In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no evidence that any of the exposed information had actually been misused.
The ruling signals that the Commission is prepared to pursue enforcement actions based on what it considers lax data security without a showing that consumers have suffered a tangible injury such as identity theft. Whether viewed with alarm or triumph, there is little question that the decision, at least for now, stands as one of the Commission’s most important pronouncements on data security.
In its Opinion and Final Order written by Chairwoman Edith Ramirez, the Commission found that “an intangible but very real harm like a privacy harm resulting from the unauthorized disclosure of sensitive health or medical information may constitute a substantial injury.” In the 37-page decision, the Commission declared that Congress had entrusted it with protecting consumers against a broad range of harms and that it “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action.
The decision sets up a high-stakes legal battle in federal court that is expected to test the agency’s authority in data security as well as the reach of Section 5 of the FTC Act – the Commission’s primary enforcement tool. LabMD Chief Executive Officer Michael J. Daugherty has vowed to appeal the Commission’s ruling.
The LabMD case began in 2010 when the Commission commenced an investigation into the company’s data security safeguards. The case principally focuses on an internal report that contained the names, dates of birth, social security numbers and other information about roughly 10,000 patients. A cybersecurity firm, Tiversa, Inc., apparently “discovered” this document on a peer-to-peer file sharing program that had been installed on one computer in the accounting department at LabMD, where the software had made the report available to other users of the network. After LabMD declined Tiversa’s offer to provide data security services, Tiversa reported the file to the FTC.
After several years of contentious back-and-forth, the FTC in 2013 filed an Administrative Complaint alleging that LabMD had failed to adequately protect patient medical data, and demanded that the company institute a comprehensive data security program and submit to third-party security audits for the next 20 years. LabMD pushed back and refused to settle.
A three-year battle ensued, including a full administrative trial on the merits. In a 91-page Initial Decision – issued after wading through more than 1,000 exhibits, 39 witnesses, and 2,000 pages of trial and post-trial briefing – Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD. He concluded that the FTC failed to show any proof whatsoever of actual consumer injury and flatly rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act. “To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”
The Commission, however, determined that the ALJ applied the “wrong” legal standard for an unfair act or practice within the meaning of Section 5 and vacated his ruling. “[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’ a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” In other words, the Commission applied a risk-weighted test in which a low-probability but high-impact exposure can still satisfy the “likely to cause substantial injury” element. Further, the Commission held that LabMD’s security practices were unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system…These failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.”
LabMD has 60 days in which to file its appeal.