WASHINGTON, DC — Since the Federal Trade Commission began bringing data security enforcement actions in 2002, no court had ruled on the substantive merits of the FTC’s approach — until today. A panel of three Eleventh Circuit judges (appointed by Presidents Ford, Clinton and H.W. Bush, respectively) decisively rejected the FTC’s use of broad, vague consent decrees, ruling that the Commission may only bar specific practices, and cannot require a company “to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”

“The court could hardly have been more clear: the FTC has been acting unlawfully for well over a decade,” said Berin Szóka, President of TechFreedom. “After carefully dissecting the Commission’s enforcement powers, the Court ruled that the FTC Act already implicitly requires that the FTC’s complaints be pleaded with specificity, just as Congress has explicitly required for fraud cases under Rule 9(b) of the Federal Rules of Civil Procedure. The court noted a constitutional basis for this requirement: ‘Being held in contempt and sanctioned pursuant to an insufficiently specific injunction is …. a denial of due process.’ We made essentially the same constitutional argument in our 2014 amicus brief in the Wyndham case. The Commission ignored us for years, but it can’t ignore the court.”

The FTC could now ask the full Eleventh Circuit to review the panel decision en banc. Such a request is far more likely to be granted than the alternative: a petition for review by the Supreme Court. While today’s decision is technically binding only in the Eleventh Circuit (Georgia, Florida, and Alabama), it calls into question the FTC’s approach to data security nationwide and raises the possibility that many of the FTC’s past data security consent decrees could be invalidated for effectively bypassing the safeguards put in place on rulemaking by a Democratic Congress and Democratic President in 1980 after the Commission’s abuses of its rulemaking powers in the late 1970s.

“Today’s decision doesn’t leave consumers unprotected, but it does require significant changes in the FTC’s approach,” continued Szóka, outlining three approaches the FTC could take:

  • “The Commission can continue enforcing commitments by companies to uphold specific data security standards. So the Commission should start by doing what it should have done years ago: encouraging standards-setting organizations and trade associations to develop codes of conduct tailored to particular industry sectors and to businesses of particular sizes. Perhaps the most shocking thing about the LabMD litigation was that, after six years of investigating the Georgia small business that ran a cancer testing lab, the FTC’s expert witness could only speak to the data security practices of Fortune 500 companies.”
  • “The Commission can still bring enforcement actions, but will need to be much more specific about the conduct at issue. For instance, the court noted here that the Commission could have issued ‘a narrowly drawn and easily enforceable order …. commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers.’ The problem was the Commission’s complaint went far beyond that, attempting to put LabMD on the hook for twenty years for failing to provide ‘reasonable’ data security.”
  • “The Commission could ask Congress to write legislation to clarify how data security should be regulated. Such legislation shouldn’t be conceived as a way to overrule the decision, but rather a way to ensure that companies, especially small businesses, have the clarity about how to assess whether they’re doing enough to secure consumers’ data.”

“This is a true David and Goliath story,” concluded Szóka. “Well over sixty companies, many of them America’s biggest corporations, have simply rolled over when the FTC threatened to sue them. Wyndham Hotels did challenge the FTC in court, but gave up in the early stages of litigation. Only Mike Daugherty, the entrepreneur who started and ran LabMD, had the temerity to see this case through all the way to a federal court. This February marked a decade since his company was first approached by Tiversa, which claimed to have discovered a LabMD file on a peer-to-peer file-sharing network. Tiversa’s shakedown operation was so transparent that one Republican FTC Commissioner, in 2012, warned the Commission not to rely on such evidence — meaning, effectively, that the Commission should drop the complaint. Nevertheless, the Democratic majority on the Commission persisted — and in so doing, finally brought the FTC’s house of cards tumbling down. After losing his business and a decade of his life, Daugherty is a hero to anyone who’s ever gotten the short end of the regulatory stick.”

Read the panel decision here. We can be reached for comment at media@techfreedom.org.