CIPP/US Study Guide
Chapter 5: Federal and State Regulators and Enforcement of Privacy Law

Court Confirmation of FTC Authority: Wyndham and LabMD

FTC v. Wyndham (2015, Third Circuit) confirmed the FTC's unfairness authority extends to cybersecurity. FTC v. LabMD (2018, Eleventh Circuit) recognized that authority but vacated the FTC's order for being too vague about how to comply.

Two foundational FTC cybersecurity cases

Case | Court / year | Holding
FTC v. Wyndham | Third Circuit, 2015 | FTC's unfairness authority under Section 5 extends to cybersecurity practices harmful to consumers; FTC may require more than minimum standards
FTC v. LabMD | Eleventh Circuit, 2018 | Recognized FTC authority but vacated the FTC order as too vague - it 'mandates a complete overhaul' without saying how

Why LabMD's order failed

An ALJ first dismissed the action for failing to show consumer harm; the FTC reversed and ordered a comprehensive security program. The Eleventh Circuit vacated the order because it did not enjoin a specific act and 'says precious little about how' the overhaul should be accomplished.

Key terms - quick answers

What is “FTC v. Wyndham”?
2015 Third Circuit case confirming the FTC's Section 5 unfairness authority extends to regulating cybersecurity practices harmful to consumers.
What is “FTC v. LabMD”?
2018 Eleventh Circuit case that recognized FTC authority but vacated its order as too vague, constraining the FTC's ability to mandate comprehensive security overhauls.