The Federal Trade Commission (FTC) issued a unanimous opinion and order today, vacating the Administrative Law Judge’s (ALJ) initial decision and finding that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act.  In August 2013, the FTC issued a complaint against LabMD, alleging that its failure to implement adequate data security measures led to the disclosure of patient information from LabMD’s networks.  As we previously reported, FTC staff appealed the ALJ’s November 2015 initial decision dismissing the FTC’s complaint against LabMD for allegedly “unfair” data security practices.  The Commission’s Chief ALJ had dismissed the complaint on the ground that there was no injury or likelihood of injury to consumers because there was no evidence of misuse of any of the personal information at issue.  The Commission Opinion reverses that finding and holds that injury, for purposes of the FTC Act, was established on a record of insufficient data security protections.

The Commission’s opinion in LabMD further bolsters the FTC’s authority to regulate corporate data security practices, which was affirmed last year by the Third Circuit in Wyndham.  It also clarifies and expands upon the Commission’s interpretation of the unfairness test under Section 5 of the FTC Act as it relates to data security. 

Findings on LabMD’s Data Security Practices

The Commission Opinion first outlines the FTC’s unfairness standard, followed by an overview of LabMD’s data security practices.  The Commission found that LabMD did not have “basic data security practices in place for its network” and failed to implement “common practice[s] long employed by IT professionals.”  Specifically, LabMD did not employ automated intrusion detection systems, file integrity monitoring software, or penetration testing, and also failed to monitor traffic coming across its firewalls.  Nor did LabMD provide employees with data security training or review the programs installed on employee systems, despite internal policies mandating such steps.  The Commission also emphasized that LabMD never notified consumers that their personal information had been disclosed, and still has not destroyed or deleted any of the patient data it collected.

Notably, the Commission relied on standards from the Health Insurance Portability and Accountability Act, as well as standards and guidance on data security from organizations such as the National Institute of Standards and Technology and the National Research Council.  While the Commission emphasized that such standards “do not govern” obligations under Section 5, it found that “they do provide a useful benchmark for reasonable behavior.”

Application of the Section 5 Unfairness Test

Although the ALJ’s decision focused only on the first of the three prongs of the Section 5 unfairness test, the Commission Opinion stepped through the full test in determining for itself that LabMD’s data security practices violated the FTC Act.  The Commission articulated the applicable test as follows:

[W]e evaluate whether LabMD’s data security practices, taken together, failed to provide reasonable and appropriate security for the sensitive personal information on its computer network, and whether that failure caused or was likely to cause substantial injury that consumers could not have reasonably avoided and that was not outweighed by benefits to consumers or competition.

With respect to the first prong, the Commission found that LabMD’s data security practices both caused and were likely to cause substantial injury to consumers.  According to the Commission, “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury” under Section 5, even “in the absence of proven economic or physical harm.”  In coming to this conclusion, the Commission relied on its own precedent, other federal and state statutes that recognize “the inherent harm in the disclosure of sensitive health and medical information,” and tort law recognition of privacy harms “that are neither economic nor physical.”

The Commission also found that LabMD’s data security practices were “likely to cause substantial injury” as an independent basis for satisfying the first prong of the unfairness test.  Here, the Commission found that the ALJ applied the wrong test in defining “likely to cause” as “having a high probability of occurring or being true.”  The FTC articulated the “likely to cause” standard as follows:

In determining whether a practice is “likely to cause a substantial injury,” we look to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur. Thus, a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.  . . .  As is the case for analysis of unfairness generally, this evaluation does not require precise quantification. What is important is obtaining an overall understanding of the level of risk and harm to which consumers are exposed.

Thus, the Commission found that a “significant risk” of injury satisfies the likelihood standard, and that this standard was satisfied here based on the exposure of sensitive personal information to millions of online users via a P2P network and the potential consumer harms caused by medical identity theft such as fraud, misdiagnosis, and mistreatment.  The Commission rejected LabMD’s argument that it needed to satisfy Article III standing requirements, as articulated in the Supreme Court’s recent Spokeo decision, to find a likelihood of substantial injury under Section 5.

With respect to the second prong, the Commission found that consumers could not reasonably avoid the injuries resulting from LabMD’s data security practices, because most patients whose data was compromised were not aware that their data was even provided to LabMD.  The Commission emphasized that this inquiry “centers on whether consumers can avoid harm before it occurs,” and that even if consumers could have mitigated the harms after the fact here, LabMD failed to notify the consumers about the disclosure.  Finally, with respect to the third prong, the Commission found that the consumers’ injuries were not outweighed by countervailing benefits to consumers or to competition, largely relying on “detailed evidence of low-cost solutions that LabMD could have adopted to cure the deficiencies and render its practices reasonable and appropriate.”

The Commission Opinion also rejected LabMD’s affirmative defenses, including its vagueness challenge to the FTC’s unfairness standard.  The Commission distinguished prior precedent on the subject, stating that “the FTC is imposing the same basic data security standard it has consistently articulated for nearly fifteen years.”  And it specifically pointed to “ample notice to the public” of the Commission’s “expectations regarding reasonable and appropriate data security practices,” such as FTC complaints and consent decrees.

Order

The Commission Opinion concludes with a description of its order, which is “similar” to the Notice Order that was attached to the original complaint.  As with the Commission’s consent orders in previous data security cases, the order lasts twenty years and requires LabMD to, among other things, maintain a comprehensive written information security program, obtain biennial assessments of that program, notify individuals whose personal information was or could have been exposed about the unauthorized disclosure, and comply with record-keeping and compliance reporting requirements.

According to the Commission’s press release on the decision, LabMD can now file a petition for review of the FTC’s decision and order with a U.S. Court of Appeals within 60 days.