On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ). The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act. It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”
This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network. Two alleged security incidents form the basis of the Complaint. In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD. In the second incident, dozens of day sheets and a small number of copied checks containing personal information, such as names and social security numbers, were found in the possession of individuals who subsequently pleaded no contest to identity theft charges.
The ALJ’s 2015 Initial Decision dismissed the Complaint for lack of evidence. The ALJ found that the FTC could not prove the documents in the second incident came from LabMD’s computer network or that this exposure had caused, or was likely to cause, any consumer harm. (For additional discussion of the ALJ’s Initial Decision, please see our November 24, 2015 blog post entitled “Administrative Law Judge Dismisses FTC Complaint Against LabMD.”) The FTC agreed with the ALJ about the second incident and instead focused on the first incident and whether it involved an unfair act or practice.
The FTC vacated the ALJ’s Initial Decision after explaining that the ALJ applied the incorrect legal standard for unfairness. Federal law states that the FTC “shall have no authority … to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). The ALJ focused on only the first of the unfairness standard’s three elements, dismissing the Complaint because it was not proven that LabMD’s computer data security practices “caused” or were “likely to cause” “substantial consumer injury.” The ALJ defined the phrase “likely to cause” to mean “having a high probability of occurring or being true” and rejected an argument that identity and medical identity theft-related harms were “likely” for consumers whose personal information was maintained on LabMD’s computer network.
The ALJ concluded that “[a]t best, Complaint Counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm.” The Initial Decision also firmly rejected the FTC’s speculative argument that consumers whose personal information was maintained on LabMD’s computer networks were at risk for a future data breach and possible identity theft. The Initial Decision eloquently stated: “Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury … requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”
The FTC rejected the ALJ’s unfairness standard analysis and expanded the FTC’s authority. In this case, the FTC focused on consumer injury and reiterated that “substantial injury may be demonstrated by a showing of a small amount of harm to a large number of people, as well as a large amount of harm to a small number of people.” The possibility of future harm was also evaluated. Ultimately, the FTC articulated the unfairness standard as “whether LabMD’s data security practices, taken together, failed to provide reasonable and appropriate security for the sensitive personal information on its computer network, and whether that failure caused or was likely to cause substantial injury that consumers could not have reasonably avoided and that was not outweighed by benefits to consumers or competition.”
The Opinion and Final Order highlight LabMD’s data security failings, and businesses should take cues from them. The FTC concluded that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” Among other things, the FTC criticized LabMD for numerous security failures:
- not using a system to detect unauthorized intrusions or exfiltration;
- not monitoring file integrity (which might have revealed the P2P software);
- not employing penetration testing;
- neglecting to monitor traffic coming across its firewalls for items like social security numbers;
- providing essentially no data security training to its employees, which resulted in employees using easy-to-crack passwords, such as “labmd”, and downloading P2P software;
- not limiting employee access to sensitive protected health information on a need-to-know basis;
- not restricting or monitoring what employees downloaded onto their work computers;
- never deleting any of the consumer data it had collected; and
- not consistently updating virus definitions or running and reviewing scans.
The FTC concluded that these failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of over 9,000 consumers on a P2P network accessible by millions of users for almost a year (even though there was no evidence the information was actually accessed).
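As an added illustration of the firewall-monitoring control the FTC faulted LabMD for lacking (example code written for this post, not from the FTC record or from LabMD), the following scans constructed egress-log lines for SSN-shaped values and keeps only those that satisfy the structural rules the Social Security Administration publishes for issued numbers. The log format and field names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed egress-log lines in an assumed key=value format; not real traffic.
SAMPLE_LOG = """\
2016-07-29T10:01:02Z src=10.0.0.12 dst=203.0.113.7 dport=443 body="order 12-345 shipped"
2016-07-29T10:01:05Z src=10.0.0.12 dst=203.0.113.9 dport=6346 body="aging: Jane Roe 123-45-6789 bal 120.00"
2016-07-29T10:01:09Z src=10.0.0.15 dst=198.51.100.4 dport=25 body="ref 000-12-3456 test record"
2016-07-29T10:01:11Z src=10.0.0.15 dst=198.51.100.4 dport=25 body="ref 666-12-3456 test record"
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000. Passing them is not proof of
    a real number, but it removes obvious test values and reduces noise."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    ssns: list  # SSN-shaped values found in the payload


def parse_line(line: str) -> tuple[str, dict]:
    """Split a log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return ts, fields


def scan_egress(log_text: str) -> list[Finding]:
    """Return one Finding per line whose payload carries a plausible SSN."""
    findings = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        hits = [m.group(0) for m in SSN_RE.finditer(f.get("body", ""))
                if is_plausible_ssn(*m.groups())]
        if hits:
            findings.append(Finding(ts, f["src"], f["dst"], int(f["dport"]), hits))
    return findings


if __name__ == "__main__":
    for finding in scan_egress(SAMPLE_LOG):
        print(finding)
```

On the constructed input only the line bound for port 6346 is reported; the two lines carrying structurally impossible numbers are dropped as noise.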
To prevent such security failures, the FTC touts meeting benchmarks, such as the Health Insurance Portability and Accountability Act (HIPAA) and the National Institute of Standards and Technology (NIST) guidelines. The FTC characterizes the HIPAA and NIST guidelines as “widely known and accepted standards governing minimum reasonable data security practices.” The FTC advises in the Opinion that “[w]hile the requirements imposed by HIPAA do not govern whether LabMD met its obligations under Section 5 of the FTC Act, they do provide a useful benchmark for reasonable behavior.”
HIPAA Covered Entities run the risk of being found liable under both HIPAA and the FTC Act if they do not meet HIPAA standards. In a previous Order in this case, the FTC asserted its opinion that everyone regulated by HIPAA can be regulated by the FTC as well. For additional information on the FTC’s Order discussing jurisdiction, please see our February 20, 2015 blog post entitled “After LabMD: FTC, What Do We Comply With?”
Similarly, the FTC cited the NIST guidelines as a framework for risk management for information technology systems. We recommend that HIPAA Covered Entities and other companies that maintain private data employ HIPAA, NIST and other reasonable security measures and consider the potential consumer harm that could result from a breach.
Please note that LabMD has 60 days in which to appeal the Opinion and Final Order to federal court. It is unknown whether LabMD has the resources to continue battling the FTC by pursuing an appeal since LabMD ceased operations in 2014, citing the financial burden of the FTC regulation and this case as the primary reasons.