As reported on the Privacy & Information Security Law blog, on July 29, 2016, the FTC announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

The case stems from allegations that LabMD, a now-defunct clinical laboratory for physicians, failed to protect the sensitive personal information (including medical information) of consumers, resulting in two specific security incidents. One such incident occurred when a third party informed LabMD that an insurance-related report, which contained personal information of approximately 9,300 LabMD clients (including names, dates of birth and Social Security numbers), was available on a peer-to-peer (“P2P”) file-sharing network.

In its ruling, the FTC stated that the administrative law judge used the wrong legal standard for the unfairness prong, and stated that LabMD’s security practices were unreasonable, among other failings, because the company “failed to use an intrusion detection system or file integrity monitoring, neglected to monitor traffic coming across its firewalls, provided essentially no data security training to its employees, and never deleted any of the consumer data it had collected.”

The order requires LabMD to establish a comprehensive information security program, obtain periodic third-party assessments of its security program and notify consumers whose personal information was exposed on the P2P network. LabMD has 60 days to appeal.