11th Circuit to FTC: General Prescriptions of “Reasonableness” in Data Security Are Unreasonably Vague
By Behnam Dayanim and Edward J. George
In 2008, Tiversa, a data security company, contacted LabMD, informing the lab that Tiversa had found a LabMD document containing personal information for approximately 9,300 patients, including names, social security numbers, addresses, and health insurance information on a peer-to-peer file sharing network. The file had been inadvertently shared with the network by a LabMD employee who improperly downloaded the file-sharing software onto her work computer. Tiversa offered LabMD data security services, and after LabMD declined to pay, Tiversa reported LabMD to the FTC. (The precise motivation behind Tiversa’s actions and the nature of its conduct itself have been the focus of acrimonious and long-running litigation between it and LabMD.)
Relying on information provided by Tiversa, the Commission launched an investigation into LabMD’s data practices in 2010, and in 2013 the FTC voted to issue a complaint. LabMD contested the agency’s determination it was at fault, and in 2013, the FTC filed an administrative complaint against LabMD, alleging that it had engaged in unfair data security practices. The administrative law judge (ALJ) ruled that the FTC needed to prove how LabMD’s practice causes or is likely to cause substantial injury to consumers. The judge found that the burden was on the agency to prove that the alleged failure to employ reasonable and appropriate data security caused or is likely to cause, substantial injury to consumers.
The FTC appealed to the full Commission, and the Commission held that the ALJ applied the wrong standard for unfairness and that a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low. As a result, the Commission found LabMD failed to provide reasonable security for the sensitive information on its servers and its failure was likely to cause substantial injury to its consumers.
The Commission issued a cease-and-desist order that, in the words of the 11th Circuit, “identifie[d] no specific unfair acts or practices from which LabMD must abstain and instead require[d] LabMD to implement and maintain a data-security program ‘reasonably designed’ to the Commission’s satisfaction.”
LabMD appealed the order to the 11th Circuit, arguing, among other things, that the order was unreasonably vague and, thus, violated its due process rights.
The 11th Circuit Decision
The 11th Circuit struck down the FTC order as unreasonably vague. The court characterized the order as requiring the Commission and the courts to micro-manage LabMD’s data security program, raising the specter of multiple and repeated “show-cause” hearings each time the agency viewed the company’s efforts as insufficient. In the court’s view, the order provided insufficient guidance so as to put LabMD on notice of what it must do to comply.
The court did not take issue with the agency’s authority to have pursued LabMD, or the theory under which it did so; however, its requirement that the agency mandate specific measures in its orders presents the agency with a stark choice: (i) lay down clear markers through enforcement actions, which may subject the agency to challenge on the basis that those markers are not reflected in any rule or regulation, or (2) initiate a formal rulemaking process to develop those markers, with all that implies.
The court’s decision is even more significant in that the FTC under current law largely lacks the authority to impose fines for unfair or deceptive security practices. Instead, its tool of choice has been the cease-and-desist order or injunction. Violation of that order or injunction then entitles the agency to levy monetary penalties.
That limitation already has led to calls from some in Congress for statutory changes to grant the FTC more expansive authority. The court’s decision may lend momentum to those efforts.
Regardless, absent some sort of legislative change, the net result of the court’s decision for companies and for data security may be unfavorable. If the agency reacts as the court has directed by imposing specific security requirements, businesses may find themselves forced to comply with obligations that are not suited to their industries or that are outdated or counter-productive. The FTC’s “unreasonableness” approach, while undoubtedly vague, has provided important flexibility both to the regulator and to business. The 11th Circuit’s decision, while on its face a victory for a small business in the face of a powerful regulator, ultimately may come to be a ruling businesses rue.