Practitioners have been waiting for quite some time for the 11th Circuit’s decision in the LabMD case. LabMD, Inc. v. Fed. Trade Comm’n, No. 16-16-270 (11th Cir. June 6, 2018). In particular, there was a great deal of interest as to how the court might resolve the issue of whether the “substantial injury” requirement under the unfairness prong of Section 5(a) of the FTC Act was satisfied by a data breach in 2008 involving approximately 9000 consumers and with little evidence of actual consumer monetary injury.
Well, the 11th Circuit published its decision this week but the issue regarding the meaning of “substantial injury” will have to wait for another day as the Court declined to address that question, instead ruling that the Federal Trade Commission’s order as drafted is unenforceable. In doing so, the 11th Circuit likely surprised a lot of folks and created a great deal of uncertainty regarding FTC orders in general.
The Court noted that for the most part the FTC’s complaint against LabMD was premised not upon certain affirmative acts taken by the company but rather upon its failure to act in particular ways. In other words, the company had been negligent in establishing a reasonable data security program. The Court assumed for the sake of argument that the FTC could base an unfairness complaint upon a negligent failure to act but then went on to find the order unenforceable because the order set forth an indefinite “reasonableness” standard with respect to the Company’s future obligations in establishing data security measures. The relevant order language read as follows:
[T]he respondent shall … establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers … Such program … shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers …
The Court felt that this language was too vague and did not provide specific enough guidance as to what conduct was required of the Company lest it be subject to monetary penalties for violation of the order. The Court noted, by way of example, that the FTC could go to court and argue that the order had been violated because the Company had failed to implement “x” policy. The Company could produce an expert who would testify that “x” was not reasonably necessary to ensure adequate data security and the Commission might well produce an expert who would argue that “x” was necessary. The Court argued that a finding in favor of the Commission in this type of scenario would essentially entail modifying the order so as to specifically require “x” and that such post hoc order modification was not permissible.
We don’t want to wade into whether the 11th Circuit got this issue right, and the ruling obviously presents lots of issues for other Commission privacy matters, but there are other areas outside of privacy where the 11th Circuit’s ruling could create complications for the Commission. For example, the Commission’s advertising substantiation doctrine is built upon the idea of a “reasonable basis” and that requirement is often written into Commission orders that require substantiation that experts in the field would believe to be adequate. This language, of course, begins to sound a lot like the language in LabMD that the 11th Circuit objected to.
Almost a decade ago, partially in response to decisions like those in Lane Labs, the Commission began providing more specificity in its substantiation orders, setting forth, for example, exactly how many and what type of clinical trials would be required. In this situation, the Commission was not reacting to courts finding that its orders were too vague to be enforceable but rather that an order’s “reasonableness” requirement could be too easily satisfied by a company putting forth a qualified expert to assert that its single study involving some type of animal was sufficient.
In recent years, however, the Commission has backed away from this approach, reacting in part to criticism by courts and commentators that putting such language in orders was too rigid and lacked the flexibility provided by the reasonable basis standard. Is the LabMD decision now going to force the Commission back in the other direction, particularly if companies begin mounting similar challenges to substantiation consent orders? No doubt the Commission must feel a bit like Goldilocks in search of that bed that is neither too small nor too big but exactly just right.