FTC Reverses Administrative Law Judge Ruling in Finding LabMD Liable for Unfair Data Security Practices
On July 29, 2016, the Federal Trade Commission (FTC) reasserted its authority to enforce data security standards and overruled the decision of the Administrative Law Judge (ALJ) in dismissing the FTC's case against the clinical laboratory and medical testing company, LabMD, Inc. In so doing, the FTC concluded that "the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n) [of the Federal Trade Commission Act]."
This case originated in 2013 with the FTC alleging LabMD failed to implement reasonable security measures to protect the large volume of sensitive consumer information, including medical information, on its computer network. Among the lax data security practices cited were the company's failure to monitor for unwanted intrusions into the network; failure to monitor traffic coming across its firewalls; failure to provide data security training to its employees; failure to implement policies requiring strong passwords; failure to update software to protect against known vulnerabilities; and failure to adequately limit or monitor employees' access to patients' sensitive information or restrict employee downloads to safeguard the network.
In considering whether LabMD's security measures were "unfair" under Section 5 of the FTC Act, the FTC noted that the lax security practices of the company led to the unauthorized sharing of sensitive information of approximately 9,300 consumers online. This, in and of itself, was sufficient to satisfy the "substantial injury" requirement in Section 5 of the FTC Act. In reaching this conclusion, the FTC reviewed longstanding authority from other FTC enforcement actions and federal and state case law recognizing the inherent harm in the disclosure of sensitive health and medical information. Ultimately, the FTC concluded that the disclosure of health or medical information causes harms that are neither economic nor physical in nature, but are nonetheless real and "substantial."
In short, it is the level or risk of harm that matters. Indeed, the FTC stated that a practice may be "unfair" under Section 5(c) "if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low." Thus, a small amount of harm to many people or a large amount of harm to a few individuals can establish "substantial injury" under Section 5.
Ultimately, the FTC concluded that LabMD failed to implement reasonable security measures to protect sensitive consumer information and therefore its data security practices were "unfair" under Section 5 of the FTC Act. LabMD was ordered to notify affected consumers, establish a comprehensive information security program, and obtain independent assessments regarding its implementation of the program.
What are the lessons to be learned by companies in light of the FTC's ruling regarding the managing and storing of data? Here they are:
- Conduct a risk assessment to identify potential vulnerabilities to the sensitive information held by your company. Note that merely having antivirus programs, firewall logs and manual computer inspections may not be enough if they identify only a limited scope of vulnerabilities and are not used very often. Also, don't forget to run updates to software to receive new virus definitions.
- Regularly monitor your network for unauthorized intrusions or exfiltration, not just in response to user complaints about speed or connectivity problems.
- Have a training program for all employees, including managers, regarding privacy and security. Train not only new employees, but implement regular training for all employees on an ongoing basis.
- Limit employee access to sensitive data on a "need to know" basis.
- Consider whether the sensitive information maintained by your company is needed to conduct your business. If it is not, consider purging those records from your files.
- Restrict or monitor what employees download to their workstations. Administrative rights over computers should be limited such that security settings cannot be changed and downloads over the internet are restricted.
Need help updating or creating a privacy program? Selman's team of attorneys can guide you down the right path.
UPDATE (11/29/16): On November 10, 2016, the 11th Circuit Court of Appeals issued a ruling that dealt a blow to the FTC's interpretation of the "unfairness" prong of the Federal Trade Commission Act. In the ruling, the court held that mere emotional harm and acts causing only a low likelihood of consumer harm — even when the exposed data is highly sensitive — may not meet the unfairness definition. The result is that LabMD received a stay against the FTC’s order and the court further added to the confusion as to when the FTC can pursue companies with inadequate security.
For a practice to be considered "unfair" under Section 5 of the FTC Act, the injury caused must be (1) substantial; (2) without offsetting benefits; and (3) one that consumers cannot reasonably avoid.