Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

August 2, 2016

Are You Adequately Protecting Your Employee and Customer Data? FTC Reinstates LabMD Case

The commissioners of the Federal Trade Commission (FTC) last week reversed the dismissal of charges against medical testing company LabMD for its allegedly lax data security protocols. In so doing, they gave some insight into the kinds of protective measures organizations maintaining personal employee or consumer information – particularly health or medical data – may be expected to undertake, such as:

  • Employing basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing;
  • Monitoring traffic coming across its firewalls;
  • Providing its employees with data security training; and
  • Adequately limiting or monitoring employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.

LabMD had been accused of leaving customers’ names, Social Security numbers, dates of birth, and personal health insurance information exposed on publicly accessible peer-to-peer (P2P) file sharing networks. The administrative law judge (ALJ), who first heard the case against the medical testing lab, dismissed it for lack of a showing of substantial injury or likely substantial injury.

However, in reversing the ALJ, the commissioners found that LabMD’s data security practices were “unreasonable” for failing to effect the safeguards listed above and went further to say that the “unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury” and also that “given the absence of notification by LabMD, a lack of evidence regarding particular consumer injury tells us little about whether LabMD’s security practices caused or were likely to cause substantial consumer injury. … We need not wait for consumers to suffer known harm at the hands of identity thieves.”

Accordingly, the FTC commissioner ordered LabMD to notify affected individuals, establish a comprehensive information security program, and obtain assessments regarding its implementation of the program.

Featured Media

Alerts

Second Circuit Upholds New York State's Ivory Law, but Holds Display Restriction Unconstitutional

Alerts

$175 Million of Federal Funds Available for Electric Vehicle Chargers in New York State

Alerts

USFWS Issues Final Guidance on Northern Long-Eared Bat and Tricolored Bat

Alerts

IRS Guidance Excludes VA Service-Connected Disability Benefits From Certain Income Determinations for Qualified Residential Rental Projects

Alerts

Second Department: Objective Evidence Required to Establish Trivial Defect Defense

Alerts

NYS Department of Health Issues Consumer Protection Guidance on Payments for Health Care Services

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out