In an opinion authored by Federal Trade Commission Chairwoman Edith Ramirez, the three-member Commission determined that LabMD engaged in unreasonable data security practices in violation of Section 5 of the Federal Trade Commission Act, reversing an initial decision by an administrative law judge (ALJ).
From 2001 until 2014, LabMD operated as a clinical laboratory conducting tests on patient specimen samples and reporting the test results to its physician customers. Over the years, LabMD collected sensitive personal information—including medical information—from over 750,000 patients, including their names, addresses, Social Security numbers, diagnosis codes, and insurance information.
But according to a complaint filed by the FTC in August 2013, LabMD did not have basic data security practices in place for its network, which lacked file integrity monitoring or an intrusion detection system. According to the agency, the company also failed to provide data security training to employees in violation of its own internal compliance program, it neglected to update its software and protect against known vulnerabilities, it utilized a lax password policy, and it provided administrative rights to employees over their computers.
For example, employees had the ability to change security settings and download software applications and files from the Internet, including peer-to-peer file-sharing applications that were unrelated to the business. Using a P2P network, a forensic analyst discovered and downloaded a copy of one of LabMD’s reports that contained 1,718 pages of sensitive personal information for approximately 9,300 consumers.
Even after the analyst informed the company the data had been exposed, LabMD failed to improve its data security efforts, the FTC alleged, or notify the affected patients.
LabMD responded to the complaint with a motion to dismiss, challenging the FTC’s authority to bring the enforcement action. That argument was rejected by the Commission as well as a district court judge and the Eleventh Circuit Court of Appeals in a collateral attempt to enjoin the action in federal court.
After an evidentiary hearing, an ALJ, in dismissing the complaint, determined that the FTC’s counsel had failed to prove that LabMD’s computer data security practices “caused” or were “likely to cause” substantial consumer injury, as required by Section 5.
On appeal, the full Commission concluded that the ALJ applied the incorrect standard for unfairness. The central focus of any inquiry regarding unfairness is consumer injury, as determined on a case-by-case basis.
In the case of LabMD, the file obtained by the analyst contained a host of personal information about patients. In addition, FTC counsel introduced evidence of a range of harms that can and do result from the unauthorized disclosure of the kind of sensitive personal information contained in the file. Applying a test recognized by federal and state courts and by federal law, Chairwoman Ramirez concluded that “the exposure of sensitive medical and personal information via a peer-to-peer file-sharing application was likely to cause substantial injury and that the disclosure of sensitive medical information did cause substantial injury.”
The sensitive personal information contained in the file “was exposed to millions of online P2P users, many of whom could have easily found the file,” the FTC said, and the file was available over an extended period of time. While the ALJ noted that no evidence existed that the patients had been victims of identity theft or suffered any harm, “given the absence of notification by LabMD, a lack of evidence regarding particular consumer injury tells us little about whether LabMD’s security practices caused or were likely to cause substantial consumer injury,” the Commission wrote. “We need not wait for consumers to suffer known harm at the hands of identity thieves.”
The Commission noted that “there were many free or low-cost software tools and hardware devices” and low-cost employee training programs available for LabMD to use, and that the company also “could have purged the personal information of consumers for whom it never performed testing.”
Writing that the FTC was applying the “same basic data security standard it has consistently articulated for nearly fifteen years,” the Commission rejected LabMD’s fair notice and due process objections. “Our complaints, as well as our decisions and orders accepting consent decrees … make clear that the failure to take reasonable data security measures may constitute an unfair practice,” according to the opinion. “Those complaints, decisions, and orders also flesh out the specific types of security lapses that may be deemed unreasonable.”
Having found the company violated the FTC Act, the Commission entered an order “that will ensure LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession,” Chairwoman Ramirez said. The FTC ordered LabMD to notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.
Why it matters: Frequently citing the Third Circuit Court of Appeals’ decision in the FTC v. Wyndham Worldwide Corp. case, the Commission’s opinion reiterated the FTC’s authority to regulate data security practices and made clear that the agency believes the exposure of personal information, even without evidence of compromise or misuse, is likely to cause substantial consumer injury and create liability under Section 5 of the FTC Act. LabMD disagrees and reportedly plans to appeal the opinion, potentially setting the stage for another showdown over the FTC’s power to regulate data security practices.