FTC Rules LabMD's Data Security Practices Violated the FTC Act | Practical Law

The Federal Trade Commission (FTC) has issued a final opinion in In re LabMD, Inc., finding that LabMD, Inc.'s data practices were in violation of Section 5 of the FTC Act and constituted an unfair act or practice (15 U.S.C. § 45). The FTC also entered an order requiring LabMD to establish a comprehensive information security program to protect the personal information it retains.

Practical Law Legal Update w-002-9075 (Approx. 5 pages)

by Practical Law Intellectual Property & Technology
Published on 29 Jul 2016 | USA (National/Federal)
On July 29, 2016, the Federal Trade Commission (FTC or Commission) issued a final opinion in In re LabMD, Inc., reversing the Administrative Law Judge's (ALJ) dismissal of its complaint against LabMD, Inc. (F.T.C. July 28, 2016).
The FTC initially identified two security incidents that allegedly showed LabMD's failure to reasonably secure personal information:
  • A LabMD insurance report, containing personal information like names, birthdates, health information, and Social Security numbers (SSNs) of 9,300 patients, was made available on an internet peer-to-peer file-sharing network.
  • Patient day sheet documents and copied checks including personal information like names and SSNs were found in the possession of individuals who pled no contest to identity theft, and some of those SSNs were used by people with different names, further pointing to identity theft.
Previously, the ALJ dismissed the complaint, finding that the FTC failed to prove that LabMD’s security practices caused or were likely to cause substantial consumer injury. For more information on the ALJ's initial decision, see Legal Update, ALJ Dismisses FTC Complaint Against LabMD.
On appeal, the Commission reviewed the ALJ's findings of fact and conclusions of law de novo and concluded the ALJ applied the wrong legal standard for unfairness.
Section 5 of the FTC Act authorizes the FTC to challenge unfair or deceptive acts or practices, and the Commission is guided by the three-part test in Section 5(n):
  • Whether the act causes or is likely to cause substantial injury to consumers.
  • Whether the injury is reasonably avoidable by consumers.
  • Whether the injury is outweighed by countervailing benefits to consumers or competition.
The Commission determined that the ALJ erroneously construed the language "likely to cause" in the first prong to mean "having a high probability of occurring or being true." The Commission clarified that it will look to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur. Accordingly, a practice can be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.

LabMD's Data Security Practices Were Unreasonable and Caused Consumer Harm

Having clarified its framework for evaluating the three-part test, the Commission considered whether LabMD's data security practices:
  • Failed to provide reasonable and appropriate security for the sensitive personal information it held on its network.
  • Caused or were likely to cause substantial injury that consumers could not have reasonably avoided and that was not outweighed by benefits to consumers or competition.
The FTC determined that although LabMD employed two IT professionals, it failed to implement minimum reasonable data security practices, including:
  • An intrusion detection system.
  • File integrity monitoring.
  • Firewall traffic monitoring.
Although LabMD employed anti-virus programs, firewall logs, and manual computer inspections, which helped to mitigate risk, it did not consistently update virus definitions, and its manual computer inspections were not used to detect security risks. LabMD's firewalls were also improperly configured, and no one reviewed firewall logs or network activity logs except in connection with troubleshooting.
The Commission also determined that LabMD failed to:
  • Provide data security training to its employees, including its IT personnel.
  • Restrict and monitor employees' computer practices.
  • Restrict or prevent employees from accessing personal information or applications not needed to perform their jobs.
LabMD's policy manual included a software monitoring policy stating that users' computers would be reviewed for appropriate applications. If followed, this policy would have revealed the peer-to-peer file sharing software that exposed the personal information.
The Commission concluded that LabMD's lax data security practices satisfied the first prong of the Section 5(n) analysis. The Commission reasoned that disclosure of sensitive health or medical information can cause additional harms that are neither economic nor physical, but are still cognizable under Section 5(n), and may be considered a substantial injury.
Likewise, the Commission ruled that the ALJ had placed undue weight on the word "likely" in the phrase "likely to cause harm." The ALJ based his ruling, in part, on the fact that the complaint had not identified any consumers who had suffered harm from LabMD's data security practices. The Commission, however, clarified that the likelihood of harm analysis must be judged at the time the practice occurred, not on the basis of any future outcomes. The FTC further noted that it need not wait for consumers to suffer known harm before taking action because identity theft victims:
  • May suffer unique consumer harms, including fraudulent health insurance bills and substantial out-of-pocket expenses.
  • Often have difficulty pinpointing the company that was the source of the information that was used to harm them.
The Commission also found that LabMD's practices satisfied the second and third prongs of Section 5(n) because:
  • Consumers had no ability to avoid the harms. Many consumers had no knowledge of LabMD's data security practices, and may not have even known their personal information would be sent to LabMD by their healthcare professionals.
  • Despite LabMD's assertion that consumers were able to mitigate any injury after the fact, the relevant inquiry is whether consumers can avoid harm before it occurs. Even if consumers could mitigate their risks, LabMD never notified consumers that their personal information had been exposed.
  • Whatever savings LabMD may have reaped by its conduct do not outweigh the substantial injury to consumers caused by its poor security practices. There were a number of well-known low-cost solutions LabMD could have adopted to cure the deficiencies in its practices.

LabMD Ordered to Implement Comprehensive Information Security Program

While LabMD stopped conducting lab tests in early 2014, it still retains personal information. The FTC thus entered an order requiring LabMD to:
  • Establish and maintain a comprehensive written information security program appropriate to:
    • LabMD’s size and complexity;
    • the nature and scope of its activities; and
    • the sensitive personal information it continues to retain.
  • Obtain initial and then biennial independent, third-party assessments of its program.
  • Notify affected individuals whose personal information was or could have been exposed on the peer-to-peer file sharing service and their health insurance companies.
The FTC continues to elaborate on what it considers reasonable data security practices in its decisions. Companies should weigh the sensitivity of the personal information they hold and their current information security program and practices against the FTC's statements regarding specific data security controls.
CASE UPDATE: On November 10, 2016, the US Court of Appeals for the Eleventh Circuit stayed enforcement of the FTC's final order pending LabMD's appeal. In granting the stay request, the Eleventh Circuit questioned both the FTC's statutory interpretation of unfairness under the FTC Act and the reasonableness of concluding that LabMD's actions were likely to have caused substantial consumer injury. (LabMD, Inc. v. Federal Trade Commission, No. 16-16270 (11th Cir. Nov. 10, 2016)).