LabMD Beats FTC in Cybersecurity Appeal – What’s Next for “Reasonableness”-Based Enforcement Cases?
Key takeaways
- The Eleventh Circuit held that the Federal Trade Commission’s cease and desist order against LabMD was unenforceable for lack of specificity. Rather than enjoining a specific act or practice, the order required the company to implement “reasonable” cybersecurity practices.
- Most of the FTC’s existing consent orders involving data security include similar requirements, so the decision calls their enforceability into question. The FTC may need to tailor future orders to specific deficiencies identified in its investigations.
- The decision also has potential implications beyond the cybersecurity context. Companies may begin to challenge consent orders based on alleged false advertising, many of which are similarly premised on a reasonableness standard.