In a move that surprised no one, the Federal Trade Commission (FTC) reversed the decision of its own Administrative Law Judge (ALJ) and held that LabMD’s “data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act.” There are two noteworthy aspects to the opinion. First, if the magnitude of the harm is great enough, the risk of its occurrence can be low and still satisfy the “substantial injury” requirement. Second, believe it or not, the word “likely” does not mean “probably.”
The facts have been widely reported and I’ll summarize for context. Certain LabMD insurance reports, which included the sensitive health information of about 9,300 LabMD patients, became publicly available on Limewire – a peer-to-peer file sharing service, akin to a latter-day Napster. The program was apparently downloaded by the billing manager so she could share music. Unfortunately, she gave the sharing service access to her “My Documents” folder, which uploaded the insurance reports. Other than one cyber security expert trolling for business, there was no evidence that anyone had accessed the file. FTC staff alleged that LabMD’s failure to adequately secure its data constituted an unfair practice because it did not (i) use readily available measures to protect its customers’ data, (ii) use adequate measures to compartmentalize sensitive data from its employees, (iii) adequately train its employees, (iv) properly authenticate users remotely logging into its networks, (v) integrate system updates and (vi) use proper intrusion detection methods.
As we reported previously, the ALJ found that LabMD did not violate Section 5’s “unfairness” standard. Focusing on the first of the unfairness standard’s three elements, the ALJ held that there was no proof that LabMD’s computer data security practices “caused” or were “likely to cause substantial consumer injury,” as required by Section 5(n) of the FTC Act. Specifically, the ALJ held that the lack of data security measures did not actually cause any injury because “privacy harms, allegedly arising from an unauthorized exposure of sensitive medical information . . . unaccompanied by any tangible injury such as monetary harm or health and safety risks, [do] not constitute ‘substantial injury’ within the meaning of Section 5(n).” As to whether LabMD’s conduct was likely to cause such injury, the ALJ focused on the word “likely,” which he held required proof that it is probable that the harm will occur. Because none of the patients whose information was disclosed had complained of suffering any tangible harm, and because the breaches occurred years ago, the ALJ concluded that any such future harm was speculative and unlikely to materialize.
The FTC ruled that the ALJ applied the wrong legal standard for unfairness. It further held that LabMD’s data security practices were unreasonable, an issue the ALJ never had to reach.
First, the FTC vehemently disagreed with the ALJ’s conclusion regarding the insubstantial nature of a privacy harm. As the FTC stated, “the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).” In support of this conclusion, the decision referenced statutes such as HIPAA and HITECH, which “establish the importance of maintaining the privacy of medical information in particular.” Citing the Restatement of Torts, the FTC noted that when “intimate details of [one’s] life are spread before the public gaze in a manner highly offensive to the ordinary reasonable man, there is an actionable invasion of his privacy, unless the matter is one of legitimate public interest.”
The FTC also held that LabMD’s lax security posture was likely to cause substantial injury. The FTC said that focusing on whether harm actually occurred “comes perilously close to reading the term “likely” out of the statute. When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes.” The FTC further chastised the ALJ for focusing on a dictionary definition of the word: “He relied principally on the Merriam Webster dictionary’s statement that “the word ‘likely’ is ‘used to indicate the chance that something will happen,’ and is primarily defined as ‘having a high probability of occurring or being true.’” The FTC supported its refusal to go the dictionary route by citing other dictionaries’ definitions that did not equate likelihood with “high probability.”
In stating its position on what “likely to cause substantial injury” meant, the FTC ruled that it must take into account not just the likelihood that the harm will occur, but also the magnitude of the harm. Thus, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The FTC found support for its holding in the 3rd Circuit’s Wyndham decision (if you want to hear a podcast about the decision, click here), as the 3rd Circuit “explained that defendants may be liable for practices that are likely to cause substantial injury if the harm was ‘foreseeable’” and “focus[ed] on both the “probability and expected size” of consumer harm.” Given that as a standard, the FTC considered it irrelevant that no consumer had complained.
Finally, though the ALJ never reached this issue, the FTC found that LabMD’s data security measures lacked “even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
Accordingly, the FTC ordered that LabMD “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”
On a fundamental level, it is clear that companies should do the opposite of what the FTC accused LabMD of doing. Thus, reasonable data security measures should include:
- an intrusion detection system and/or file integrity monitoring
- monitoring traffic coming across the firewalls
- providing effective data security training to employees
- deleting consumer data that is no longer needed
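As an added illustration of the first item on that list (file integrity monitoring), not code from the original post or from LabMD or the FTC, the following Python script hashes every file under a watched directory, stores that baseline, and on a later run reports which files were added, removed or changed. The directory layout, file names and contents in `demo()` are constructed sample data, not real records.

```python
"""Minimal file integrity monitor (FIM): hash a directory tree once to form a
baseline, then compare a fresh scan against it to flag additions, deletions and
modifications. Added example; hypothetical paths and sample files only."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # Store the baseline OUTSIDE the watched tree, ideally on read-only or
    # separately controlled storage, so tampering with files cannot also
    # silently rewrite the reference hashes.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, re-scan, report."""
    with tempfile.TemporaryDirectory() as tmp:
        watched = Path(tmp) / "watched"          # hypothetical monitored folder
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the tree
        (watched / "billing").mkdir(parents=True)
        (watched / "billing" / "insurance_report.txt").write_text(
            "constructed sample record, not real patient data\n")
        (watched / "config.ini").write_text("[server]\nport=8080\n")

        save_baseline(build_baseline(watched), baseline_file)

        # Simulated drift since the baseline: one edit, one new file, one deletion.
        (watched / "config.ini").write_text("[server]\nport=9090\n")
        (watched / "billing" / "new_export.csv").write_text("id,amount\n1,10\n")
        (watched / "billing" / "insurance_report.txt").unlink()

        return compare(load_baseline(baseline_file), build_baseline(watched))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the scan would run on a schedule against the directories that hold regulated data and the report would feed an alerting pipeline; the point of the example is that a modest script already answers the question the FTC faulted LabMD for being unable to answer, namely whether a sensitive file appeared, changed or disappeared since the last known-good state.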
On a more esoteric note, the decision clearly illustrates the FTC’s aggressive enforcement position when it comes to data security and most likely (no pun intended) runs counter to federal court decisions in consumer data breach actions. As we have discussed in the past (here, here, here and here), courts have been struggling with whether consumers have standing to sue after a data breach, especially when nothing untoward has happened to them yet. Pure privacy harm has not yet justified standing. The FTC decision stands in stark contrast. Granted, the standing requirements are different and the FTC need not show Article III standing to enforce Section 5, but it is the philosophical difference between how the judiciary and the FTC approach the concept of harm that is striking. And given that a violation of Section 5 can be found even if the risk of harm is low, so long as the magnitude of harm is great, companies handling sensitive data – such as those in the healthcare field – should be particularly keen to monitor the adequacy of their data security measures.
We shall see if LabMD appeals the decision. Even if they do not, it is likely that the FTC will have much more to say on the topic of data security in the coming months.