LabMD’s lack of data security measures led the Federal Trade Commission (“FTC”) to overturn a November Administrative Law Judge (“ALJ”) decision that had dismissed the charges against the company. LabMD performed laboratory medical testing for over 750,000 patients from 2001 until it ceased operations in 2014, partly as a result of fighting this case. The FTC brought the action under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” An act or practice may be deemed unfair if it causes or is likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers themselves nor outweighed by countervailing benefits to consumers or competition.
FTC Chairwoman Edith Ramirez wrote in a unanimous opinion that LabMD’s security practices “lack[ed] even the basic precautions to protect the sensitive consumer information maintained on its computer system.” Specifically, LabMD did not use an intrusion detection system, file integrity monitoring, or monitoring of the traffic crossing its firewalls; did not provide adequate data security training to its employees; and never deleted the consumer data it had collected, retaining it indefinitely. Each gap contributed to the incident that followed: with no training and no monitoring of workstations or outbound traffic, an employee was able to install peer-to-peer file-sharing software, which exposed a file containing sensitive data on 9,300 consumers to a peer-to-peer network that was widely accessible to the public, and because old records were never purged, the exposed file included data LabMD had no continuing need to hold. To make matters worse, the data remained freely available for 11 months, and LabMD declined the services of an intelligence services company that brought the problem to LabMD’s attention before notifying the FTC (which raises a whole other set of issues).
The FTC concluded that the unauthorized disclosure of a consumer’s sensitive medical information is itself a “substantial injury,” and that LabMD’s security practices (or lack thereof) were likely to cause substantial injury given both the high likelihood and the magnitude of the potential harm, such as medical identity theft.
To help ensure that LabMD will protect sensitive consumer information in the future, the FTC ordered LabMD to (i) establish a comprehensive information security program; (ii) obtain periodic independent, third-party assessments of the implementation of that program; and (iii) notify the consumers whose personal information was exposed about the unauthorized disclosure and how they can protect themselves from identity theft and related harms. The FTC’s decision can be appealed to a U.S. Court of Appeals, which LabMD CEO Michael Daugherty has already said he plans to do, attacking the FTC’s “dirty system.”
Daugherty was particularly concerned that the FTC handled the case rather than the Department of Health and Human Services’ (“HHS”) Office for Civil Rights, which typically handles healthcare data breaches because they fall under HIPAA. He argues that the FTC’s expansion of its jurisdiction over healthcare facilities will pose major problems because of the lack of notice and of clear standards (including standards that differ from those applied by HHS). Commentators, however, have suggested that overlapping agency jurisdiction is far from uncommon, especially in today’s highly regulated environment, and that the bar for finding a practice “unfair” remains high.
While the facts in this case were particularly damaging to LabMD, it remains unclear what effect this decision will have on companies in the future. To a large extent, the decision is simply a continuation of the FTC’s existing practice in the data security area. Companies that handle sensitive consumer information on an ongoing basis are on notice that the FTC is providing at least a second set of eyes on their practices in an effort to further protect consumers from the ever-present risk of data breaches.