On Friday, the heads of the Federal Trade Commission overruled the decision of the Administrative Law Judge (“ALJ”) in In the Matter of LabMD, Inc. The FTC concluded that the ALJ had erred in dismissing the Commission’s case against the lab testing company LabMD and had misapplied the unfairness standard. The key determination by the FTC was that the mere disclosure of sensitive medical information is cognizable harm under Section 5(c) of the FTC Act, 15 U.S.C. § 45(a), irrespective of whether there is further economic or physical harm. What does this mean for privacy enforcement? Read on.
The LabMD History
As we wrote previously, this case originated in 2013. LabMD, a testing laboratory, was alleged to have failed to protect sensitive consumer information. Namely, between 2001 and 2014, LabMD collected and electronically stored sensitive medical information of 750,000 consumers received from physicians, including many consumers for whom it never performed any testing. Despite possessing such a large volume of sensitive data, LabMD failed to implement reasonable security measures, including (1) failing to use an intrusion detection system, (2) lacking file integrity monitoring, (3) not monitoring traffic across its firewalls, (4) providing no data security training of any kind, (5) failing to require strong passwords, (6) not complying with its own policies, (7) never deleting old and unused consumer data, and (8) failing to notify consumers of the disclosure. These deficiencies resulted in a LabMD employee unwittingly exposing the sensitive personal information of approximately 9,300 consumers online for almost a year.
What makes this case somewhat unique is that there was no evidence that the patient information was misused. Additionally, in light of the evidence of actual exposure of the data of 9,300 consumers (i.e., “at least one unauthorized” download by a potential vendor as part of a business pitch), the FTC declined to address Complaint Counsel’s broader argument that the mere risk of exposing the information of all 750,000 consumers was a further violation of the FTC Act.
LabMD’s defenses before the ALJ and, later, the Commission boiled down to three key arguments. First, LabMD claimed that the FTC lacks statutory authority to regulate data security practices (an argument the ALJ rejected, and one LabMD will likely continue to raise on appeal). Second, LabMD argued that it did not have adequate notice under the Act (the FTC disagreed, citing a long body of administrative law and guidelines). Third, LabMD asserted that the FTC failed to prove that its data security practices “caused” or were “likely to cause” substantial consumer harm under Section 5(c).
The ALJ agreed with LabMD’s third argument, holding that the mere online exposure of sensitive medical information, at best, amounted to subjective emotional harm and caused no tangible injury. The ALJ also noted that there was little likelihood of future harm because no one had complained, and there was no evidence that this information was misused.
The FTC’s Reversal
In a well-reasoned and detailed ruling, the Commission reversed the ALJ. In contrast to the ALJ’s decision, which required the probability of injury to be “precisely quantified,” the FTC emphasized that “economic and physical harm are not the only forms of cognizable injury.” What matters is the level of risk of harm. Thus, depending on its magnitude, the mere exposure of personal information can suffice. For example, a practice may be “unfair” under Section 5(c) “if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” A small amount of harm to many people, or a large amount of harm to a few individuals, can therefore establish “substantial” injury under the Act.
The FTC cited such precedents as FTC v. Wyndham Worldwide, Inc., 799 F.3d 236, 243 (3d Cir. 2015) and Am. Fin. Servs. Ass’n v. FTC, 767 F.2d 957, 966 (D.C. Cir. 1985), as well as HIPAA, NIST guidelines, and the HITECH Act, as offering further guidance on what companies should do to protect sensitive data. The FTC ultimately ordered LabMD to (1) notify affected consumers, (2) establish a comprehensive security program, and (3) obtain periodic independent assessments of that program.
In today’s press release, the FTC notes that this order “will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information.” Yet the order has larger implications: it provides notice and further guidance to other companies that handle sensitive personal consumer data.
What Steps Your Business Should Take
In the wake of this ruling, companies should employ the following measures, consistent with the cost-benefit analysis outlined by the Commission, for storing and managing such data:
- Utilize software tools and hardware devices for detecting vulnerabilities (“including antivirus programs, firewalls, vulnerability scanning tools, intrusion detection devices, penetration testing programs, and file integrity monitoring tools,” as noted in the order).
- Adequately train employees to protect personal information.
- Limit employees’ access to sensitive data on an as-needed basis.
- Purge personal consumer information that is no longer needed.
- Do not store information for consumers for whom no services are performed.
- Prevent the installation of third-party software, which may inadvertently introduce vulnerabilities. To that end, provide employees with non-administrative accounts.
Risk assessments and internal reviews of data protection processes are critical to managing sensitive personal data. You cannot act without knowledge of your own internal processes.