Did the 11th Circuit Just Disarm the Nation’s Cybersecurity Cop?

Over the years, the Federal Trade Commission has emerged as the de facto traffic cop in addressing cybersecurity breaches.  Two recent cases sought to challenge the FTC’s authority in this area.

  • The first was Wyndham Worldwide Corporation which challenged the FTC’s authority over data security only to have the Third Circuit affirm’s the FTC’s authority.
  • The other company was LabMD, a now-defunct clinical laboratory,  which challenged an FTC order “enjoining LabMD to install a data-security program that comported with the FTC’s standard of reasonableness.

Today, the 11th Circuit has ruled in LabMD’s favor finding the FTC’s Order were unenforceable.  In its opinion, Judge Gerald Tjoflat† stressed that “prohibitions contained in cease and desist orders and injunctions must be specific.”  The FTC Order:

does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. We therefore grant LabMD’s petition for review and vacate the Commission’s order.

Unless the FTC is able to restate its orders in cyber security/ data breach cases in a more specific manner, it would appear that the nation’s cybersecurity cop has just been largely disarmed

† The 88-year old Judge Tjoflat is the longest-serving federal appeals court judge still in active service.