This post was co-authored by Mara Smith, a summer associate with Montgomery McCracken, and Stephen Grossman, a partner and chair of Montgomery McCracken’s Data Privacy Practice Group.
Last Friday, the FTC reversed an administrative law judge’s ruling in the FTC’s data security case against clinical laboratory LabMD, broadening the FTC’s enforcement authority over data security practices under the FTC Act. We addressed Chief Administrative Law Judge D. Michael Chappell’s dismissal of the FTC’s case against LabMD in a November 2015 blog post, but a quick recap is in order.
In 2013 the FTC filed a complaint against LabMD, alleging that the company’s lax data security allowed file-sharing software (LimeWire) to be installed on a LabMD computer, exposing the sensitive medical information of 9,300 consumers on a peer-to-peer network. That exposure led to unauthorized disclosure of the information when, in 2008, Tiversa, an intelligence service company, discovered the LabMD data on the network. After an extensive evidentiary hearing, Judge Chappell found that the FTC failed to prove that the incident caused or was likely to cause any substantial injury to consumers, holding that “[f]undamental fairness dictates that demonstrating actual or likely substantial consumer injury under [FTC Act] Section 5(n) requires proof of more than the hypothetical or theoretical harm than has been submitted by the government in this case.” FTC Complaint Counsel appealed that decision to the full Commission, which, as expected, reversed and ruled against LabMD.
In Friday’s unanimous FTC opinion, Chairwoman Edith Ramirez concluded that Judge Chappell employed the wrong legal standard for determining unfairness. On appeal, the FTC argued that Judge Chappell applied an “unduly stringent substantial injury standard” and “failed to recognize that economic [and] physical harms are not the only cognizable forms of injury.”
Applying the three-part unfairness test set forth in Section 5(n) of the FTC Act (substantial injury to consumers, not reasonably avoidable by consumers themselves, and not outweighed by countervailing benefits), the Commission concluded that LabMD’s security practices were unreasonable because: (1) LabMD failed to protect its computer network or employ adequate risk assessment tools, (2) LabMD failed to provide data security training to its employees, and (3) LabMD failed to adequately restrict and monitor the computer practices of individuals using its network. Although the FTC was unable to produce specific examples of harm resulting from the data breach, the Commission found that “the exposure of sensitive medical information via a peer-to-peer file-sharing application was likely to cause substantial injury and that the disclosure of sensitive medical information did cause substantial injury.” The Commission’s opinion cited breaches of customer privacy, embarrassment, and reputational harm as “substantial injuries” resulting from LabMD’s breach, despite no evidence that any consumer actually suffered such harm. The Commission further rejected LabMD’s contention that consumers were “reasonably capable of mitigating any injury after the fact,” concluding that “there was no way for consumers to avoid the injury that was caused or was likely to be caused,” even though Complaint Counsel offered no specific examples of consumer injury.
The FTC’s ruling expands the FTC’s already broad data security enforcement authority over entities within its purview. This decision follows the Wyndham Worldwide Corp. case, in which the Third Circuit Court of Appeals affirmed the FTC’s authority to regulate cybersecurity under the unfairness prong of Section 5 of the FTC Act.
This fight, however, is not over. LabMD has confirmed that it will appeal the Commission’s decision to the federal court of appeals. That court’s decision has the potential to significantly affect many areas of cyber law. If the appellate court upholds the FTC’s opinion, the FTC would wield significant enforcement authority in data breach cases regardless of whether any consumer harm has actually occurred. Under such a standard, the FTC would need only establish a possibility of harm in order to hold a company liable for a data breach. The mere occurrence of a breach could be enough to satisfy the FTC’s “likelihood of substantial harm” requirement, despite the Commission’s pronouncement that “the mere fact that a breach occurred does not mean that a company has violated the law.”
The LabMD decision may also affect for-profit healthcare entities, because until this FTC ruling, data security in the healthcare sector was primarily handled under the regulatory oversight of HHS’s Office for Civil Rights (“OCR”). OCR’s authority extends to enforcement against breaches involving protected health information, as defined by HIPAA. If upheld, the FTC’s ruling in LabMD – that potential embarrassment or reputational harm is sufficient to meet the substantial harm standard under the FTC Act when sensitive health information is disclosed to unauthorized users – could be applied to any healthcare entity within the FTC’s jurisdiction that suffers a data breach. We question whether the FTC will limit this reasoning to healthcare providers.
While this story continues to unfold, the LabMD case provides some data security lessons, or, hopefully, reminders. Make sure your business’s data security plan includes automated intrusion detection, file integrity monitoring, penetration testing, network traffic monitoring, employee security training, restrictions on file downloads and software installation, and limits on (and monitoring of) employee access to sensitive information. The Commission characterized all of these as basic risk management techniques and safeguards that LabMD failed to employ.
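To make one of those controls concrete: the LabMD incident turned on a configuration change (a file-sharing program appearing and a folder of sensitive records becoming shared) that nobody noticed. The script below is an added illustration written for this post, not LabMD’s, Tiversa’s, or the FTC’s code, of the simplest form of file integrity monitoring: hash every file under a directory into a baseline, re-scan later, and report what was added, modified, or removed. The directory layout, file names, and the simulated change are constructed for the demo and are not taken from the case record.

```python
"""
Minimal file-integrity monitor: snapshot a directory tree as SHA-256 hashes,
re-scan later, and report added / modified / removed files.
Added example for this post; file names and the simulated change are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks; a symlink could point outside the tree.
        if path.is_file() and not path.is_symlink():
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and return sorted lists of added/modified/removed paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate an unauthorized change, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "config").mkdir()
        # Constructed sample data, not real patient records.
        (root / "records" / "report.csv").write_text("patient_id,code\n1001,A01\n")
        (root / "config" / "app.ini").write_text("[app]\nshare=off\n")

        baseline = snapshot(root)

        # Simulated unauthorized change: a setting flips to sharing, and a copy of
        # the sensitive file appears in a newly created shared folder.
        (root / "config" / "app.ini").write_text("[app]\nshare=on\n")
        (root / "Shared").mkdir()
        (root / "Shared" / "report.csv").write_bytes(
            (root / "records" / "report.csv").read_bytes()
        )

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Running the demo reports `Shared/report.csv` as added and `config/app.ini` as modified. Two caveats a practitioner would add before trusting a monitor like this: the baseline must be stored somewhere the monitored host cannot overwrite (signed, or on a separate system), otherwise whoever installs the unwanted software can also "fix" the baseline; and the scan has to run on a schedule with its findings routed to someone who acts on them, which is the part the Commission found missing at LabMD.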