Last month, the Federal Trade Commission issued an opinion and order concluding that a clinical laboratory, LabMD, Inc., committed an unfair act or practice in violation of Section 5 of the FTC Act as a result of its allegedly “unreasonable” data security practices. This FTC matter has been closely watched and may well have a significant impact as an official confirmation—or arguably a broadening—of the law’s scope.
According to the FTC’s opinion, LabMD operated as a clinical laboratory that conducted tests on patient specimen samples and reported the test results to its physician customers. As a result, it had collected sensitive personal information for over 750,000 patients over the course of its operations, including their names, addresses, dates of birth, Social Security numbers, insurance information, diagnosis codes, and physician orders for tests and services. According to the FTC, LabMD allegedly failed to institute “basic security practices” at least from 2005 until 2010. For example, it allegedly lacked the following measures: a “file integrity monitoring or intrusion detection system”; the ability to “adequately monitor traffic coming across its firewalls”; “data security training” for “its information technology personnel or other employees”; “a policy requiring strong passwords”; and software “update[s]” to “protect against known vulnerabilities.” It also allegedly assigned “administrative rights” so broadly that management employees were permitted to download peer-to-peer (P2P) file-sharing applications.
According to the opinion, LabMD later discovered that a billing manager had downloaded a P2P program, LimeWire, that inadvertently shared sensitive patient files. LabMD also found a host of other potential security vulnerabilities through further investigation. According to the FTC, at least one file was clearly disclosed, and it contained information about “tests for HIV, herpes, prostate cancer, and testosterone levels,” among other things.
Assessing this evidence, the FTC concluded that LabMD had violated Section 5(n) of the FTC Act, 15 U.S.C. § 45(n), under which an act or practice affecting commerce can be found “unfair or deceptive” if (1) it “causes or is likely to cause substantial injury to consumers”; (2) the injury “is not reasonably avoidable by consumers themselves”; and (3) the injury is “not outweighed by countervailing benefits to consumers or competition.” Acknowledging that it did not know whether identity theft actually happened, the FTC nevertheless concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).” Moreover, the FTC ruled that “there was a significant risk of substantial injury,” and that this alone was enough to violate Section 5(n).
Notably, the FTC’s decision overruled an earlier order by an Administrative Law Judge. In support of that order, the ALJ found that no “harm” occurred within the terms of the statute because no consumer’s identity was stolen, and that future harm was not “likely” within the statute’s terms because it was not “probable” to occur in the future. Overruling this order, the FTC concluded that “the ALJ applied the wrong legal standard for unfairness”: disclosure alone (not identity theft) was sufficient to constitute an actual “harm,” and a “significant risk of substantial injury” (not a “probable” risk) was sufficient to constitute a “likely” risk of future harm.
Companies that store and process sensitive personal data—particularly medical information—would be well advised to review the FTC’s LabMD opinion and assess whether they satisfy its standard for data security.