Practitioners have been waiting for quite some time for the 11th Circuit’s decision in the LabMD case. LabMD, Inc. v. Fed. Trade Comm’n, No. 16-16-270 (11th Cir. June 6, 2018). In particular, there was a great deal of interest as to how the court might resolve the issue of whether the “substantial injury” requirement under the unfairness prong of Section 5(a) of the FTC Act was satisfied by a data breach in 2008 involving approximately 9000 consumers and with little evidence of actual consumer monetary injury.
Well, the 11th Circuit published its decision this week but the issue regarding the meaning of “substantial injury” will have to wait for another day as the Court declined to address that question, instead ruling that the Federal Trade Commission’s order as drafted is unenforceable. In doing so, the 11th Circuit likely surprised a lot of folks and created a great deal of uncertainty regarding FTC orders in general.
The Court noted that for the most part the FTC’s complaint against LabMD was premised not upon certain affirmative acts taken by the company but rather by their failure to act in particular ways. In other words, the company had been negligent in establishing a reasonable data security program. The Court assumed for the sake of argument that the FTC could base an unfairness complaint upon a negligent failure to act but then went on to find the order unenforceable because the order set forth an indefinite “reasonableness” standard with respect to the Company’s future obligations in establishing data security measures. The relevant order language read as follows: