FTC’s Cybersecurity Remedial Authority Limited

by David A. Katz, Marshall L. Miller, and Jonathan Siegel

The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised.  LabMD, Inc. v. Federal Trade Commission.  The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents.

In LabMD, a company employee installed a file-sharing program known as LimeWire on her computer, inadvertently enabling other users of LimeWire to access company data, including a file containing sensitive customer information.  After administrative proceedings, the FTC found that by failing to have an adequate security program to protect sensitive customer information, LabMD had engaged in an “unfair act or practice” prohibited by the FTC Act.  The FTC issued a cease-and-desist order requiring LabMD to “establish and implement . . . a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of [customer data].”

On review, the Eleventh Circuit assumed — without deciding — that a company’s negligent failure to maintain a reasonable data security program could, under certain circumstances, constitute an unfair act or practice.  The court nevertheless vacated the FTC’s cease-and-desist order as unenforceable, holding that the prohibitions or requirements in an FTC order must be specific and cannot impose vague requirements turning on “an indeterminable standard of reasonableness.” 

The long-term impact of LabMD will depend on whether courts outside the Eleventh Circuit follow its lead and whether the Supreme Court weighs in.  But, in the meantime, companies responding to FTC cyber enforcement investigations now possess stronger arguments against broad FTC remedial orders.  Moreover, LabMD’s narrowing of the FTC’s remedial authority erects a new hurdle for the agency to surmount in its efforts to regulate cyber and data security through its traditional case-by-case enforcement approach.

David A. Katz is a partner, Marshall L. Miller is of counsel, and Jonathan Siegel is an associate at Wachtell, Lipton, Rosen & Katz.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.