Eleventh Circuit Invalidates FTC Cease and Desist Order Requiring “Reasonable” Cybersecurity Measures
The Eleventh Circuit Court of Appeals has rejected a cease and desist order issued by the Federal Trade Commission to a laboratory company for its “inadequate” data security program as unenforceable, because the order did not specify prohibited behaviors, but rather commanded the company to overhaul its data security program and adhere to an “indeterminable standard of reasonableness.”
The FTC issued a cease and desist order which found that a medical laboratory’s data security program was inadequate after a billing manager unwittingly shared HIPAA-regulated confidential patient documents—including names, dates of birth, social security numbers, laboratory test codes, health insurance company names, addresses, and policy numbers—by connecting her work computer to a music-sharing platform. In the court’s formulation, the order required the company to “overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”
The FTC based its cease and desist order on the theory that the lab violated Section 5(a) of the FTC Act, which prohibits “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce,” when it “unintentional[ly]” invaded consumers’ right to privacy. The court declined to decide whether the laboratory’s unintentional invasion of consumers’ privacy actually constituted a Section 5(a) violation. Instead, it assumed for the sake of argument that the lab (1) “fail[ed] to design and maintain a reasonable data-security program,” and (2) violated consumers’ right of privacy in a way that constituted an unfair act or practice in violation of Section 5(a).
Even if a violation had occurred, however, the court held that the cease and desist order was not enforceable as written. The court noted that the FTC Rule of Practice governing administrative complaints requires the commission to include in its complaints “[a] clear and concise factual statement sufficient to inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law.” The court found that in order to achieve reasonable definiteness, the prohibitions of a cease and desist order must be stated “with clarity and precision.” Citing case law for the proposition that injunctions must be specific to be enforceable, the court suggested that “the imposition of penalties upon a party for violating an imprecise cease and desist order may constitute a denial of due process.”
Because the FTC’s order here was not reasonably definite—lacking specificity and containing “no prohibitions”—it was not enforceable. Accordingly, the court granted the company’s petition for review and vacated the FTC’s order.
The case, LABMD, Inc. v. Federal Trade Commission, is available here.