Document Type



On June 6, 2018, in LabMD, Inc. v. Federal Trade Commission (LabMD III), the U.S. Court of Appeals for the Eleventh Circuit vacated a Federal Trade Commission order that required a small medical laboratory to maintain a reasonable data security program following a data breach. The case presented the Eleventh Circuit with the opportunity to clarify the FTC’s data privacy and security enforcement powers under Section 5 of the FTC Act. The court, however, only addressed this issue briefly in dicta, and instead held that the order was unenforceable because it was overly-broad. This Comment argues that Eleventh Circuit’s decision introduces further confusion about the scope of the FTC’s enforcement authority and meaningfully constrains the FTC’s approach to data privacy and security remediation.