The commissioners of the Federal Trade Commission (FTC), the lead agency in enforcement of consumer privacy and data security, revived a data security action against LabMD, a medical testing company that had been accused of leaving customers' names, Social Security numbers, dates of birth, and personal health insurance information exposed on publicly accessible peer-to-peer (P2P) file sharing networks. This decision is likely to further expand the potential liability for maintaining lax data security protocols, particularly with regard to health or medical information.
As we reported earlier this year (Cyber Security Update - Recent Developments and Expectations for 2016, Cyber Security Update - The FTC and Class Actions) the case against LabMD had previously been dismissed by an administrative law judge (ALJ) who held that, after several years without the occurrence of any identifiable harm traceable to the security incident, the FTC could not sustain its burden to prove LabMD's data practices "caused or were likely to cause substantial injury" to consumers (which is the key to the FTC's ability to exercise its jurisdiction).
However, on July 29, 2016, the FTC heads rebuffed that conclusion and vacated the ALJ's decision, holding that the ALJ applied the wrong legal standard for "unfairness" under Section 5 of the FTC Act, and that, by exposing the medical information of 9,300 consumers to millions of P2P users, LabMD had "caused and were likely to cause substantial injury that was not avoidable by consumers or outweighed by countervailing benefits." According to the factual findings, the consumer data had been "freely available" for more than 11 months.
The commissioners went so far as to say the "unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury," but stressed also that "given the absence of notification by LabMD, a lack of evidence regarding particular consumer injury tells us little about whether LabMD's security practices caused or were likely to cause substantial consumer injury. "¦ We need not wait for consumers to suffer known harm at the hands of identity thieves."
The commissioners found LabMD's data security practices to be "unreasonable," citing that LabMD had failed:
- To employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing;
- To monitor traffic coming across its firewalls;
- To provide its employees with data security training; and
- To adequately limit or monitor employees' access to patients' sensitive information or restrict employee downloads to safeguard the network."
In accordance with those conclusions, the FTC commissioner ordered LabMD to notify affected individuals, establish a comprehensive information security program, and obtain assessments regarding its implementation of the program.
It is unlikely that this will be the end of the dispute, as LabMD will likely seek court review of the FTC's decision. The issue of what constitutes an "injury" to an individual whose protected private/health information has been compromised as part of a data breach or inadvertent disclosure remains a hotly contested battle ground in many legal arenas in addition to the FTC, including, most prominently, the consumer class action field.
If you have any questions about your organization's data security or breach response program, contact Nicholas J. DiCesare at 716-566-1524 or ndicesare@barclaydamon.com or any of the Barclay Damon attorneys with whom you normally work.