented peer-to-peer monitoring technology to retrieve the [Data] File, and then repeatedly solicited LabMD, offering investigative and remediation services regarding the breach.
The FTC investigated LabMD's data security practices and issued an administrative complaint against the company in August 2013. The complaint accused LabMD of committing an “unfair act or practice” prohibited under the FTC Act by “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” Yet, the FTC did not identify any specific act or
practice of LabMD that constituted an unfair practice. After some lengthy procedural volleyball, the full Commission ruled that LabMD had violated the FTC Act and issued a cease and desist order. That order required LabMD to implement a data security program that comported with the FTC’s standard of reasonableness. In addition, the order was to remain in effect for 20 years, effectively allowing the FTC to monitor and control LabMD's data security management practices for the next two decades.
The Eleventh Circuit's Ruling
LabMD petitioned the Eleventh Circuit to review and set aside the FTC's cease and desist order. At the heart of the appeal was the scope of the FTC’s ability to
enforce data security standards as an unfair trade practice. More precisely, the appeal presented two issues of interest to the business community: (1) whether the failure to implement and maintain a reasonably designed data security program can constitute an unfair trade practice; and (2) whether the FTC’s cease and desist order, which mandated a complete overhaul of the company’s data security measures, was enforceable.
The court declined to address the first question, other than to clarify that the FTC’s application of the unfairness standard must be rooted in “clear and well-established policies that are expressed in the Constitution, statutes, or the common law.” The court assumed for the sake of argument that this established source of law can include the common law of
negligence. Accordingly, the court assumed for purposes of its decision—without deciding one way or the other—that the FTC was correct that the failure to design and maintain a reasonable data security program could constitute an unfair act or practice. The court opted instead to address the merits of LabMD’s claim that the FTC’s cease and desist order was unenforceable because it lacked specificity.
The answer to the second question—whether the FTC's order was enforceable—was a resounding “no.” The court summarized the FTC's order as follows: "In effect, the [FTC] held that LabMD’s failure to act in various ways to protect consumer data rendered its entire data-security operation an unfair act or practice." In vacating the FTC’s order, the court focused on
the order's lack of clarity and precision. The court noted that enforcing the order as drafted would be an unmanageable task for any court. Critically, the order—even though supposedly a "cease and desist" order—did not instruct LabMD to stop doing anything. Instead, the FTC ordered LabMD to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
The court posited a hypothetical to demonstrate why the FTC's order could not be enforced. As LabMD implemented discrete security measures in the future, how would a court determine whether LabMD had developed a sufficient data security management
program? Presumably the FTC and the company would each engage security experts who would repeatedly return to court to argue over the reasonableness and sufficiency of LabMD's actions. As the court put it, the FTC's order put the district court in the position of managing LabMD’s business at the whim of the FTC.
It would be as if the Commission was LabMD’s chief executive officer and the court was its operating officer. It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law.
For the Eleventh Circuit, the FTC’s vague reasonableness standard was a bridge too far.
While the Court’s opinion does not offer a tidy answer regarding whether and when a company's insufficient data security measures can constitute an unfair trade practice, it is safe to assume that the FTC has the power to investigate and attempt to remedy consumer data security issues. However, the FTC cannot simply demand that a company institute and maintain “reasonable” data security protocols. Instead, any enforcement orders must be clear and precise in instructing companies exactly what is required of them. In fact, the court hinted at what might have constituted a permissible order in LabMD's circumstances; specifically, a “narrowly drawn and easily enforceable
order…commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers.”
In short, companies should continue to take data security seriously and must remain alert to the risk that the FTC will attempt to enforce data protection standards through investigations and enforcement proceedings. Yet, the new court ruling demonstrates that there are limits to the FTC’s power to seek blanket overhauls of a company’s data protection program. It remains to be seen whether the FTC will pursue further review by the full Eleventh Circuit or the United States Supreme Court.
If you or your company has questions about data security, Conner &
Winters’ attorneys are more than happy to assist you in finding answers.
Note: This news alert should not be construed as legal advice and its receipt does not create an attorney-client relationship.