While much of Washington, D.C. is enjoying the slow and hazy days of summer, the Federal Trade Commission (FTC) is staying busy solidifying its presence as the go-to authority for data security. Most recently, on July 29, 2016, the FTC issued a unanimous Opinion and Final Order against LabMD, Inc., for its unreasonable data security practices, reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges.
Between 2001 and 2014, LabMD collected and tested patient medical samples for physicians. The FTC’s decision found that from 2005 to 2010, LabMD failed to maintain basic security practices. Among other things, LabMD:
- lacked file integrity monitoring and intrusion detection;
- failed to monitor digital traffic;
- failed to provide security training to its personnel;
- lacked a strong password policy and allowed at least half a dozen employees to use the same weak password, “labmd”;
- failed to update its software to address known vulnerabilities;
- granted employees administrative rights to their laptops, which allowed these employees to download any software they wanted;
- allowed the downloading of peer-to-peer file-sharing software (LimeWire), through which a file containing 1,718 pages of confidential information relating to approximately 9,300 customers was made available for download; and
- failed to respond to warnings about data vulnerability after being made aware of the issue with respect to LimeWire.
The case was heard by an ALJ, who issued a decision in November 2015 (the “ALJ Decision”). The ALJ Decision dismissed the complaint for lack of evidence that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers. In its recent Opinion and Final Order, however, the FTC reversed the ALJ Decision and found that LabMD’s data security practices were unreasonable and caused, or were likely to cause, substantial injury to consumers.
What Are Unreasonable Data Security Practices?
The FTC’s thirty-seven page Opinion and Final Order details what the FTC found to be insufficient data security standards that left consumers at risk. In reaching its decision, the FTC repeatedly referenced the well-known data privacy and security standard in the Health Insurance Portability and Accountability Act (HIPAA).
Indeed, for all of the FTC’s concerns, there are corresponding HIPAA standards which provide important industry guidance with respect to data privacy and security. The FTC noted, however, that HIPAA does not itself determine the reasonableness of LabMD’s data security practice, since HIPAA is a multi-factored law that takes a “flexible approach” to Security Rule compliance. In fact, the FTC’s decision is separate from any specific HIPAA enforcement action that may result from the practices described above. Nevertheless, the repeated references to HIPAA provide a helpful reference point for the FTC’s expectations with respect to data privacy and security—a reference that should be universally known in the healthcare services world.
While the FTC used HIPAA to identify reasonable data security practices, its analysis of substantial injury is not limited to the health care industry. Indeed, the FTC has made it clear that any industry in possession of sensitive consumer data (such as names, addresses, dates of birth, Social Security numbers, and insurance information) will be required to maintain reasonable data security practices, and that enforcement actions may result even if there has been no identifiable harm to the subjects of such data.
What is Substantial Injury?
Having determined that LabMD had insufficient data security practices in place, the FTC looked at what constitutes substantial injury. In its analysis, the ALJ Decision relied on the fact that there is “no evidence that any consumer has suffered any injury as a result of the 2008 exposure.” In the Matter of LabMD, Inc., A.L.J. Docket No. 9357. In fact, even the FTC Final Order notes that it is unclear if the exposure “resulted in actual identity theft, medical identity theft, or physical harm for any of the consumers whose information was disclosed.” In the Matter of LabMD, Inc., FTC Docket No. 9357, at 23.
Nevertheless, the FTC determined that the mere “disclosure of sensitive health information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial” and therefore actionable. In other words, the FTC does not require consumers to show they have suffered “known harm” to enforce Section 5 of the FTC Act against unreasonable data security practices. In the Matter of LabMD, Inc., FTC Docket No. 9357. Rather, it is the timing of the data security practice that guides the FTC’s analysis of whether or not the consumer is subject to substantial injury. The FTC stated that when determining if an industry’s data security practice will cause harm, it will do so “at the time the practice occurred, not on the basis of actual future outcomes.” In the Matter of LabMD, Inc., FTC Docket No. 9357 at 23.
Under that analysis, the Commission found that LabMD put consumers at risk of substantial injury and ordered, among other things, that it notify consumers of the risk and adopt a comprehensive compliance plan to address the identified security shortcomings. LabMD now has 60 days to file a petition for review with a U.S. Court of Appeals – which it seems quite likely to do.
In the meantime, companies can use this decision to help review their own data privacy and security practices, knowing that the FTC will undoubtedly continue to act as a leader in the data privacy and security field. And, for any HIPAA covered entity or business associate, this decision should be a wake-up call that non-compliance with HIPAA may create two-fold liability.