Privacy and Data Security – FTC Loses Appeal Over Data Security Order
The Federal Trade Commission (FTC) has been increasingly aggressive in privacy and data security investigations and enforcement for more than a decade.
In 2013, the FTC sued LabMD alleging that lax data security practices had resulted in the exposure of sensitive information about thousands of consumers. LabMD denied wrongdoing and argued that the FTC did not possess the authority to dictate the handling of personal information.
Following a request by LabMD, the U.S. Court of Appeals for the 11th Circuit has agreed to vacate the FTC order directing LabMD to overhaul its data security program. In doing so, the court found the order to be unenforceable and criticized the lack of specificity regarding how the data security changes should be implemented and which specific acts or practices were enjoined. The court deferred to the Commission on the broader question regarding its data security authority.
The order “… does not enjoin a specific act or practice. Instead it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished,” the judges wrote in their opinion.
The FTC said in a statement: “Although we are disappointed by the appeals court’s ruling, we will continue to do everything we can to protect consumer privacy. We are evaluating our next steps in response to this decision.”
The court also stated that “[n]othing in the FTC Act addresses what content must go into a cease and desist order. However, a complaint must contain ‘[a] clear and concise factual statement sufficient to inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law.’ 16 C.F.R. § 3.11. It follows that the remedy the complaint seeks must comport with this requirement of reasonable definiteness. Moreover, given the severity of the civil penalties a district court may impose for the violation of a cease and desist order, the order’s prohibitions must be stated with clarity and precision.”
When fashioning and enforcing an injunction in an action brought in district court under Section 13(b), Federal Rule of Civil Procedure 65(d)(1) requires that the injunctive order state the reasons for its coercive provisions, state those provisions specifically, and describe the acts restrained or required in reasonable detail.
An order’s prohibitions should be clear and precise in order that they may be understood by those against whom they are directed.
In the case at hand, the cease and desist order contained no prohibitions. It failed to instruct LabMD to stop committing a specific act or practice with respect to its data security. Rather, it commanded LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command was found unenforceable.
The FTC sought an order requiring LabMD to show cause why it should not be held in contempt for violating the following injunctive provision:
“[T]he respondent shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers . . . . Such program . . . shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers . . . .”
LabMD’s expert testified that the data-security program it implemented complied with the injunctive provision at issue, and that “X” was not necessary for a reasonably designed data-security program. The Commission’s expert disagreed. The court ruled that nothing in the order indicates which expert is correct or provides any meaningful standard for what a “reasonably designed” data security program is.
The court concluded that the FTC failed to prove, and could not prove, LabMD’s alleged violation by clear and convincing evidence.
In sum, even if LabMD negligently failed to implement and maintain a reasonable data security program, constituting an unfair act or practice under Section 5(a), the FTC’s cease and desist order was nonetheless found to be unenforceable.
Please see here for a recent blog post concerning a stipulated modification to a privacy-related consumer protection order.
Contact FTC advertising compliance lawyer Richard Newman at [email protected] to discuss the implementation of preventative telemarketing compliance protocols, or if your company is the subject of an FTC enforcement action or investigation (CID).
Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP focusing on advertising and digital media matters.
ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.