In a unanimous opinion, the Federal Trade Commission ruled that an Administrative Law Judge erred when he concluded that the FTC failed to prove that LabMD, a Georgia-based clinical testing laboratory, had engaged in an “unfair or deceptive trade practice” based on inadequate computer security for records containing protected health information (PHI) and sensitive personally identifiable information (PII). The FTC’s Opinion, written by Chairwoman Edith Ramirez, concluded that the wrong legal standard for unfairness had been applied and that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” According to the FTC, LabMD’s failures included, but were not limited to: 1) failing to use an intrusion detection system or file integrity monitoring; 2) neglecting to monitor firewall traffic; 3) failing to provide data security training to its employees; and 4) failing to delete any of the 750,000 patient records it had collected between 2008 and 2014, including records culled from its physician-clients’ databases despite never having performed testing for those patients. The Opinion also clarified the FTC’s position on when an inadequate security program is “likely to cause substantial injury to consumers” sufficient to invoke its jurisdiction. Ultimately, the message for businesses was clear: the FTC has jurisdiction to pre-emptively investigate and prosecute inadequate computer security, regardless of whether a breach has occurred.
In February 2008, a security firm named Tiversa discovered that a LabMD billing computer on the Gnutella peer-to-peer file-sharing network was inadvertently sharing an insurance aging report containing PHI and sensitive PII on approximately 9,300 patients, including their names, dates of birth, Social Security numbers, CPT codes for laboratory tests conducted, and in some cases, health insurance company names, addresses, and policy numbers. This file was referred to in the matter as the “1718 File” because it was 1,718 pages long. After locating the 1718 File, the Tiversa researcher used the network’s “browse host” function, which lists everything a peer is sharing, to reveal 950 other shared files in the “My Documents” directory on the LabMD computer, most of which consisted of music and video files. However, eighteen documents were also being shared at the same time, three of which also contained patient PHI. In other words, a single exposed file was enough to reveal the entire shared directory to anyone on the network.
Tiversa disclosed its download of the 1718 File to LabMD and offered its remediation services, which LabMD ultimately rejected. Instead, LabMD conducted an internal investigation without disclosing the breach to its affected patients. The FTC’s Opinion cites LabMD’s engagement of an independent security firm to conduct penetration testing and vulnerability mapping on its network. That firm’s report identified a number of urgent and critical vulnerabilities on four of LabMD’s seven servers and rated the overall security of each server as “poor.” Meanwhile, a Civil Investigative Demand (CID) served on Tiversa’s affiliate, The Privacy Institute, resulted in the production of a spreadsheet of companies that Tiversa claimed had exposed the personal information of 100 or more individuals, including LabMD, along with a copy of the 1718 File. This led the FTC to open an investigation of LabMD, which resulted in an action against it for failing to implement reasonable security, an alleged “unfair” practice.
In November 2015, Administrative Law Judge D. Michael Chappell dismissed the FTC’s claims following an administrative trial, concluding that the FTC failed to prove that LabMD’s security practices were “likely to cause substantial consumer injury.” The FTC had presented substantial expert witness testimony on the potential injuries that could result from a theft of PHI, including not only identity theft and fraud but also the potential for misdiagnosis and drug interactions caused by a merger of the patient’s actual medical records with the records of the identity thief. However, rather than considering the threats posed by the practices at the time of the disclosure, the Initial Decision instead remarked that “the absence of any evidence that any consumer has suffered harm as a result of [LabMD]’s alleged unreasonable data security, even after the passage of many years, undermines the persuasiveness of [the FTC]’s claim that such harm is nevertheless ‘likely’ to occur.” Adopting a post-hoc analysis, the Initial Decision concluded that because actual harm had not yet been demonstrated from the allegedly unreasonable security practices, the practices were not “likely” to cause substantial consumer harm. The Initial Decision also held that “privacy harms, allegedly arising from an unauthorized exposure of sensitive medical information … unaccompanied by any tangible injury such as monetary harm or health and safety risks, [do] not constitute ‘substantial injury’ within the meaning of Section 5(n).” Asserting that the “substantial consumer injury” required by Section 5(n) could not be satisfied by “hypothetical” or “theoretical” harm or “where the claim is predicated on expert opinion that essentially only theorizes how consumer harm could occur,” Judge Chappell opined that “[f]airness dictates that reality must trump speculation based on mere opinion.”
The FTC’s opinion rejected not only Judge Chappell’s analysis, but also his overly narrow view of what constitutes “harm” in the case of a security breach. According to the FTC, “[w]e conclude that the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).” The Commission pointed out that its very first data security case was brought against the pharmaceutical company Eli Lilly, where lax security practices resulted in the inadvertent disclosure of the e-mail addresses of Prozac users. The opinion also identified “established public policies” in both state and federal law protecting sensitive health and medical information from public disclosure, as well as the recognition of privacy harms in tort law which do not require either economic or physical harm.
More importantly, the FTC ruled that a showing of “significant risk” of injury is sufficient to satisfy the “likely to cause” standard set forth in the Act. According to Chairwoman Ramirez, Judge Chappell’s post-hoc analysis focusing on the injuries actually suffered by patients (who were never notified of the breach) “comes perilously close to reading the term ‘likely’ out of the statute. When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes. This is particularly true in the data security context. Consumers typically have no way of finding out that their personal information has been part of a data breach.” The FTC also re-emphasized that it is authorized to act pre-emptively in order to prevent harm, explaining that “Section 5 very clearly has a ‘prophylactic purpose’ and authorizes the Commission to take ‘preemptive action.’ We need not wait for consumers to suffer known harm at the hands of identity thieves.” (citations omitted).
In addition to concluding that LabMD’s inadequate security practices were likely to cause substantial harm to the 750,000 patients in its databases, the Commission also concluded that consumers had no reasonable ability to avoid the resulting harm. It noted that most patients were wholly unaware that their records were being collected by LabMD, which obtained them directly from its physician-clients, including records for which no testing was ever performed. LabMD attempted to counter that consumers could mitigate any injury “after the fact”; however, the Commission rejected this argument outright. According to the Opinion, “[o]ur inquiry centers on whether consumers can avoid harm before it occurs … even assuming arguendo that the ability to mitigate harm does factor into its avoidability, there is nothing LabMD has pointed to that demonstrates mitigation after the fact would have been possible here. Without notice of a breach, consumers can do little to mitigate its harms.” (emphasis in original). The Commission also pointed out that “it may be difficult or impossible to mitigate or avoid further harm, since [consumers] have ‘little, if … any, control over who may access that information’ in the future, and tools such as credit monitoring and fraud alerts cannot foreclose the possibility of future identity theft over a long period of time.”
As to the third factor of its analysis (i.e. whether countervailing benefits to consumers or to competition outweigh the cost of implementing adequate practices), the FTC pointed to the ubiquity of “free or low cost software tools and hardware devices available for detecting vulnerabilities, including antivirus programs, firewalls, vulnerability scanning tools, intrusion detection devices, penetration testing programs, and file integrity monitoring tools,” as well as the free or low-cost availability of IT security training courses and free vulnerability notifications from vendors, the Computer Emergency Response Team (CERT), the Open Source Vulnerability Database (OSVDB), and the National Institute of Standards and Technology (NIST). From an operational security standpoint, the FTC noted that LabMD could easily have implemented access controls based on the “principle of least privilege,” limiting employees’ access to only the types of data necessary to perform their particular job functions and preventing employees from installing software such as the LimeWire application without administrative privileges. LabMD could also have purged the data of consumers for whom it had never performed testing, because there was no legal obligation to retain that data.
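The exposure described above, a billing report landing in a directory that a P2P client shares, is exactly what a file integrity monitor paired with a sensitive-content sweep is meant to catch, and it is one of the low-cost controls the Commission listed. The following is an added example, not code from LabMD, Tiversa or the FTC: it baselines a share folder by SHA-256, flags files that are new or changed since the baseline, and counts SSN- and date-of-birth-shaped strings in them. The regular expressions, the media-file skip list, and the two-line fake aging report are assumptions constructed for illustration; in practice the baseline would be taken from an approved state and the sweep run on a schedule or on filesystem events.

```python
# Added example (not from the FTC opinion or LabMD): file-integrity baseline plus a
# sensitive-content sweep over a folder that a P2P client would share.
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed patterns for illustration: a US SSN (area not 000/666/9xx, group not 00,
# serial not 0000) and a date of birth written as MM/DD/YYYY.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b")
# Most of the shared files in the LabMD matter were music and video; skip them in the
# content sweep but still track them in the integrity baseline.
MEDIA_SUFFIXES = {".mp3", ".mp4", ".avi", ".wav", ".mov"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large reports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files added, modified, or removed since the approved baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def count_sensitive(path: Path) -> dict:
    """Count SSN- and DOB-shaped strings in a text file; media files are skipped."""
    if path.suffix.lower() in MEDIA_SUFFIXES:
        return {"ssn": 0, "dob": 0}
    text = path.read_text(encoding="utf-8", errors="replace")
    return {"ssn": len(SSN_RE.findall(text)), "dob": len(DOB_RE.findall(text))}


def audit_share(root: Path, baseline: dict) -> list:
    """Return findings for files new or changed since the baseline that carry PII."""
    changes = diff_snapshots(baseline, snapshot(root))
    findings = []
    for rel in changes["added"] + changes["modified"]:
        counts = count_sensitive(root / rel)
        if counts["ssn"] or counts["dob"]:
            findings.append({"file": rel, **counts})
    return findings


def demo() -> list:
    """Constructed scenario: a media-only share is baselined, then a billing report
    is dropped into it. The report contents are fabricated sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "song.mp3").write_bytes(b"\x00" * 64)           # constructed placeholder
        baseline = snapshot(share)                                # approved state
        (share / "insurance_aging.txt").write_text(               # constructed fake report
            "Acct 1001, DOE, JOHN, DOB 04/12/1965, SSN 123-45-6789, CPT 80053\n"
            "Acct 1002, ROE, JANE, DOB 11/30/1971, SSN 321-54-9876, CPT 85025\n"
        )
        return audit_share(share, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"ALERT {finding['file']}: {finding['ssn']} SSN-like, "
              f"{finding['dob']} DOB-like strings in a file added to the share")
```

Two design points are worth noting. The integrity diff and the content sweep are separate steps on purpose: the diff alone would have flagged the aging report appearing in “My Documents” even if the pattern matching missed it, and the pattern matching alone would be noisy on a folder that churns. Neither step replaces the least-privilege control the Commission described; a user who cannot install LimeWire in the first place never creates the share to monitor.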
The FTC’s Final Order required LabMD “to establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security and confidentiality of consumers’ personal information” for the next 20 years, with biennial assessments and reporting. The Opinion recognized that while LabMD has ceased operations for the time being, it continues to exist as a corporation and still maintains records on approximately 750,000 consumers. Accordingly, the required information security program need only be appropriate “for the nature and scope of LabMD’s activities,” noting that “a reasonable and appropriate information security program for LabMD’s current operations with a computer that is shut down and not connected to the Internet will undoubtedly differ from an appropriate comprehensive information security program if LabMD resumes more active operations.” The Final Order also required LabMD to notify all “individuals whose personal information LabMD has reason to believe was or could have been exposed about the unauthorized disclosure of their personal information” and to “notify the health insurance companies for these individuals of the information disclosure.” LabMD has sixty (60) days after service of the Opinion and Final Order to file a petition for review with the U.S. Court of Appeals.
The FTC’s authority to regulate the adequacy of computer security practices continues to solidify. In its action against Wyndham Worldwide Corp., the 3rd U.S. Circuit Court of Appeals held in 2015 that the FTC could prosecute claims of deficient security practices without first issuing regulations advising businesses how to comply with its expectations. In reversing Judge Chappell’s Initial Decision in the LabMD case, the FTC made it clear that its authority would not be confined by an Article III-style standing analysis requiring proof of actual injury after the fact. This pre-emptive investigative and prosecutorial authority could be further tested in cases where, for example, disgruntled whistleblowers report the lax security practices of their former employers without any public data breach having occurred. For businesses eager to demonstrate their compliance with FTC expectations, the Commission’s Opinion points to the large body of freely available consent decrees and prior decisions outlining practices to be avoided, as well as free resources with which businesses can improve their processes and procedures for little or no cost. When all appeals have been exhausted, LabMD will likely serve as a cautionary tale for others: had it put only a fraction of the effort it has expended defending itself into preventative improvement of its security processes, it might still be in business today.