For many years, the Federal Trade Commission has argued that it has the authority to target businesses with deficient cybersecurity practices. This authority is not found in statute, but the FTC argues that its Section 5 authority to police unfair practices extends to cybersecurity. However, a ruling last week by the 11th U.S. Circuit Court of Appeals in LabMD v. FTC makes clear that the FTC cannot use this authority to impose vague cybersecurity standards on the private sector. The FTC should use this ruling as a chance to recalibrate its strategy for promoting strong cybersecurity practices among businesses.
This case originated in 2005, when a billing manager at LabMD, a now-defunct medical laboratory that conducted diagnostic testing for cancer, installed LimeWire, a peer-to-peer file-sharing application mostly used to pirate movies and music, on her computer in violation of the company’s policies. The billing manager then shared her “My Documents” folder on the peer-to-peer network, inadvertently exposing sensitive computer files, including a 1,718-page electronic document containing personal information on 9,300 consumers, to other LimeWire users. In February 2008, a security company notified LabMD of the problem and offered to provide its remediation services. LabMD declined to hire the company and removed LimeWire from the billing manager’s computer on its own. Subsequently, the security company reported LabMD to the FTC, which argued that the exposed file was emblematic of LabMD’s overall lax security practices.
However, the FTC’s complaint against LabMD has always been suspect. Notably, the FTC’s complaint was not about anything the company was doing, but rather about what it was not doing. The FTC said that LabMD had failed to implement a number of cybersecurity measures, such as conducting penetration testing on its networks, using two-factor authentication and properly configuring its firewall. But none of these measures are required by law. Companies that suffer data breaches, almost by definition, have deficient cybersecurity practices because unauthorized individuals obtained access to data stored in protected systems. The FTC has been reluctant to provide specific compliance criteria to companies ahead of time, instead engaging in Monday morning quarterbacking after attacks occur. The result is that businesses that experience data breaches may face a second reckoning if the FTC decides they were responsible.
To resolve this case, the FTC did not order LabMD to stop engaging in any specific practices or behaviors it designated as unfair, but instead ordered the company to develop and maintain a comprehensive cybersecurity program that meets an unspecified standard of reasonableness. The 11th Circuit did not rule on whether the FTC was justified in its complaint, but it did rule that the FTC’s proposed resolution to this case — an order to LabMD to implement additional cybersecurity practices — was unenforceable because it was too vague. The court stated that injunctive orders must be specific; otherwise they are unenforceable.
The question for the FTC is where it goes from here. Its best option is to outline a specific set of criteria for how it defines reasonable cybersecurity and order companies where data breaches cause unfair consumer injury to meet these requirements. This would give companies concrete guidance on how to improve cybersecurity and address the 11th Circuit Court’s critique that its order was insufficiently specific.
The 11th Circuit Court’s ruling did not directly address whether the FTC exceeded its authority, but it did specify that “the act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the constitution.” This part of the ruling may energize other companies to fight future FTC rulings. To help mitigate this problem, Congress could consider steps to strengthen the FTC’s hand, such as by requiring companies to publish their security policies. The goal of this requirement would be to give the FTC a concrete metric — the company’s own stated practices — against which to assess companies’ cybersecurity measures, while avoiding having the FTC dictate specific technical requirements for cybersecurity for the entire private sector. The FTC would then clearly be within its authority to bring action against companies that deviate from their stated practices.
Ultimately, this is a Pyrrhic victory for LabMD. In its prime, the company earned $35-40 million in annual revenue. But the strain of fighting this case has destroyed this once-profitable company — mounting fees, operational problems, and strain from the legal case eventually led the company to shut down — and it now serves as a cautionary tale for companies that choose to fight allegations of wrongdoing by the FTC.
But this ruling could be a turning point for the FTC, especially with a new set of commissioners who may not want to appeal this case and may be looking for more business-friendly approaches to regulating cybersecurity.
Daniel Castro is the vice president of the Information Technology and Innovation Foundation, the world’s leading science and tech-policy think tank.