New Court Ruling Limits Federal Trade Commission Reach in Data Security EnforcementJun 08, 2018
- FisherBroyles News
- Health Care
- Pharmacy Law
Yesterday the 11th U.S. Circuit Court of Appeals in Atlanta vacated a Federal Trade Commission (FTC) cease and desist order directing a medical testing company to overhaul its data security program on the grounds that the order was overbroad and failed to enjoin any specific act or practice. This ruling means that going forward (at least in the States overseen by the 11th Circuit, including Florida, Georgia and Alabama), and unless and until a higher court decides otherwise or Congress acts to alter the FTC’s rulemaking and enforcement authority, the FTC will have to provide far more carefully-tailored orders to companies it finds to have committed unfair trade practices via data breaches or a failure to maintain adequate data security practices.
Over the past decade, the Federal Trade Commission (FTC) has utilized Section 5 of the FTC Act to bring over 50 enforcement actions against companies for breaches of data security. Company failures to protect consumer data were viewed as unfair business practices under the FTC’s interpretation of Section 5. One such company, LabMD, a now-defunct medical testing laboratory, was ordered by the FTC to conduct a complete overhaul of its data security systems following a breach that resulted in the exposure of patient health records and personal information. LabMD argued, and the 11th Circuit agreed, that the FTC’s order was overbroad and unenforceable.
While a three-judge panel of the court assumed for the sake of argument that “the commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice under Section 5,” the panel also decided that the FTC’s subsequent cease and desist order was not enforceable because it failed to enjoin and specific act or practice.
“Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress count not have envisioned.”
The 11th Circuit’s holding binds the federal district courts in Florida, Georgia, and Alabama and applies only to cases that are decided in those courts. It remains to be seen whether federal District and Appellate courts outside those States follow the 11th Circuit’s lead in future decisions regarding the range of the FTC’s authority in data breach enforcement actions. In addition, the FTC may yet seek further review of the decision by the entire panel of 11th Circuit or the U.S. Supreme Court.
The FisherBroyles Pharmacy and Health Care Law team is pleased to keep you updated on events of interest to those in the healthcare and pharmaceutical industries. Questions regarding the subject matter of this alert may be directed to any of the following attorneys:
About FisherBroyles, LLP
Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 23 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at www.fisherbroyles.com to learn more about our firm’s unique approach and how we can best meet your legal needs.
These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.
© 2021 FisherBroyles LLP