The long-anticipated decision in LabMD v. FTC has finally arrived. The 11th Circuit held that the FTC’s cease-and-desist order against LabMD is unenforceable:
In sum, assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a), the Commission’s cease and desist order is nonetheless unenforceable. It does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned.
To get to this outcome, the court posited a scenario where the FTC haled LabMD into District Court to enforce the cease-and-desist order. The court reasoned that the ensuing battle of experts that would be required to inform the court as to whether LabMD’s data security practices were reasonable based on some specific design issue (which the court called “x” and “y”) would be impossible to resolve because “[n]othing in the provision . . . indicates which expert is correct. The provision contains no mention of ‘x’ [that is, whatever specific data security feature the FTC chose to challenge] and is devoid of any meaningful standard informing the court of what constitutes a ‘reasonably designed’ data security program.” Under this scenario, the court concluded, the FTC could never win its motion to enforce the order. A contrary result — the court determining “x” was necessary — would require the court to “micromanage” the “repeatedly modif[ied] injunction.”
To this reader, the court’s analysis seems wanting. Judicial decisionmakers are constantly asked to decide a battle of experts in negligence cases, where the standard of care is at issue. It does not seem correct to say that because the order does not specify some standard that it is not possible to determine what is reasonable. Professional malpractice cases (medical, legal, accounting, etc.) often hinge on experts opining on what the standard of care is — and sometimes disagreeing on what is applicable. Why is a case about data security standards, treated under a negligence framework, any different?
The court’s concern about “micromanaging” the constant modification of an order seems to be more defensible as a practical matter. Implicitly, this concern says more about the potential power that the FTC could wield with a broad, sweeping order, potentially consuming judicial resources and leading to arbitrary behavior by the agency.
The upshot is not that the FTC does not have the power to craft a requirement that companies implement reasonable data security programs in the context of an enforcement action; but rather that if it wants to do so in a way that is going to be enforceable by a court, it needs to provide more specificity to allay concerns about standardless requirements, on the one hand, and overtaxing judicial resources, on the other.