The Federal Trade Commission recently filed an administrative complaint (the publicly available version of the complaint is redacted) against a medical testing laboratory, LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers’ personal information, and that those failures exposed consumers’ personal information (in some instances including names, Social Security numbers, dates of birth, and healthcare-related information) in two separate security incidents. In the first incident, a LabMD spreadsheet was found on a peer-to-peer (“P2P”) file-sharing network. In the second, the Sacramento Police Department found LabMD documents containing the sensitive personal information of at least 500 consumers in the possession of identity thieves. Although some of the information involved was healthcare related, the case holds lessons for companies that handle personal information in any industry.

Background

In a press release, the FTC said this case is part of an ongoing effort by the Commission to ensure that companies take reasonable and appropriate measures to protect consumers’ personal data. “The unauthorized exposure of consumers’ personal data puts them at risk,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”

The FTC Complaint alleges that LabMD failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer information – including health information – it collected and stored. Among other things, the Complaint alleges that the company:

  • Did not implement or maintain a comprehensive security program to protect the sensitive consumer information;
  • Did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to that information;
  • Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • Did not adequately train employees on basic information security practices; and
  • Did not use readily available measures to prevent and detect unauthorized access to personal information.

Security Risk of Peer-to-Peer Network Software

As noted above, the complaint alleges that a LabMD spreadsheet containing insurance billing information was found on a P2P network. P2P file-sharing software is commonly used to exchange music, videos, and other material with other users of compatible clients. A P2P client shares whatever folders it has been configured to share with every peer on the network, so a user who points the client at a folder (or an entire drive) that also holds business documents inadvertently publishes those documents. For this reason P2P software on a company network is a well-known security risk. Once a file containing personal information has been made available on a P2P network and downloaded by another peer, that peer can continue to share it across the network even after the original source has disconnected, so the exposure cannot be undone simply by removing the file from the originating machine.

Proposed Order Has Onerous Requirements

Like most FTC complaints involving consumer information, the LabMD complaint is accompanied by a proposed order that is intended to prevent future violations of law but also imposes some unpleasant and onerous requirements, including:

  • Implementing a comprehensive written information security program;
  • Having that security program evaluated every two years, for the next twenty years, by an independent, certified security professional; and
  • Providing notice both to consumers whose information the laboratory has reason to believe was, or could have been, accessible to unauthorized persons and to those consumers’ health insurance companies.

FTC Complaint is Founded on its Unfairness Authority

The FTC complaint grounds its jurisdiction in the unfairness prong of Section 5 of the FTC Act, which declares “unfair or deceptive acts or practices in or affecting commerce” unlawful, rather than in the deception prong. Since the FTC adopted its Unfairness Policy Statement in 1980, many of the privacy actions it has brought have rested on its deception authority: the complaint typically alleged that a company represented to the public that it met a certain standard of privacy or security and then failed to live up to that representation, which was treated as a deceptive act. The Unfairness Policy Statement articulates a three-part test for determining whether consumer injury is sufficient to make a practice unfair. The injury

  1. must be substantial;
  2. must not be outweighed by countervailing benefits to consumers or competition that the practice produces; and
  3. must be an injury that consumers themselves could not reasonably have avoided.

The FTC filed this case under its unfairness authority under Section 5 of the FTC Act. The complaint pleads the three elements required by the Unfairness Policy Statement, namely:

  1. “At all relevant times, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.”
  2. “Respondent could have corrected its security failures at relatively low cost using readily available security measures.”
  3. “Consumers have no way of independently knowing about respondent’s security failures and could not reasonably avoid possible harms from such failures, including identity theft, medical identity theft, and other harms, such as disclosure of sensitive, private medical information.”

FTC Complaint Does Not Cover Added HIPAA Obligations and Penalties

Although the FTC complaint does not address potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”), health care providers qualifying as “covered entities” under HIPAA are required to safeguard Protected Health Information (“PHI”) and Electronic PHI in a manner that prevents unauthorized use or disclosure.  Failure to do so may be a violation of HIPAA and is potentially subject to significant civil penalties. 

Since 2009, covered entities that experience a breach of unsecured PHI have been required to report the incident to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), to notify the affected individuals and, depending on the size of the breach, to notify local media. OCR has been particularly active in enforcing against breaches of unsecured PHI caused by inadequate security measures, including failure to encrypt data, failure to wipe equipment such as photocopiers and laptops that store protected information, and failure to use adequate technical safeguards for data that ends up exposed online. Covered entities, and the contractors (business associates) who use or access PHI on a covered entity’s behalf, are required to conduct ongoing security risk assessments to identify and resolve such vulnerabilities.

Takeaways

This case is a reminder that the FTC will take action if it believes a company has failed to provide adequate security measures to protect sensitive personal information.  Other lessons to take away from this case are:

  • Under its consumer protection jurisdiction, the FTC may treat a failure to reasonably protect personal information as an “unfair” practice under Section 5 of the FTC Act, without needing to show that the company misrepresented its security practices.
  • Any company that collects, stores or distributes consumer personal information such as names linked to Social Security numbers, dates of birth, or credit card account numbers is subject to FTC scrutiny, regardless of whether the company is primarily in the consumer goods business. That includes, for example, retailers, certain lenders, and, as in this case, a healthcare provider.
  • The FTC will scrutinize not only whether a company has what constitutes an appropriate security program on paper, but also whether that program is effective in practice.
  • Companies should be aware of the risks posed by P2P file-sharing software and should control whether it can be installed on, or used from, systems that handle personal information.
  • The FTC may examine the existence and depth of employee training on the security of consumer information, as well as the measures in place to detect unauthorized access.
  • The orders typically sought by the FTC in these matters include onerous requirements that oblige companies to take affirmative, and potentially intrusive, actions for years, or even decades.