In the latest installment of the fight between the FTC and medical testing laboratory LabMD, the FTC issued an Opinion and Final Order reversing an Administrative Law Judge’s (“ALJ”) prior initial decision dismissing the FTC’s data security charges. The FTC’s opinion determined that the ALJ “applied the wrong legal standard for unfairness” as it related to the substantial injury inquiry under Section 5 of the FTC Act, and that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”
The FTC’s Long Battle with LabMD
The FTC’s case against LabMD began in earnest in August 2013 when the FTC filed an administrative complaint against the company, alleging that LabMD “failed to reasonably protect the security of consumers’ personal data, including medical information.” Specifically, the complaint alleged that, in two separate incidents, “LabMD collectively exposed the personal information of 10,000 consumers.” The first incident, the FTC alleges, came when “LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network.” Similarly, the FTC alleges that the second instance occurred in 2012 when “LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.”
LabMD Fights Back
LabMD subsequently moved to dismiss the FTC’s complaint, which the FTC denied in January 2014. The company also filed two federal suits against the FTC, both seeking an injunction to stay the administrative action on the grounds that the FTC lacked jurisdiction over the case, that the FTC’s action against LabMD was retaliatory, and that it violated Due Process. The Northern District of Georgia dismissed one of LabMD’s federal lawsuits on jurisdictional grounds, while LabMD agreed to voluntarily dismiss the other suit.
LabMD appealed the Georgia federal court’s decision to the Eleventh Circuit Court of Appeals, but to no avail. The Eleventh Circuit upheld the district court’s determination that it lacked jurisdiction to hear LabMD’s case because the FTC’s order denying LabMD’s motion to dismiss was not a final agency action for purposes of the Administrative Procedure Act (“APA”).
ALJ Dismisses FTC’s Case, Citing Lack of Actual Injury to Consumers
While LabMD’s claims were being litigated in federal court, the FTC’s administrative proceeding continued. As part of those proceedings, LabMD moved several times to dismiss the FTC’s case, once in May 2014, once in April 2015, and once in July 2015. Ultimately, ALJ D. Michael Chappell granted LabMD’s request for a dismissal, finding that the FTC had failed to prove that LabMD’s alleged failure to employ reasonable data security practices constituted an unfair business practice. The ALJ based his decision on the conclusion that the FTC had not proven that the allegedly unreasonable conduct caused or was likely to cause substantial injury to consumers.
According to ALJ Chappell:
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) [of the FTC Act] requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.
FTC Appeals ALJ’s Decision to Full Commission
The FTC thereafter appealed the ALJ’s ruling to the entire Commission. In its opening appellate brief, the FTC argued that a “significant risk of concrete harm satisfies the Section 5(n) injury requirement,” and that Section 5 liability, under the circumstances presented by this case, “does not depend on the happenstance of whether a company is breached and whether a victimized consumer can trace an identity-theft incident back to the breached company.”
The FTC also argued three ways in which LabMD’s practices caused or were likely to cause substantial injury, including: “LabMD’s multiple, systemic, and serious data security failures caused a significant risk of concrete harm in the form of identity theft and medical identity theft”; “LabMD’s exposure of consumers’ sensitive personal information of the 1718 File for almost a year on a P2P network increased the already-significant risk of concrete harm that LabMD’s inadequate data security practices created”; and “in addition to the significant risks of concrete harm imposed upon consumers by LabMD’s unlawful data security practices and the exposure of the 1718 File on a P2P network for nearly a year, the unauthorized disclosure of the 1718 File to unauthorized parties also caused harm for consumers, because they experienced the loss of privacy of their sensitive personal and health information.”
In response, LabMD argued that the FTC based its case “on two ‘security incidents’ that were never properly investigated by the FTC.” According to LabMD:
Years have passed since the alleged “security incidents” involving the 1718 File and the Sacramento “Day Sheets.” FTC did not receive one complaint about LabMD data security practices in 2007-2008. No victim has come forward with a complaint attributable to LabMD, the 1718 File, or the Day Sheets. Moreover, there is no evidence that likely substantial harm will occur based on the allegations in the Complaint.
FTC Overturns ALJ’s Decision
Following briefing and oral argument, the FTC issued its Opinion and Final Order, which overturned the ALJ’s decision. The FTC’s opinion, written by FTC Chairwoman Edith Ramirez, concludes:
LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.
Furthermore, the FTC found that LabMD’s “failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.”
Substantial Injury Does Not Mean Tangible Injury
Specifically, as it related to the issue of “substantial injury,” the FTC concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” and that LabMD’s disclosure of a file containing this information for 9,300 consumers caused substantial injury. Or, in other words, the FTC concluded that it may successfully bring a data security claim without proving any actual harm to consumers. “In determining whether a practice is ‘likely to cause a substantial injury,’ we look to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur. Thus, a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low,” the FTC said.
“Section 5 very clearly has a ‘prophylactic purpose’ and authorizes the Commission to take ‘preemptive action.’ We need not wait for consumers to suffer known harm at the hands of identity thieves,” the FTC said.
Additionally, the Commission’s opinion found that LabMD’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online P2P users.
FTC Slams LabMD Data Security Practices
Having determined that LabMD’s conduct caused or was likely to cause substantial injury, the FTC determined that LabMD’s security practices were unreasonable and lacked “even basic precautions” that could protect against this type of injury. Among the more noteworthy deficiencies were the company’s failures to (1) use an intrusion-detection or file-monitoring system; (2) monitor traffic coming across its firewalls; (3) provide data security training to its employees; and (4) periodically delete consumer data that it had collected.
Final Order Requires LabMD to Establish “Comprehensive Information Security Program”
Under the FTC’s final order, LabMD will be required “to establish a comprehensive information security program,” and “obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.”
FTC Has Broad Data Security Authority After LabMD Ruling
LabMD has 60 days to appeal the FTC’s decision to the D.C. Court of Appeals. However, if the FTC’s final order stands, it will undoubtedly solidify the FTC’s broad authority over data security practices. When coupled with the Third Circuit’s decision in the Wyndham Hotels data security matter, the FTC’s decision in the LabMD case puts companies on notice that the FTC intends to tighten its grip over data security practices. Of the 60-plus data security enforcement actions brought by the FTC, only two have not settled: the LabMD matter and the Wyndham Hotels matter. Both cases challenged the FTC’s authority over data security, yet both have ended up expanding that authority.
There are two major takeaways from the FTC’s LabMD opinion. First, the FTC rejected ALJ Chappell’s adoption of the actual harm standard. Under the FTC’s interpretation of the substantial injury prong of Section 5 of the FTC Act, a practice can be unfair if the magnitude of the potential injury is large, even if the likelihood of an injury occurring was low. Furthermore, the Commission found that the FTC Act allowed for “preemptive action,” meaning that no showing of actual harm was necessary.
Second, the FTC’s decision sets forth the alleged failures of LabMD regarding its company data security practices, including that LabMD failed to:
- Protect its computer network or employ adequate risk assessment tools;
- Use an intrusion detection system, file integrity monitoring, or penetration testing;
- Monitor traffic coming across its firewalls;
- Use manual inspections to detect security risks;
- Consistently update anti-virus definitions or run and review anti-virus scans;
- Provide data security training to its employees;
- Adequately restrict and monitor the computer practices of individuals using its network, or adequately limit or monitor employee access to patients’ sensitive information (it also turned off some features in its laboratory software that would have restricted access by users);
- Adequately restrict or monitor what employees downloaded onto their work computers;
- Withhold administrative rights from management and sales employees, who were therefore able to change security settings and download software from the internet, or comply with internal policies that called for internal review of added or removed software; and
- Never deleted any of the consumer data that it collected.
Learning from LabMD
Companies hoping to avoid a data security fight with the FTC should take note of the lapses in data security identified in the LabMD case and should take the necessary steps to make sure their own practices would satisfy the FTC. Additionally, following the FTC’s decision in the LabMD matter, companies that are the victims of a data security breach may have far more to worry about than just the breach itself.