The FTC Confirms That Mere Disclosure of Health Information is a “Substantial Injury” Justifying Sanctions for “Unreasonable” Data Security Practices
The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.
In I/M/O LabMD, Inc., the Commission reversed an Administrative Law Judge’s Order, and concluded that LabMD had violated the FTC Act because its data security practices had caused, and were also likely to cause, substantial consumer injury, including identity theft, medical identity theft, and other harms.
The decision stemmed from allegations that LabMD, which operated as a clinical laboratory testing center, failed to protect patients’ sensitive personal information, including names, addresses, dates of birth, Social Security numbers, insurance information, diagnosis codes, and physician orders for tests and services. Specifically, the Commission found that LabMD failed to use file integrity monitoring, neglected to monitor traffic coming across its firewalls, failed to have an intrusion detection system, provided essentially no data security training to its employees, and never deleted any of the consumer data it had collected. These data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years. The file-sharing software was configured (unwittingly) to allow exposure of patient information on a peer-to-peer network accessible daily by millions of users. However, the only documented disclosure of patient information that occurred was a single “breach” by a data security firm looking to generate new business, who had used the peer-to-peer network to access a file containing sensitive data for approximately 9,300 individuals.
Section 5 of the FTC Act authorizes the Commission to challenge “unfair or deceptive acts or practices in or affecting commerce,” and provides that a practice is deemed unfair if it (1) “causes or is likely to cause substantial injury to consumers,” (2) the injury “is not reasonably avoidable by consumers themselves,” and (3) the injury is “not outweighed by countervailing benefits to consumers or competition.” 15 U.S.C. § 45(a) and (n). The Commission found that “the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial.” Accordingly, LabMD’s lax security practices “caused substantial injury” because “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under [the FTC Act].” In addition, the Commission concluded that the exposure of sensitive medical and health information to millions of online file-sharing users made a breach “particularly likely to occur” and was therefore “likely to cause substantial injury.”
The FTC based its conclusions regarding the existence of “substantial injury” primarily on the fact that the ineffective security practices and the actual breach exposed highly sensitive health and medical information, so it remains to be seen whether this decision will extend to inadequate data security leading to the disclosure of other confidential information. In addition, LabMD’s failures may be viewed as particularly egregious, so it remains unclear what effect the FTC’s decision will have in the future and with different perceived failures. Regardless, this decision is a clear signal of the FTC’s expanding effort to regulate data security, as sanctioned by the Third Circuit in FTC v. Wyndham Worldwide Corp. We note that LabMD has filed a motion seeking a stay of the effective date of the FTC’s Order pending review by the United States Court of Appeals, so stay tuned to this blog for further developments.
Perhaps acknowledging the future uncertainty, the opinion explains, “[t]he touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”
In light of the FTC’s conclusions, every organization – large or small, for-profit or charitable – that retains any confidential personal information of its employees, volunteers, or customers should consider implementing the following:
- regular data security training of all employees;
- limiting an employee’s access to only the types of information needed to perform their job;
- limiting an employee’s ability to download or install their own software on work-related devices;
- conducting risk assessments of data security practices;
- regular maintenance and updates of operating systems for computers and other work-related devices;
- ensuring that software tools and hardware devices to detect system vulnerabilities are properly installed, configured, and regularly updated, including intrusion detection devices, penetration testing programs, policy compliance and file integrity monitoring tools, and firewalls; and
- establishing and enforcing appropriate data retention policies and procedures.
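File integrity monitoring is one of the controls the Commission faulted LabMD for lacking. The following is an added illustration (not code from the FTC decision or from LabMD) of what such a monitor does at its simplest: hash every file under a directory to form a baseline, then compare a later snapshot to flag files that appeared, changed, or vanished. The directory layout and file names in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot: relative POSIX path -> SHA-256 for every file under root."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): hash_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed or modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, then simulate the kind of
    drift at issue in the LabMD matter (unapproved software appearing, a data
    file changing, a file disappearing) and report what the monitor flags."""
    with tempfile.TemporaryDirectory() as workdir:
        root = Path(workdir)
        (root / "billing").mkdir()
        (root / "billing" / "patient_records.txt").write_text("constructed sample")
        (root / "orders.txt").write_text("constructed sample")
        baseline = build_baseline(workdir)  # taken while the host is known-good
        (root / "p2p_client.exe").write_bytes(b"\x00")  # new, unapproved software
        (root / "orders.txt").write_text("tampered")  # existing file altered
        (root / "billing" / "patient_records.txt").unlink()  # file removed
        return compare(baseline, build_baseline(workdir))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored somewhere the monitored host cannot modify and the comparison run on a schedule, with any non-empty result routed to whoever reviews security alerts.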
Threats to data security are constantly evolving, so data security practices cannot remain static. Whether the FTC is watching or not, it is clear that implementing and regularly updating appropriate practices, policies, and procedures is essential for any “reasonable” data security program.