In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD stemmed from a 2008 security incident in which a LabMD employee downloaded a program that exposed customer information over the internet. Although customer harm was never shown by the FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. LabMD eventually brought the case before the Eleventh Circuit to determine whether the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.

In the decision, the Eleventh Circuit did not directly address questions surrounding customer harm, but rather the court states that even “assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a)” the FTC’s cease-and-desist order was unenforceable because, “[i]t does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”

The court notably did not provide any explicit insight into the FTC’s scope of data security enforcement authority. Rather, the court focused on the practical unenforceability of the FTC’s order, which ultimately lost the case for the agency. Despite this loss, there are no signs that the FTC will slow down enforcement in this area. In fact, the agency will likely increase its efforts to bring actions against unreasonable data security practices.

One particular area in which the agency could flex its enforcement authority is GDPR enforcement. While the GDPR is somewhat limited in scope, US companies must still remain cognizant of their privacy policy and security practices. If a company claims to be GDPR compliant but fails to actually comply with the law, the FTC could bring an enforcement action against the company for an unfair or deceptive business practice: claiming to be GDPR compliant while not actually meeting that standard. Admittedly, any action or fine by the FTC against a company for failing to meet its own privacy policy standards does not compare to the GDPR’s fine of four percent of a company’s annual revenue or 20 million euros, whichever is greater. Regardless, the FTC is still able to investigate a company, at the very least, for making false claims to consumers.

While the Trump administration, as well as several DC agencies, have recently made data security a top priority, the FTC has been establishing itself as the go-to data security enforcement agency for several years. Commissioner Ohlhausen (whose term expires in September 2018), in addition to her background and interest in health-related connected devices, brought extensive privacy, data protection, and cybersecurity experience to the agency, which helped build the FTC’s expertise in this area. By contrast, her current fellow commissioners do not have as much experience working in the data privacy and security industry. However, the agency is not likely to slow down its data security efforts. Just last year, the FTC brought three allegations against companies for making false claims about Privacy Shield participation. The FTC, now fully staffed, will have the resources to keep data security a priority and increase data security enforcement actions.

The Eleventh Circuit LabMD decision did not provide any explicit insight into the FTC’s scope of data security enforcement authority. However, with several new commissioners ready to work, the FTC will likely continue operating, if not expanding, its role as the de facto leading data security enforcement authority in the US.