On August 29, 2013, the FTC announced that it had filed a complaint against LabMD, Inc. (“LabMD”) for failing to protect consumers’ personal data. According to the complaint, LabMD, which performs various laboratory tests for consumers, exposed the personal information of more than 9,000 consumers on a peer-to-peer (“P2P”) file-sharing network. Specifically, a LabMD spreadsheet that was found on the P2P network contained names, Social Security numbers, dates of birth, health insurance information and medical treatment codes. In another instance, identity thieves were able to obtain LabMD documents that contained the personal information of more than 500 consumers, including names, Social Security numbers and bank account information.
The FTC’s complaint alleges that LabMD:
- failed to develop a comprehensive information security program;
- neglected to identify common risks and vulnerabilities to the personal information;
- did not use appropriate measures to limit its employees' access to personal information;
- failed to conduct adequate security training for its employees; and
- made insufficient attempts to prevent and detect unauthorized access to personal information.
In the press release accompanying the complaint, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, stressed the FTC’s commitment “to ensuring that firms who collect [personal] data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.” Although the complaint has not been published (LabMD has claimed that it may contain confidential business information), it purportedly orders LabMD to develop and maintain a comprehensive information security program that will be evaluated on a biennial basis by a third-party certified security professional for the next 20 years. The complaint also requires LabMD to notify any consumers whose personal information was exposed to unauthorized individuals.