Eleventh Circuit Vacates FTC Cybersecurity Order against LabMD
Attorneys at Ropes & Gray, the law firm representing LabMD in LabMD vs. FTC, write:
On June 6, 2018, at the urging of Ropes & Gray, the U.S. Court of Appeals for the Eleventh Circuit vacated an order that the Federal Trade Commission (the “FTC”) had imposed on LabMD, Inc. (“LabMD”) to overhaul the cancer detection laboratory’s data security program. The court ruled that the FTC’s order is unenforceable because, rather than enjoining a specific act or practice, it mandates a complete overhaul of LabMD’s data security program and says little about how this is to be accomplished, effectively charging a district court with managing the overhaul. The decision also recognizes important limitations on the agency’s authority even to declare an act “unfair” in the first place. The Eleventh Circuit’s rejection of the FTC’s action against LabMD has significant implications both for the FTC’s privacy and data security program and for other regulatory and private litigation contexts.
Read more on Ropes & Gray.
I realize that there are many privacy law scholars who are not happy with the 11th Circuit’s opinion and/or who feel that the court got it wrong, but as one of those people who felt that this was an absolutely outrageous case that never should have been brought, I am delighted for LabMD, Mike Daugherty, and kudos to his legal team. Well done! And if FTC doesn’t like what happens now, well, maybe they shouldn’t have been so over the top in starting an enforcement action where, despite the FTC’s claims, there was no harm to consumers and once the employee’s misstep was pointed out, no risk of a recurrence.