The FTC issued an Opinion and Final Order on July 29, 2016 reversing the earlier dismissal of its charges against LabMD. FTC Administrative Law Judge (ALJ) D. Michael Chappell had dismissed the case on November 13, 2015 on the ground that the FTC had not shown the harm required to find an act or practice unfair under § 5 of the FTC Act (15 U.S.C. § 45(n)). In overturning the ALJ’s Initial Decision, the FTC clarified its view of the proper standard for unfairness under § 5. The FTC also detailed specific security failings of LabMD and signaled the importance of timely and effective notice to consumers, particularly where sensitive data is involved and the breached company is business-facing rather than consumer-facing. LabMD has sixty days from the issuance of the Opinion and Final Order to appeal to a federal court of appeals, but the Opinion already provides key insights into how the FTC is likely to assess unfairness in future data security enforcement actions.
The FTC filed its original complaint on August 28, 2013 after a LabMD employee installed peer-to-peer file sharing software on a work computer, exposing a file containing patient information to any other user of the file sharing network.
The Test for Unfairness
The crux of Judge Chappell’s decision to dismiss rested on a strict reading of § 5(n)’s requirement that an unfair act or practice “causes or is likely to cause substantial injury to consumers.” Judge Chappell had read “likely” to mean “reasonably to be believed or expected”; the FTC rejected that reading and instead held that “a ‘significant risk’ of injury satisfies the ‘likely to cause’ standard.” The FTC based that reading in part on prior cases, including International Harvester (where the Commission found a serious risk of potential injury, including death or dismemberment, even at an accident rate of less than .001 percent) and Wyndham, where the Third Circuit weighed both the “probability and expected size” of consumer harm. The FTC further noted that § 5 has a clear “prophylactic purpose” and does not require the Commission to wait until actual harm has occurred before intervening.
For LabMD, the FTC found both a likelihood that the exposed data had been accessed and a heightened risk of harm because the information at issue was medical. First, the FTC pointed out that the mere disclosure of some healthcare information, such as the fact that a patient underwent a sensitive medical test, can result in “embarrassment or other negative outcomes, including reputational harm,” which would itself satisfy § 5(n)’s requirement. The FTC also called out the heightened risks of medical identity theft (where the thief obtains medical services or prescription drugs, or files insurance claims, under the stolen identity) compared to traditional financial identity theft. Because medical identity theft is difficult to correct and can corrupt a victim’s medical record, leading to misdiagnosis and mistreatment and thus direct physical harm, the FTC found that unauthorized disclosure of LabMD’s medical information constitutes a greater potential harm, which in turn lowers the probability of injury needed to find unfairness.
The FTC also addressed why consumers could not reasonably avoid injuries resulting from LabMD’s security practices (another element of unfairness under § 5(n)), focusing on consumers’ inability to know that LabMD was handling their medical information and on LabMD’s failure to provide notice of the breach. The FTC clarified that § 5(n)’s “inquiry centers on whether consumers can avoid harm before it occurs.” First, because LabMD’s clients were health care providers rather than patients, consumers would not necessarily have known that any of their information had been shared with LabMD. Second, despite LabMD’s claim that consumers could have mitigated any harm themselves, the absence of breach notification made it impossible for consumers to know that their data was in LabMD’s possession, let alone that they might be at risk of identity theft and should pursue credit monitoring or other precautionary steps.
Reasonable Data Security
In finding that LabMD lacked reasonable and appropriate data security practices, the FTC focused specifically on LabMD’s failure to employ basic security tools, to provide adequate security training for employees, and to properly limit access to sensitive data.
The FTC first pointed out that, because LabMD is a HIPAA covered entity that transmits health information, HIPAA’s risk and vulnerability assessment requirements provide a useful benchmark, though not a requirement, for compliance with Section 5 of the FTC Act. For the first time, the FTC Opinion points to the National Institute of Standards and Technology (NIST) Guide for Conducting Risk Assessments (SP 800-30) as an example of a helpful framework for assessing the reasonableness of data security practices. Here, the FTC found that LabMD failed to use standard security measures such as intrusion detection systems, file integrity monitoring, penetration testing, or network monitoring for unauthorized intrusion or exfiltration. The Opinion also points out that even the tools LabMD did use (antivirus programs, firewall logs, and manual computer inspections) were improperly used and therefore ineffective.
Notably, the FTC Opinion specifically pointed out that “LabMD turned off the feature of its laboratory information software, LabSoft, that allowed for distinct access settings for different users.” In the FTC’s view, the presence of an otherwise reasonable control was nullified by its configuration: a per-user access control that is disabled offers no more protection than one that was never purchased. The practical lesson is that a security program must verify how controls are actually configured and operating, not merely that they have been deployed. Additionally, the FTC called attention to LabMD’s lack of a data deletion policy, noting that it had “never destroyed any patient or billing information it received since it began operating.” Even for a healthcare service, where a long history of patient records can aid healthcare professionals and patients alike, the FTC expressed its expectation that some data minimization and deletion procedure should be in place.
The Importance of Notice
The FTC both cited LabMD’s lack of breach notification as evidence in its calculation of the risk of harm to consumers and mandated, as part of the Final Order, that LabMD now notify affected consumers. This notice requirement tracks the HIPAA Breach Notification Rule (not the HIPAA Security Rule, which governs safeguards rather than notice), which has required notice of breaches of unsecured protected health information since 2010. As mentioned earlier, the FTC pointed out that because LabMD did not deal directly with consumers, the failure to notify those consumers that their data had been breached materially affected the calculation of potential harm. This signals to service providers that the FTC will specifically examine the timeliness of breach notice when assessing future unfairness enforcement actions.
*Post by Justin Hemmings*