LabMD Sues FTC Lawyers
The LabMD saga has been a fascinating one.
In 2016, LabMD was accused by the FTC of exposing sensitive patient information due to less than adequate data security practices. LabMD then requested that the court reconsider its decision that two Federal Trade Commission lawyers had qualified immunity from liability for filing the lawsuit against LabMD. In its suit against the FTC lawyers, LabMD argued that they engaged in a “deliberate and successful effort to cause the Commission to authorize an enforcement action” premised upon false facts. LabMD lost that argument.
Perhaps the most interesting part of the LabMD saga is that the FTC took a hit in attempting to regulate by consent decree. A close second is whether the nation’s regulatory approach to cybersecurity is working.
The FTC demands that businesses implement reasonable measures to eliminate data vulnerabilities. However, regulatory settlements are hardly defined, substantive legal requirements.
The U.S. Court of Appeals for the Eleventh Circuit’s decision has significant implications for the FTC’s approach to cybersecurity. The court stated that the FTC’s order “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” In fact, the court stated that the FTC could have drafted a narrowly drawn and easily enforceable order regarding data security.
“The Commission’s decision in this case does not explicitly cite the source of the standard of unfairness it used in holding that LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice,” the court said.
The Eleventh Circuit found that the FTC’s order was not enforceable. The ruling calls into question prior data security orders regarding accusations of lax security practices that contain no prohibitions, or instructions about overhauling practices to satisfy an elusive reasonableness standard. Concrete data security policies may follow, including uniform federal data breach and privacy legislation.
The FTC is now going to be forced to tailor its orders that impose obligations on companies that are alleged to have failed to safeguard consumer data. It is also likely to think twice before initiating legal action under the “unfairness” prong of Section 5 of the FTC Act based upon ambiguous justification where there exists no concrete injury.