Last week, three commissioners from the Federal Trade Commission (FTC) held in In the Matter of LabMD, Inc. that a company’s failure to implement reasonable security measures to protect sensitive consumer information on its network constituted an unfair business practice in violation of Section 5 of the Federal Trade Commission Act (FTC Act). In doing so, the Commission, which had authorized an investigation of the company, overturned a senior administrative law judge’s earlier finding that the Commission had not proved consumer harm, and the resulting dismissal of the Commission’s administrative complaint against the company.
The FTC Act empowers the FTC to prevent “unfair methods of competition” and “unfair or deceptive acts or practices in or affecting commerce[.]” See 15 U.S.C. § 45(a)(1), (a)(2). However, the FTC “shall have no authority… to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.” 15 U.S.C. § 45(n). The FTC may bring enforcement actions for violation of the FTC Act either in a United States District Court or by administrative complaint before an Administrative Law Judge (“ALJ”). ALJ rulings can be reviewed by the Commissioners of the FTC, who may then issue a final opinion and order. Orders from both the Commission and from a U.S. District Court may be appealed to a U.S. Court of Appeals.
On August 28, 2013, the FTC filed an administrative complaint against LabMD, Inc., a clinical testing laboratory, alleging that LabMD failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer network and that this conduct “caused or is likely to cause” substantial consumer injury, in violation of Section 5 of the FTC Act.
The Complaint was based on two alleged security incidents. The first incident occurred in May 2008, when a third party informed LabMD that one of LabMD’s insurance aging reports, containing the personal information of approximately 9,300 patients of LabMD’s physician clients, had been discovered on a peer-to-peer file-sharing network. A LabMD billing manager had installed the file-sharing program LimeWire on his work computer and inadvertently shared the report. The second incident occurred in October 2012, when the Sacramento police discovered 40 LabMD transaction reports containing the personal information of 600 consumers, nine copied checks and one money order payable to LabMD in the possession of individuals who eventually pled nolo contendere to identity theft charges.
On November 13, 2015, an ALJ dismissed the Complaint, finding that the FTC had failed to prove that LabMD’s alleged conduct caused or was likely to cause substantial injury to consumers. See In the Matter of LabMD, Inc., Docket No. 9357, Initial Decision (Nov. 13, 2015). The ALJ found that, due to the FTC’s failure to produce evidence that any consumer had suffered actual harm in the seven years since the incident, the exposure of the insurance aging report did not, and was not likely to, result in any identity theft-related harm. See id., at 57-67. Moreover, the ALJ found that there was no evidence of embarrassment or similar emotional harm resulting from the exposure of the insurance aging report and, even if there were, such harm did not constitute a “substantial injury” within the meaning of Section 5(n). See id., at 68-69.
The ALJ also found that the FTC failed to prove a causal connection between the exposure of the transaction reports, checks and money order and LabMD’s purportedly lax network security practices, as there was no evidence that these documents were maintained on, or taken from, LabMD’s computer network. See id., at 71-74. Finally, the ALJ expressly rejected the FTC’s argument that identity theft-related harm was likely for all consumers whose personal information was stored on LabMD’s network because that network was “at risk” of a future data breach. See id., at 80-87. Specifically, the ALJ found that although the FTC may, at best, have shown the “possibility” of harm with a future data breach, it did not meet its burden of proving the “probability” or “likelihood” of harm required by the statute. See id., at 14.
Three FTC Commissioners (two of the five FTC Commissioner seats are currently vacant) vacated the ALJ’s Initial Decision, holding that, in determining whether a practice is “likely to cause substantial injury” under the unfairness standard, the FTC “look[s] to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur” and that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” See In the Matter of LabMD, Inc., Docket No. 9357, Opinion of the Commission, at 10 (July 29, 2016). The Commissioners examined LabMD’s data security practices and found them unreasonable because LabMD failed to implement “basic” risk management measures: it did not deploy automated intrusion detection systems, file integrity monitoring software, or penetration testing; did not monitor firewall traffic; did not provide data security training to its employees; and did not adequately limit or monitor access to patients’ sensitive information or restrict employee downloads. See id., at 12-16. They also found that LabMD’s inadequate data security practices led to the disclosure of the insurance aging report and that “the privacy harm resulting from the unauthorized disclosure of [such] sensitive health or medical information is in and of itself a substantial injury [.]” Id., at 19. In making this finding, the Commissioners concluded that “the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).” Id., at 19.
Moreover, the Commissioners found the unauthorized exposure of the insurance aging report was “likely to cause substantial injury.” See id., at 20. They expressly rejected the ALJ’s reliance on the lack of actual harm in the case, holding that, in evaluating a practice, the FTC judges “the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes.” Id., at 23. The Commissioners described Section 5 as having a “prophylactic purpose” that authorized the FTC to take “preemptive action” and “not wait for consumers to suffer known harm at the hands of identity thieves.” Id. Accordingly, the Commissioners held that LabMD’s data security practices constituted unfair acts or practices within the meaning of Section 5 of the FTC Act.[1]
The Commissioners issued a Final Order requiring LabMD to establish, implement, and maintain a comprehensive information security program “reasonably designed to protect the security and confidentiality of consumers’ personal information” and to “obtain initial and then biennial assessments and reports regarding its implementation of the information security program.” Id., at 34. The Final Order also requires LabMD to notify individuals “whose personal information LabMD has reason to believe was or could have been exposed about the unauthorized disclosure of their personal information” and “the health insurance companies for these individuals of the information disclosure.” Id., at 35.
The LabMD decision expands the authority of the FTC by broadening the standard for what constitutes a substantial injury, or what is likely to cause a substantial injury, under Section 5 of the FTC Act. It establishes that the exposure or disclosure of sensitive personal information is by itself sufficient to satisfy the injury requirement of the unfairness test, and it enables the FTC to declare a company’s data security practices unfair acts or practices under Section 5 of the FTC Act even in the absence of actual harm to any consumer. In doing so, the LabMD decision validates the growing number of FTC investigations and enforcement actions under Section 5 of the FTC Act for lax data security practices. Whether LabMD seeks appellate review of the Final Order by a U.S. Court of Appeals remains to be seen.
The LabMD decision does provide some guidance as to what constitutes minimally reasonable data security practices. Companies should employ intrusion detection systems, file integrity monitoring software, and penetration testing to assess the risks on their networks. They should also keep their antivirus programs up to date, run and review scans, and monitor traffic crossing their firewalls. Even if such systems and programs are in place, companies should still provide thorough data security training to their employees. Finally, companies should limit access to sensitive personal information to only those employees who need the information to perform their jobs, and monitor and restrict what employees download onto their work computers. The presence of these measures does not guarantee that the FTC will not initiate an action against a company in the event of a security incident. But their absence increases both the probability that such an action will be brought and the likelihood that it will succeed.
[1] The Commissioners, however, did agree with the ALJ’s decision concerning the LabMD transaction reports, copied checks and money order, concluding that there was no evidence that LabMD’s computer security practices (which were the sole focus of the Administrative Complaint) caused the exposure of these documents. See id., at 25.