Eleventh Circuit Vacates FTC Cease and Desist Order for Failing to Enjoin Specific Cybersecurity Lapses: Court Holds FTC Must Articulate Specific Cybersecurity Measures to Be Implemented

Sullivan & Cromwell LLP - June 12, 2018

On June 6, 2018, in the closely watched case LabMD, Inc. v. Federal Trade Commission, the Eleventh Circuit Court of Appeals vacated a cease and desist order (the “Order”) issued by the Federal Trade Commission (the “FTC”) that would have required LabMD, Inc. (“LabMD”) to, among other things, “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”  Sidestepping the central question of whether the FTC has authority to regulate alleged cybersecurity deficiencies under its unfairness jurisdiction in the absence of tangible consumer harm, the Eleventh Circuit held that, because the Order failed to enjoin any specific act or practice and instead “command[ed] LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness,” the Order was insufficiently specific and therefore unenforceable.