Although the court did not limit the FTC’s legal authority to regulate data security, the Eleventh Circuit nonetheless ruled against the FTC—and in doing so may have limited the Commission’s ability to enforce broad remedial orders.
The court began its analysis by noting that the harm at issue in the case—the unauthorized disclosure of consumers’ personal information—occurred because a LabMD employee installed a peer‑to‑peer file‑sharing application on her work computer, against the company’s policy. The opinion suggests that the FTC could have crafted a sufficiently specific order to remedy this harm by requiring that LabMD eliminate the possibility that employees “could install unauthorized programs on their work computers.” Instead, the FTC went beyond this specific occurrence and alleged that LabMD’s data security practices were deficient as a whole. As the court put it: for the Commission, “it was LabMD’s multiple, unspecified failures to act in creating and operating its data-security program that amounted to an unfair act or practice.” And in order to remedy this perceived widespread failure, the FTC’s order included “sweeping prophylactic measures” that would have regulated “all aspects” of LabMD’s data security practices.
It was the vagueness—in the court’s view—of these prophylactic measures that resulted in the Eleventh Circuit vacating the FTC’s order for lack of specificity. The court found that the order would have required LabMD to satisfy “an indeterminable standard of reasonableness” rather than instructing the company “to stop committing a specific act or practice.” And in requiring that LabMD meet this standard, the order included “precious little about how this [would have been] accomplished.” Because the order lacked greater specificity, the Eleventh Circuit feared that it would have fallen on a federal district court in enforcement proceedings to give concrete meaning to the order’s requirements. But because the order was “devoid of any meaningful standard informing the court what constitutes a ‘reasonably designed’ data-security program,” the district court would have had no way of determining whether LabMD was complying with the order.
It is not yet clear how the FTC will respond to this decision. The Commission might seek rehearing en banc or appeal the decision to the Supreme Court in order to address some of the questions left unanswered by the Eleventh Circuit’s opinion. For example, in reaching its conclusion, the court did not discuss the long-standing “fencing-in” doctrine—under which the FTC has historically justified its broad remedial orders—although the Commission raised the issue in its brief.
If the decision stands, however, it could affect the viability of some of the Commission’s remedial powers. Many of the consent orders that the FTC has required companies to adopt—particularly those involving data security but also some related to other issues—have included broad prophylactic remedies that are similarly premised on a reasonableness standard. In the wake of this decision, some of those companies may now wonder whether their orders are also unenforceable.