[PUBLISH]

Case: 16-16270 Date Filed: 06/06/2018 Page: 1 of 31

IN THE UNITED STATES COURT OF APPEALS

FOR THE ELEVENTH CIRCUIT
________________________

No. 16-16270
________________________

Agency No. 9357

LABMD, INC.,

                                        Petitioner,

versus

FEDERAL TRADE COMMISSION,

                                        Respondent.

________________________

Petition for Review of a Decision of the
Federal Trade Commission
________________________

(June 6, 2018)

Before TJOFLAT and WILSON, Circuit Judges, and ROBRENO,* District Judge.

TJOFLAT, Circuit Judge:

* Honorable Eduardo C. Robreno, United States District Judge for the Eastern District of Pennsylvania, sitting by designation.

This is an enforcement action brought by the Federal Trade Commission (“FTC” or “Commission”) against LabMD, Inc., alleging that LabMD’s data-security program was inadequate and thus constituted an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act (the “FTC Act” or “Act”), 15 U.S.C. § 45(a).¹ Following a trial before an administrative law judge (“ALJ”), the Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures. LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.²

I.

A.

LabMD is a now-defunct medical laboratory that previously conducted diagnostic testing for cancer.³ It used medical specimen samples, along with relevant patient information, to provide physicians with diagnoses. Given the nature of its work, LabMD was subject to data-security regulations issued under the Health Insurance Portability and Accountability Act of 1996, known colloquially as HIPAA. LabMD employed a data-security program in an effort to comply with those regulations.⁴

Sometime in 2005, contrary to LabMD policy, a peer-to-peer file-sharing application called LimeWire was installed on a computer used by LabMD’s billing manager.⁵ LimeWire is an application commonly used for sharing and downloading music and videos over the Internet. It connects to the “Gnutella” network, which during the relevant period had two to five million people logged in at any given time. Those using LimeWire and connected to the Gnutella network can browse directories and download files that other users on the network designate for sharing. The billing manager designated the contents of the “My Documents” folder on her computer for sharing, exposing the contents to the other users. Between July 2007 and May 2008, this folder contained a 1,718-page file (the “1718 File”) with the personal information of 9,300 consumers, including names, dates of birth, social security numbers, laboratory test codes, and, for some, health insurance company names, addresses, and policy numbers.

In February 2008, Tiversa Holding Corporation, an entity specializing in data security, used LimeWire to download the 1718 File. Tiversa began contacting LabMD months later, offering to sell its remediation services to LabMD.⁶ LabMD refused Tiversa’s services and removed LimeWire from the billing manager’s computer. Tiversa’s solicitations stopped in July 2008, after LabMD instructed Tiversa to direct any further communications to LabMD’s lawyer. In 2009, Tiversa arranged for the delivery of the 1718 File to the FTC.⁷

¹ Section 5(a) declares unlawful “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). It empowers and directs the Commission “to prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” Id. § 45(a)(2).

² See 15 U.S.C. § 45(c).

³ LabMD is no longer in operation but still exists as a company and continues to secure its computers and the patient data stored within them.

⁴ LabMD’s program included “a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.”

⁵ The record is not clear on the point but we assume that the billing manager installed the peer-to-peer application on her workstation computer.

⁶ As described by the ALJ who initially presided over this case,

    [Tiversa’s] efforts included representing to LabMD that the 1718 File had been found on a peer-to-peer network and sending LabMD a Tiversa Incident Response Services Agreement describing Tiversa’s proposed fee schedule, payment terms, and services that would be provided. These contacts continued from mid-May through mid-July 2008. In these communications, Tiversa represented that Tiversa had “continued to see individuals [on peer-to-peer networks] searching for and downloading copies” of the 1718 File. . . .

    Tiversa’s representations in its communications with LabMD that the 1718 File was being searched for on peer-to-peer networks, and that the 1718 File had spread across peer-to-peer networks, were not true. These assertions were the “usual sales pitch” to encourage the purchase of remediation services from Tiversa. . . .

Tiversa did, however, share a copy of the 1718 File with a Dartmouth College professor, who in February 2009 published an article about data security in the healthcare industry. Tiversa was a “research partner” for the article, meaning it searched for and provided the professor with relevant files to analyze. The professor did not share the 1718 File or its contents with anyone.

⁷ Tiversa’s CEO and the FTC offered testimony at a 2007 congressional hearing regarding peer-to-peer file-sharing technology. About two months after the hearing, the FTC and Tiversa began communicating. The FTC wanted Tiversa to provide it with information regarding companies’ data-security practices. Tiversa, though, did not want a formal request for information—such as a Civil Investigative Demand (“CID”)—to be issued directly to it because it had been in talks about its possible acquisition by a third party. Tiversa thus created an entity called “The Privacy Institute” so that a CID could be issued without directly implicating Tiversa. The FTC issued a CID to The Privacy Institute in 2009 and The Privacy Institute provided the FTC with the 1718 File.

B.

In August 2013, the Commission, following an extensive investigation, issued an administrative complaint against LabMD and assigned an ALJ to the
case. The complaint alleged that LabMD had committed an “unfair act or practice” prohibited by Section 5(a) by “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” Rather than allege specific acts or practices that LabMD engaged in, however, the FTC’s complaint set forth a number of data-security measures that LabMD failed to perform.⁸ LabMD answered the complaint, denying it had engaged in the conduct alleged and asserting several affirmative defenses, among them that the Commission lacked authority under Section 5 of the Act to regulate its handling of the personal information in its computer networks.

After answering the FTC’s complaint, LabMD filed a motion to dismiss it for failure to state a case cognizable under Section 5. The motion essentially replicated the assertions in LabMD’s answer. Under the FTC’s Rules of Practice, the Commission, rather than the ALJ, ruled on the motion to dismiss. The Commission denied the motion, concluding that it had authority under Section 5(a) to prosecute the charge of unfairness asserted in its complaint. LabMD, Inc., 2014-1 Trade Cases P 78784 (F.T.C.) (Jan. 16, 2014).

Following discovery, LabMD filed a motion for summary judgment, presenting arguments similar to those made in support of its motion to dismiss. As before, the motion was submitted to the Commission to decide. It denied the motion on the ground that there were genuine factual disputes relating to LabMD’s liability “for engaging in unfair acts or practices in violation of Section 5(a),” necessitating an evidentiary hearing. LabMD, Inc., 2014-1 Trade Cases P 78785 (F.T.C.), at *1 (May 19, 2014) (quotations omitted). An evidentiary hearing was held before the ALJ in July 2015.⁹

After considering the parties’ submissions, the ALJ dismissed the FTC’s complaint, concluding that the FTC failed to prove that LabMD had committed unfair acts or practices in neglecting to provide adequate security for the personal information lodged in its computer networks. Namely, the FTC failed to prove that LabMD’s “alleged failure to employ reasonable data security . . . caused or is likely to cause substantial injury to consumers,” as required by Section 5(n) of the Act, 15 U.S.C. § 45(n).¹⁰ Because there was no substantial injury or likelihood thereof, there could be no unfair act or practice.

The FTC appealed the ALJ’s decision, which under 16 C.F.R. § 3.52 brought the decision before the full Commission for review. In July 2016, reviewing the ALJ’s findings of fact and conclusions of law de novo, see id. § 3.54, the FTC reversed the ALJ’s decision.

⁸ The FTC’s complaint alleged that LabMD

    (a) did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information. Thus, for example, employees were allowed to send emails with such information to their personal email accounts without using readily available measures to protect the information from unauthorized disclosure;

    (b) did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks. By not using measures such as penetration tests, for example, respondent could not adequately assess the extent of the risks and vulnerabilities of its networks;

    (c) did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;

    (d) did not adequately train employees to safeguard personal information;

    (e) did not require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;

    (f) did not maintain and update operating systems of computers and other devices on its networks. For example, on some computers respondent used operating systems that were unsupported by the vendor, making it unlikely that the systems would be updated to address newly discovered vulnerabilities; and

    (g) did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks. For example, respondent did not use appropriate measures to prevent employees from installing on computers applications or materials that were not needed to perform their jobs or adequately maintain or review records of activity on its networks. As a result, respondent did not detect the installation or use of an unauthorized file sharing application on its networks.

⁹ Prior to the hearing, LabMD amended its answer and once again unsuccessfully moved to dismiss the FTC’s complaint. Nothing in the answer or the motion is pertinent here.

¹⁰ Section 5(n) states, as a prerequisite for an act or practice to be unfair, “[T]he act or practice [1] causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.”

The FTC first found that LabMD “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network.” Therefore, LabMD’s “data security practices were unfair under Section 5.” In
particular, LabMD failed to adequately secure its computer network, employ suitable risk-assessment tools, provide data-security training to its employees, and adequately restrict and monitor the computer practices of those using its network. Because of these deficiencies, the Commission continued, LimeWire was able to be installed on the LabMD billing manager’s computer, and Tiversa was ultimately able to download the 1718 File. The Commission then held that, contrary to the ALJ’s decision, the evidence showed that Section 5(n)’s “substantial injury” prong was met in two ways: the unauthorized disclosure of the 1718 File itself caused intangible privacy harm, and the mere exposure of the 1718 File on LimeWire was likely to cause substantial injury. The FTC went on to conclude that Section 5(n)’s other requirements were also met.¹¹

Next, the Commission addressed and rejected LabMD’s arguments that Section 5(a)’s “unfairness” standard—which, according to the Commission, is a reasonableness standard—is void for vagueness and that the Commission failed to provide fair notice of what data-security practices were adequate under Section 5(a). The FTC then entered an order vacating the ALJ’s decision and enjoining LabMD to install a data-security program that comported with the FTC’s standard of reasonableness. See generally Appendix. The order is to terminate on either July 28, 2036, or twenty years “from the most recent date that the [FTC] files a complaint . . . in federal court alleging any violation of the order, whichever comes later.” Id. at 6.

¹¹ See supra note 10.

C.

LabMD petitioned this Court to review the FTC’s decision. LabMD then moved to stay enforcement of the FTC’s cease and desist order pending review, arguing that compliance with the order was unfeasible given LabMD’s defunct status and de minimis assets. After an FTC response urging against the stay, we granted LabMD’s motion. LabMD, Inc. v. FTC, 678 F. App’x 816 (11th Cir. 2016).

II.

Now, LabMD argues that the Commission’s cease and desist order is unenforceable because the order does not direct it to cease committing an unfair “act or practice” within the meaning of Section 5(a).¹² We review the FTC’s legal conclusions de novo but give “some deference to [its] informed judgment that a particular commercial practice is to be condemned as ‘unfair.’” FTC v. Ind. Fed’n of Dentists, 476 U.S. 447, 454, 106 S. Ct. 2009, 2016 (1986). We review the FTC’s findings of facts under the “substantial evidence” standard, McWane, Inc. v. FTC, 783 F.3d 814, 824 (11th Cir. 2015), which requires “more than a mere scintilla” of evidence “but less than a preponderance,” Dyer v. Barnhart, 395 F.3d 1206, 1210 (11th Cir. 2005).

¹² LabMD’s brief asserts several grounds for setting aside the FTC’s order. The only issue we address is the enforceability of the FTC’s order.

A.

Section 5(a) of the FTC Act authorizes the FTC to protect consumers by “prevent[ing] persons, partnerships, or corporations . . . from using unfair . . . acts or practices in or affecting commerce.” The Act does not define the term “unfair.” The provision’s history, however, elucidates the term’s meaning.

The FTC Act, passed in 1914, created the FTC and gave it power to prohibit “unfair methods of competition.”¹³ Rather than list “the particular practices to which [unfairness] was intended to apply,” Congress “intentionally left development of the term ‘unfair’ to the Commission” through case-by-case litigation¹⁴—though, at the time of the FTC Act’s inception, the FTC’s primary mission was understood to be the enforcement of antitrust law.¹⁵ In 1938, the Act was amended to provide that the FTC had authority to prohibit “unfair . . . acts or practices.”¹⁶ This amendment sought to clarify that the FTC’s authority applied not only to competitors but, importantly, also to consumers.¹⁷ Hence, the FTC possesses “unfairness authority” to prohibit and prosecute unfair acts or practices harmful to consumers.

In 1964, the FTC set forth three factors to consider in deciding whether to wield its unfairness authority. The FTC was to consider whether an act or practice (1) caused consumers, competitors, or other businesses substantial injury; (2) offended public policy as established by statute, the common law, or otherwise; and (3) was immoral, unethical, or unscrupulous.¹⁸ The Supreme Court cited these factors with apparent approval in dicta in the 1972 case FTC v. Sperry & Hutchinson, 405 U.S. 233, 244 n.5, 92 S. Ct. 898, 905 n.5 (1972).

“Emboldened” by Sperry & Hutchinson’s dicta, “the Commission set forth to test the limits of the unfairness doctrine.”¹⁹ This effort peaked in a 1978 attempt to “use unfairness to ban all advertising directed to children on the grounds that it was ‘immoral, unscrupulous, and unethical’ and based on generalized public policies to protect children.”²⁰ Congress and much of the public disapproved.²¹ Congressional backlash included refusing to fund the FTC, thus shutting it down for several days, and passing legislation that prevented the FTC from using its unfairness authority to promulgate rules that restrict children’s advertising.²²

Following this episode, the Commission wrote a unanimous letter to two senators in 1980²³ placing gloss on the three 1964 unfairness factors that were recognized in Sperry & Hutchinson. As to the first factor, consumer injury, the FTC laid out a separate three-part test defining a qualifying injury. These consumer-injury factors would later be codified in Section 5(n). The FTC stated that to warrant a finding of unfairness, an injury “[1] must be substantial; [2] it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and [3] it must be an injury that consumers themselves could not reasonably have avoided.”

¹³ See Marc Winerman, The Origins of the FTC: Concentration, Cooperation, Control, and Competition, 71 Antitrust L.J. 1, 2–6 (2003).

¹⁴ FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239–40, 92 S. Ct. 898, 903 (1972); Atl. Ref. Co. v. FTC, 381 U.S. 357, 367, 85 S. Ct. 1498, 1505 (1965); see S. Rep. No. 63-597, at 13 (1914); H.R. Rep. No. 63-1142, at 19 (1914).

¹⁵ See generally Winerman, supra note 13.

¹⁶ Id. at 96.

¹⁷ FTC v. Colgate-Palmolive Co., 380 U.S. 374, 384, 85 S. Ct. 1035, 1042 (1965); H.R. Rep. No. 75-1613, at 3 (1937).

¹⁸ Unfair or Deceptive Advertising and Labeling of Cigarettes in Relation to the Health Hazards of Smoking, Statement of Basis and Purpose, 29 Fed. Reg. 8324, 8355 (July 2, 1964).

¹⁹ J. Howard Beales, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection, FTC (May 30, 2003), https://www.ftc.gov/public-statements/2003/05/ftcs-use-unfairness-authority-its-rise-fall-and-resurrection.

²⁰ Id.

²¹ See, e.g., The FTC as National Nanny, Wash. Post (Mar. 1, 1978), https://www.washingtonpost.com/archive/politics/1978/03/01/the-ftc-as-national-nanny/69f778f5-8407-4df0-b0e9-7f1f8e826b3b/?utm_term=.015de8e7203d.

²² Beales, supra note 19 (citing FTC Improvements Act of 1980, Pub. L. No. 96-252, § 14, 94 Stat. 388); see 15 U.S.C. § 57a(h).

²³ FTC Policy Statement on Unfairness, FTC (Dec. 17, 1980), available at https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness.

As to the second 1964 unfairness factor, public policy, the FTC specified that the policies relied upon “should be clear and well-established”—that is, “declared or embodied in formal sources such as statutes, judicial decisions, or the Constitution as interpreted by the courts, rather than being ascertained from the
general sense of the national values.” Put another way, an act or practice’s “unfairness” must be grounded in statute, judicial decisions—i.e., the common law—or the Constitution. An act or practice that causes substantial injury but lacks such grounding is not unfair within Section 5(a)’s meaning.²⁴ Finally, the FTC stated that it was nixing the third 1964 unfairness factor—whether a practice is immoral, unethical, or unscrupulous—because it was “largely duplicative” of the first two. Thus, an “unfair” act or practice is one which meets the consumer-injury factors listed above and is grounded in well-established legal policy.

²⁴ Section 5(n) now states, with regard to public policy, “In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.

B.

Here, the FTC’s complaint alleges that LimeWire was installed on the computer used by LabMD’s billing manager. This installation was contrary to company policy.²⁵ The complaint then alleges that LimeWire’s installation caused the 1718 File, which consisted of consumers’ personal information, to be exposed. The 1718 File’s exposure caused consumers injury by infringing upon their right of privacy. Thus, the complaint alleges that LimeWire was installed in defiance of LabMD policy and caused the alleged consumer injury. Had the complaint stopped there, a narrowly drawn and easily enforceable order might have followed, commanding LabMD to eliminate the possibility that employees could install unauthorized programs on their computers.

But the complaint continues past this single allegation of wrongdoing, adding that LimeWire’s installation was not the only conduct that caused the 1718 File to be exposed. It also alleges broadly that LabMD “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” The complaint then provides a litany of security measures that LabMD failed to employ, each setting out in general terms a deficiency in LabMD’s data-security protocol.²⁶ Because LabMD failed to employ these measures, the Commission’s theory goes, LimeWire was able to be installed on the billing manager’s computer. LabMD’s policy forbidding employees from installing programs like LimeWire was insufficient.

The FTC’s complaint, therefore, uses LimeWire’s installation, and the 1718 File’s exposure, as an entry point to broadly allege that LabMD’s data-security operations are deficient as a whole. Aside from the installation of LimeWire on a company computer, the complaint alleges no specific unfair acts or practices engaged in by LabMD. Rather, it was LabMD’s multiple, unspecified failures to act in creating and operating its data-security program that amounted to an unfair act or practice.²⁷ Given the breadth of these failures, the Commission attached to its complaint a proposed order which would regulate all aspects of LabMD’s data-security program—sweeping prophylactic measures to collectively reduce the possibility of employees installing unauthorized programs on their computers and thus exposing consumer information. The proposed cease and desist order, which is identical in all relevant respects to the order the FTC ultimately issued, identifies no specific unfair acts or practices from which LabMD must abstain and instead requires LabMD to implement and maintain a data-security program “reasonably designed” to the Commission’s satisfaction. See generally Appendix.

²⁵ The FTC’s complaint does not state that LimeWire was installed contrary to company policy. But the complaint implies as much in that it does not allege that LabMD’s policy allowed the installation. Further, undisputed evidence in the record indicates that LimeWire was installed contrary to LabMD policy.

²⁶ See supra note 8.

²⁷ After outlining LabMD’s shortcomings in data security, namely those items listed in note 8, supra, the FTC’s complaint states in paragraph 22 that LabMD’s

    failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information, including dates of birth, SSNs, medical test codes, and health information, caused, or is likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. This practice was, and is, an unfair act or practice.

(Emphasis added). Oddly, paragraph 23 of the complaint states that the “acts and practices of [LabMD] as alleged in this complaint constitute unfair acts or practices in or affecting commerce in violation of Section 5(a).” (Emphasis added). Thus, paragraph 22 seems to conceive of all of LabMD’s data-security deficiencies as culminating in a single unfair act or practice, and paragraph 23, though unspecific and perhaps boilerplate, suggests that there were multiple unfair acts or practices. Paragraph 22 better encapsulates the FTC’s theory, as the complaint in preceding paragraphs lays out a number of deficiencies that, “taken together,” constitute unreasonable data security. Further, the Commission’s cease and desist order states, “[T]he Commission has concluded that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violates Section 5.” (Emphasis added). See Appendix at 1.

The decision on which the FTC based its final cease and desist order exhibits more of the same. The FTC found that LabMD “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network” and that the failure caused substantial consumer injury. In effect, the decision held that LabMD’s failure to act in various ways to protect consumer data rendered its entire data-security operation an unfair act or practice. The broad cease and desist order now at issue, according to the Commission, was therefore justified.

* * *

The first question LabMD’s petition for review presents is whether LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice within the ambit of Section 5(a). The FTC declared that it did because such failure caused substantial injury to consumers’ right of privacy, and it issued a cease and desist order to avoid further injury.

The Commission must find the standards of unfairness it enforces in “clear and well-established” policies that are expressed in the Constitution, statutes, or the common law.²⁸ The Commission’s decision in this case does not explicitly cite the source of the standard of unfairness it used in holding that LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice. It is apparent to us, though, that the source is the common law of negligence. According to the Restatement (Second) of Torts § 281 (Am. Law Inst. 1965), Statement of the Elements of a Cause of Action for Negligence,

    [an] actor is liable for an invasion of an interest of another, if:
    (a) the interest invaded is protected against unintentional invasion, and
    (b) the conduct of the actor is negligent with respect to the other, or a class of persons within which [the other] is included, and
    (c) the actor’s conduct is a legal cause of the invasion, and
    (d) the other has not so conducted himself as to disable himself from bringing an action for such invasion.

The gist of the Commission’s complaint and its decision is this: The consumers’ right of privacy is protected against unintentional invasion. LabMD unintentionally invaded their right, and its deficient data-security program was a legal cause. Section 5(a) empowers the Commission to “prevent persons, partnerships, or corporations . . . from using unfair . . . acts or practices.” The law of negligence, the Commission’s action implies, is a source that provides standards for determining whether an act or practice is unfair, so a person, partnership, or corporation that negligently infringes a consumer interest protected against unintentional invasion may be held accountable under Section 5(a). We will assume arguendo that the Commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data-security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.

The second question LabMD’s petition for review presents is whether the Commission’s cease and desist order, founded upon LabMD’s general negligent failure to act, is enforceable. We answer this question in the negative. We illustrate why by first laying out the FTC Act’s enforcement and remedial schemes and then by demonstrating the problems that enforcing the order would pose.

²⁸ FTC Policy Statement on Unfairness, supra note 23.

III.

The FTC carries out its Section 5(a) mission to prevent unfair acts or practices in two ways: formal rulemaking and case-by-case litigation.

The Commission is authorized under 15 U.S.C. § 57a to prescribe rules “which define with specificity” unfair acts or practices within the meaning of Section 5(a). Once a rule takes effect, it becomes in essence an addendum to Section 5(a)’s phrase “unfair . . . acts or practices”; the rule puts the public on notice that a particular act or practice is unfair. The FTC enforces its rules in the federal district courts. Under 15 U.S.C. § 45(m)(1)(A),²⁹ the Commission may

²⁹ This provision states,

    The Commission may commence a civil action to recover a civil penalty in a district court of the United States against any person, partnership, or corporation which violates any rule under this subchapter respecting unfair or deceptive