On August 28, the Federal Trade Commission (FTC) filed an administrative complaint against medical testing laboratory LabMD based on allegations that the company engaged in “unfair acts or practices” by failing to employ “reasonable and appropriate measures to prevent unauthorized access to personal information.” The FTC’s action in this case stems from an incident in which a file containing personal information on approximately 9,300 individuals allegedly was shared on a peer-to-peer (P2P) network from a company computer with P2P file-sharing software installed. The complaint follows other recent FTC actions in which the agency has relied on its Section 5 authority under the FTC Act to claim that companies’ exposure of data to P2P networks constituted an unlawful, unfair data security practice. The FTC’s action against LabMD makes clear that institutions governed by the Health Insurance Portability and Accountability Act (HIPAA) must also be mindful of the FTC’s increasing enforcement activity related to security controls, including actions against healthcare providers.
The FTC’s complaint against LabMD alleges that the company “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” The FTC includes as examples allegations that LabMD did not:
- “develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information”;
- “use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks”;
- “use adequate measures to prevent employees from accessing personal information not needed to perform their jobs”;
- “adequately train employees to safeguard personal information”;
- “require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication”;
- “maintain and update operating systems of computers and other devices on its networks”; or
- “employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks.”
The FTC also alleges that LabMD “could have corrected its security failures at relatively low cost using readily available security measures.”
On September 17, LabMD filed its answer and defenses to the FTC’s complaint. LabMD generally denied all allegations that it did not engage in reasonable and appropriate security practices. Significantly, LabMD also challenged the FTC’s subject-matter jurisdiction and the agency’s “statutory authority to regulate the acts or practices alleged in the Complaint.” The answer also includes the defense that the FTC “has not published any rules, regulations, or other guidelines clarifying and providing any notice, let alone constitutionally adequate notice, of what data-security practices the Commission believes Section 5 of the FTC Act forbids or requires and has not otherwise established any meaningful standards,” in violation of the Fifth Amendment and the Administrative Procedure Act.
LabMD’s arguments echo those raised in FTC v. Wyndham, in which the FTC faces a similar challenge to its foundational authority under Section 5 to bring claims based on data security practices. The Wyndham case is in federal district court, however, whereas the LabMD case will play out before an Administrative Law Judge (ALJ), where the FTC may have a higher likelihood of prevailing. No matter the outcome before the ALJ, either the FTC or LabMD may appeal the ALJ’s decision to the full Commission, and the Commission’s decision would then be appealable to any federal circuit court of appeals in which LabMD carries on business. The reviewing court, however, would owe deference to the Commission’s findings of fact and interpretation of the FTC Act. It is unclear why the FTC filed an administrative complaint against LabMD rather than a district court complaint, as it did against Wyndham, although the FTC website notes that “where a case involves novel legal issues or fact patterns, the Commission has tended to prefer administrative adjudication.” Every other company in Wyndham’s or LabMD’s position has chosen to settle FTC charges based on allegations of unfair security practices rather than contest them, so these cases, if tried to completion, are sure to break new ground.
The case against LabMD also is a reminder to HIPAA covered entities and business associates that the HIPAA Security Rule’s specific requirements are not the only standard by which such companies’ data security programs will be judged. Previous FTC actions against healthcare companies have focused on situations involving improper disposal of patient information (e.g., In re Rite Aid Corp., In re CVS Caremark Corp.). Notably, the FTC’s complaint against LabMD may suggest that the FTC takes a more aggressive view than does HHS of what constitutes reasonable information security, for example by implying that two-factor authentication may be necessary for remote access.