The Federal Trade Commission (FTC) has issued an Opinion and Final Order finding that the data security practices of LabMD, Inc. were unreasonable, and therefore constituted an unfair act or practice in violation of Section 5 of the FTC Act.
In so holding, the FTC vacated the November 2015 Initial Decision of its chief administrative law judge (ALJ), which had found in favor of LabMD and dismissed the FTC's enforcement action.
LabMD operated as a medical testing laboratory from 2001 until 2014, and its operations included collecting the sensitive personal information, including Social Security numbers and medical information, of more than 750,000 patients. The FTC initially brought a complaint against LabMD in August 2013 alleging that the company failed to take reasonable steps to protect the security of consumers' personal information, which amounted to an unfair act or practice in violation of Section 5 of the FTC Act. Specifically, the FTC based its case on two incidents. One involved an electronic file that contained the sensitive personal information of approximately 9,300 patients which was found on a peer-to-peer (P2P) file-sharing network. The other involved hard-copy documents with sensitive personal information of approximately 500 consumers that were found in the possession of third parties.
As we previously reported, in November 2015, the chief ALJ dismissed the enforcement action because the FTC failed to prove that LabMD's practices were "likely to cause substantial injury to consumers." Although substantial time had passed since the incidents, the chief ALJ found that the FTC had not proved that any consumers had actually been harmed.
The FTC's July 29, 2016, Order unanimously overturned the ALJ's decision. The FTC concluded that the ALJ applied the wrong legal standard for determining whether LabMD's practices were unfair by asking only whether those practices were "likely to cause substantial injury." Instead, the FTC held that "a practice may be unfair if the magnitude of potential injury is large, even if the likelihood of the injury occurring is low." It also concluded that the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is itself a substantial injury under Section 5(n) of the FTC Act. The FTC further concluded that making a file containing such information available on the LimeWire P2P network for 11 months was highly likely to cause substantial privacy harm to thousands of consumers.
The FTC Order reiterated the importance of a risk assessment as the essential starting point of any data security program. It specifically referenced both NIST Special Publication 800-30 (Risk Management Guide for Information Technology Systems, 2002) and the risk assessment requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as useful benchmarks for what may constitute reasonable data security under Section 5 of the FTC Act.
The FTC Order concluded that LabMD had failed to conduct such a risk assessment, and its "security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system." In particular, the FTC noted that LabMD, "failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected."
The FTC's Order is significant and should be carefully assessed by companies for a number of reasons. First, the FTC focused on the types of data that were exposed: extremely sensitive personal information, including Social Security numbers and medical and health information. The FTC's reasoning suggests that certain categories of data may attract heightened scrutiny, where the magnitude of potential harm is great even if the likelihood of harm is uncertain. This may go so far as a presumption of injury, and thus liability, in incidents exposing these types of data. Companies handling medical information should also be aware that, in addition to HIPAA enforcement by the Department of Health and Human Services, they may be subject to FTC enforcement for the same data security failures.
Second, the FTC's Order highlights the need for companies to fully understand the functionality of the technology used on their networks. LimeWire and some other P2P clients are configured to share files by default upon installation. Thus, although the FTC alleged that it was "widely known" that LimeWire was being used by LabMD employees to download music, the exposure of LabMD's data on LimeWire may have been both unintentional on the part of the user and undetected by LabMD's information security personnel. Nevertheless, it still served as a basis for liability. Therefore, companies, particularly those with "Bring Your Own Device" policies in place, must know what devices and what software are running on their networks. They also should implement policies and technical controls that prevent the installation or use of P2P software on any device connected to the company's network, whether it belongs to the company or the employee.
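The detection side of that last point can be illustrated with a small script. The example below is added here and is not part of the FTC Order or of LabMD's environment; it assumes a simple firewall log format, a 10.0.0.0/8 internal range, a software inventory keyed by hostname, and the common default ports of two P2P protocols (Gnutella, the network LimeWire uses, on 6346/6347; BitTorrent on 6881-6889). It flags internal hosts that connect out to P2P ports, hosts that are accepting inbound connections on those ports (the pattern produced by a client that shares by default), and hosts whose installed-software inventory lists a known P2P client. All log lines and inventory entries are constructed for the example.

```python
"""Flag peer-to-peer (P2P) file-sharing activity from firewall logs and a software inventory.

Added example, not from the FTC Order or LabMD. Log format, ports, internal range and
client names below are assumptions for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed default ports: Gnutella (used by LimeWire) 6346/6347, BitTorrent 6881-6889.
P2P_PORTS = {6346: "gnutella", 6347: "gnutella"}
P2P_PORTS.update({p: "bittorrent" for p in range(6881, 6890)})

# Substrings matched case-insensitively against installed program names (assumption).
P2P_CLIENT_KEYWORDS = ("limewire", "frostwire", "utorrent", "bittorrent", "transmission", "deluge")

# Assumed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2016-05-02T09:14:03Z ALLOW TCP 10.1.4.22:51234 -> 93.184.216.34:443",
    "2016-05-02T09:14:05Z ALLOW TCP 10.1.4.22:49155 -> 198.51.100.17:6346",
    "2016-05-02T09:14:06Z ALLOW TCP 10.1.4.22:49156 -> 203.0.113.9:6346",
    "2016-05-02T09:14:09Z ALLOW TCP 198.51.100.44:33011 -> 10.1.4.22:6346",
    "2016-05-02T09:15:01Z DENY  TCP 10.1.4.31:50001 -> 203.0.113.77:6881",
    "2016-05-02T09:15:30Z ALLOW UDP 10.1.4.40:5353 -> 224.0.0.251:5353",
    "garbage line that does not match the format",
]

# Constructed software inventory: hostname -> installed program names.
SAMPLE_INVENTORY = {
    "LAB-BILLING-07": ["Microsoft Office 2007", "LimeWire 4.18", "Adobe Reader 9"],
    "LAB-FRONT-02": ["Microsoft Office 2007", "Adobe Reader 9"],
}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _new_entry():
    return {"protocols": set(), "outbound_peers": set(), "inbound_allowed": 0, "blocked_attempts": 0}


def analyze_firewall_log(lines, internal=ip_network("10.0.0.0/8")):
    """Map each internal host with P2P indicators to a summary of what was seen.

    Outbound connections to a P2P port (allowed or denied) indicate a client is present;
    an allowed inbound connection to a P2P port indicates the host is serving files.
    """
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        src, dst, dport = ip_address(rec["src"]), ip_address(rec["dst"]), int(rec["dport"])
        if dport not in P2P_PORTS:
            continue
        if src in internal:
            entry = report.setdefault(str(src), _new_entry())
            entry["protocols"].add(P2P_PORTS[dport])
            entry["outbound_peers"].add(str(dst))
            if rec["action"] == "DENY":
                entry["blocked_attempts"] += 1
        elif dst in internal and rec["action"] == "ALLOW":
            entry = report.setdefault(str(dst), _new_entry())
            entry["protocols"].add(P2P_PORTS[dport])
            entry["inbound_allowed"] += 1
    return report


def p2p_software(inventory):
    """Return hosts whose installed-program list contains a known P2P client name."""
    hits = {}
    for host, programs in inventory.items():
        matched = sorted(p for p in programs if any(k in p.lower() for k in P2P_CLIENT_KEYWORDS))
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    for host, entry in analyze_firewall_log(SAMPLE_LOG).items():
        print(host, {k: (sorted(v) if isinstance(v, set) else v) for k, v in entry.items()})
    print(p2p_software(SAMPLE_INVENTORY))
```

A host that shows up with both outbound peers and allowed inbound connections on a P2P port (10.1.4.22 in the constructed data) is the case the Order describes: a client that is not merely downloading but also serving whatever folder it was pointed at. In practice the port list would be supplemented with application-layer identification, since P2P clients can be moved off their default ports, and the inventory check would be fed from an endpoint management tool rather than a hand-built dictionary.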
Finally, companies should monitor how courts treat the FTC's interpretation of Section 5 of the FTC Act. There is the possibility that courts may view this Order as persuasive authority for civil litigation, if not affording the FTC outright deference. This is particularly likely in light of the limited amount of authority—from courts or regulatory agencies—explaining whether particular information security practices (like permitting the use of P2P software) are "reasonable" under the FTC Act.