On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network. The FTC’s conclusion is significant because companies may face enforcement action for inadequate data security in connection with incidents in which there is no evidence that consumer information was accessed by unauthorized persons who likely intended to misuse the information.

Background

As we previously reported, the FTC first began investigating LabMD’s data security practices in 2010, when Tiversa Holding Company, a cybersecurity consulting firm, informed the FTC that sensitive personal information held by LabMD may have been publicly disclosed on a peer-to-peer (“P2P”) file-sharing network. On Aug. 28, 2013, the FTC brought the administrative action against LabMD under Section 5 of the FTC Act, alleging, in part, that LabMD failed to provide reasonable and appropriate data security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury, including identity theft, medical identity theft, and the disclosure of sensitive, private medical information. Section 5(n) of the FTC Act prohibits unfair acts or practices if: (1) the act or practice causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or to competition.

On Nov. 13, 2015, the ALJ concluded that the FTC failed to prove the substantial injury prong of the three-part test, holding that “[t]o impose liability for unfair conduct … , where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.” Counsel for the FTC appealed to the full Commission.

The FTC’s Opinion

The Commission, reviewing the facts de novo, unanimously reversed the ALJ’s decision, noting that the ALJ applied the wrong legal standard for unfairness by looking at whether the practices were “likely to cause substantial injury.” The Commission found that although emotional impact and other more subjective types of harm “will not ordinarily make a practice unfair,” “in extreme cases, subjective types of harm might well be considered as the basis for a finding of unfairness.” Importantly, the Commission stated that Section 5 does not “foreclose[] the possibility that an intangible but very real harm like a privacy harm resulting from the disclosure of sensitive health or medical information may constitute a substantial injury.” The Commission also reiterated its position on data security reasonableness:

The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. … [T]he Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.

Given that approach to consumer injury and data security reasonableness, the Commission found that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” More specifically, “it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” The Commission then concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).”

The Commission also held that, independent of its conclusion that the unauthorized disclosure of medical information caused substantial injury, the unauthorized exposure of sensitive information for more than 11 months on the P2P network was also “likely to cause substantial injury.” In doing so, the Commission rejected the ALJ’s test, which required a showing of “the probability or likelihood that [a company]’s alleged unreasonable data security will result in a data breach and identity theft injury” in order to satisfy the “likely to cause substantial injury” standard. According to the Commission, Congress intended to incorporate the concept of risk so that merely showing a “significant risk” of injury satisfies the “likely to cause” standard. The Commission held that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” In LabMD’s case, there was a “high likelihood of harm” because the personal information at issue was exposed to millions of online P2P users, and the type of sensitive information involved would be attractive to identity thieves. Additionally, the Commission noted that the “severity and magnitude of potential harm was high,” which was manifested by the various types of consumer harms caused by medical identity theft, such as reimbursement to health care providers for services received by the identity thief, costs of identity protection, credit counseling and legal counsel, payment for medical services and prescriptions because of a lapse in health care coverage, and the potential for misdiagnosis or mistreatment of illness.

LabMD has filed a Petition for Reconsideration with the Commission, and the Commission’s decision can be appealed to the D.C. Circuit.

Takeaways

There are several takeaways from the LabMD Opinion. First, the mere public exposure of sensitive health or medical information can constitute a substantial consumer injury to support an “unfairness” violation under Section 5 even in the absence of evidence that the consumer information was, in fact, misused or even accessed by an unauthorized person who is likely to misuse the information (such as financially motivated attackers or state-sponsored threat actors). As such, the decision likely portends more FTC enforcement actions brought even where it lacks evidence of actual or imminent consumer harm. However, because the FTC’s rationale supporting its finding of “substantial injury” was principally based upon the highly sensitive nature of medical data, it remains to be seen whether inadequate protection of other consumer information, such as financial account information and Social Security numbers, will also support a finding of “substantial injury” without evidence of misuse.

Second, the FTC’s Opinion provides important insight into what the FTC considers “basic” and “reasonable” data security practices. Taking into consideration the type of sensitive information maintained and the size and complexity of the organization and its systems, every organization should consider:

  • Conducting risk assessments of its data security practices and penetration tests to check for security vulnerabilities;
  • Implementing intrusion detection systems to monitor the network and systems for malicious activity or policy violations;
  • Ensuring that firewalls are properly configured and that firewall and network-activity logs are regularly reviewed;
  • Installing, updating and scanning systems with antivirus software;
  • Implementing controls to limit user access to only that information for which the user has a legitimate need;
  • Implementing file integrity monitoring systems to detect unauthorized attempts to modify systems, applications and configurations;
  • Implementing strong password requirement policies;
  • Limiting non-administrative users’ ability to download or install their own software and controlling the use of administrative privileges;
  • Regularly providing data security training to its employees; and
  • Establishing clear data collection, retention, and destruction policies and procedures.

Finally, because threat actors are continually developing and launching new tactics, techniques and procedures to circumvent the latest security technologies, the FTC’s view of what constitutes “reasonable security” will continually evolve. Therefore, organizations must continuously assess and improve their data security to keep up with the rapidly evolving threat landscape and the FTC’s expectations of “reasonable security.”