Labmd, Inc. v. Fed. Trade Comm'n
894 F.3d 1221
11th Cir. 2018
Background
- LabMD, a medical testing lab subject to HIPAA, had a billing-manager workstation on which the peer-to-peer application LimeWire was installed contrary to company policy, exposing a 1,718‑page file with personal data for ~9,300 consumers (the "1718 File").
- Tiversa downloaded the file and later provided it to the FTC; LabMD refused remediation services and removed LimeWire when notified.
- The FTC filed an administrative complaint alleging LabMD's overall data‑security program was inadequate and thus an "unfair act or practice" under Section 5(a); the complaint listed numerous generalized security failures rather than a single discrete wrongful act.
- An ALJ found insufficient proof of substantial consumer injury under Section 5(n) and dismissed the complaint; the full FTC reversed, concluding LabMD's deficient data security was unfair and issued a broad cease‑and‑desist order requiring a "comprehensive information security program reasonably designed" to protect consumer data.
- LabMD petitioned for review in the Eleventh Circuit, arguing the FTC order is unenforceable because it does not prohibit a specific unfair act or practice; the Court stayed enforcement and heard the petition.
- The Eleventh Circuit assumed arguendo that negligent failure to maintain reasonable security could be an unfair practice, but held the FTC order unenforceable because it lacks specificity and effectively delegates ongoing standards to the FTC and courts, raising due‑process and enforceability problems.
Issues
| Issue | Plaintiff's Argument (FTC) | Defendant's Argument (LabMD) | Held |
|---|---|---|---|
| Whether LabMD's failure to implement and maintain a reasonably designed data‑security program constitutes an "unfair act or practice" under Section 5(a) | LabMD's cumulative security failures caused or were likely to cause substantial consumer injury (privacy harm) and thus are unfair under Section 5(a)/5(n) | Section 5(a) cannot be used to regulate such generalized negligence; the Commission lacked authority and failed to give fair notice | Court assumed arguendo that negligent data‑security failure can be an unfair practice, but did not decide the substantive boundary definitively |
| Whether the FTC's cease‑and‑desist order is sufficiently specific and therefore enforceable | The order appropriately enjoins LabMD by requiring a reasonable information‑security program and attendant measures | The order is impermissibly vague: it does not identify a specific act to stop, instead mandates an indeterminate program standard that cannot be enforced without continual judicial management | Held unenforceable—vacated for lack of specificity and practical enforceability |
| Whether administrative cease‑and‑desist orders can be enforced via penalties or contempt without clear standards | The Commission may issue orders setting standards and enforce compliance through §5(l) penalties and enforcement mechanisms | Vague orders expose defendants to severe penalties without fair notice and would force courts into micromanaging business practices via repeated show‑cause hearings and injunction modifications | Court emphasized the need for particularity in orders; sanctions require clear, specific prohibitions |
| Proper enforcement path for articulating broad conduct standards affecting businesses | Commission can develop rules via §57a rulemaking or define unfairness through case‑by‑case litigation with clear holdings | When relying on litigation to establish new standards, the Commission must ensure the resulting remedial order is precise and administrable | Court suggested that broad prophylactic orders imposing open‑ended obligations are improper absent clearer standards or rulemaking |
Key Cases Cited
- FTC v. Sperry & Hutchinson Co., 405 U.S. 233 (1972) (discusses FTC's unfairness doctrine and factors)
- FTC v. Colgate‑Palmolive Co., 380 U.S. 374 (1965) (orders must be clear and precise to provide fair notice and avoid due‑process problems)
- Indiana Fed'n of Dentists v. FTC, 476 U.S. 447 (1986) (appellate deference to FTC's judgment that a commercial practice is "unfair")
- McWane, Inc. v. FTC, 783 F.3d 814 (11th Cir. 2015) (substantial‑evidence standard for FTC factual findings)
- Dyer v. Barnhart, 395 F.3d 1206 (11th Cir. 2005) (definition of substantial evidence review)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading standard, "more than the mere possibility of misconduct")
- Schmidt v. Lessard, 414 U.S. 473 (1974) (Rule 65(d) requires injunction specificity; vagueness precludes contempt)
- Int'l Longshoremen's Ass'n v. Phila. Marine Trade Ass'n, 389 U.S. 64 (1967) (penalties for violating vague commands violate due process)
- BMW of N. Am., Inc. v. Gore, 517 U.S. 559 (1996) (due‑process concerns require fair notice when civil penalties are severe)
- McGregor v. Chierico, 206 F.3d 1378 (11th Cir. 2000) (to establish civil contempt, violations must be shown by clear and convincing evidence and ability to comply must be proved)
- FTC v. Trudeau, 579 F.3d 754 (7th Cir. 2009) (clear‑and‑convincing standard for contempt in FTC enforcement)
