By Jeffrey May, J.D.
LabMD’s lax data security practices, which resulted in the unauthorized sharing of the personal information of thousands of consumers, violated the FTC Act, the three sitting members of the Commission have decided. The unreasonable security practices of the now-shuttered medical testing laboratory amounted to unfair acts or practices. The opinion in the closely-watched case was authored by FTC Chairwoman Edith Ramirez, whom LabMD attempted to disqualify from the matter on two occasions (In the Matter of LabMD, Inc., July 28, 2016, Ramirez, E.).
In 2013, the FTC brought an action against LabMD, alleging that the company's billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and that company documents containing sensitive personal information of at least 500 consumers had fallen into the hands of identity thieves. The agency contended that LabMD failed to implement or maintain a comprehensive data security program to protect this information.
An administrative law judge (ALJ) rejected the claims in 2015. Focusing on the first of the unfairness standard’s three elements—the "substantial consumer injury" requirement—the ALJ dismissed the case. According to the ALJ's initial decision, the agency failed to prove that LabMD’s conduct caused, or was likely to cause, substantial injury to consumers. The ALJ rejected the agency's argument that the very disclosure of sensitive personal medical information, including lab tests for conditions such as HIV, prostate cancer, and herpes, itself represented substantial consumer injury. The ALJ did not consider the reasonableness of LabMD’s data security practices or the two other unfairness elements: (1) whether the alleged harm was reasonably avoidable by consumers and (2) whether it was outweighed by countervailing benefits to consumers or competition.
Under Section 5(n) of the FTC Act, an act or practice may be deemed unfair if (1) it "causes or is likely to cause substantial injury to consumers;" (2) the injury "is not reasonably avoidable by consumers themselves;" and (3) the injury is "not outweighed by countervailing benefits to consumers or competition."
The ALJ applied the wrong legal standard for unfairness, the Commission has now decided. Noting that it is "up to the Commission to determine, on a case-by-case basis, which practices should be condemned as ‘unfair’," the Commission explained that while most cases of unfairness involve economic harm or health and safety risks, subjective types of harm might also be considered as the basis for a finding of unfairness.
At the outset, the Commission found LabMD's security practices to be unreasonable, "lacking even basic precautions to protect the sensitive consumer information maintained on its computer system." According to the Commission, the company "failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected."
Consumer injury. The Commission also decided that the data security practices caused and were likely to cause substantial injury that was not avoidable by consumers or outweighed by countervailing benefits. "[T]he privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury" for purposes of an unfair practices claim, the Commission concluded.
In addition, there was a "significant risk" of substantial injury. A showing of a "significant risk" of injury satisfies the "likely to cause substantial injury" standard, in the Commission's view. "We need not wait for consumers to suffer known harm at the hands of identity thieves," the commissioners explained, pointing to the "prophylactic purpose" of Section 5.
Reasonable avoidability, countervailing benefits. The Commission also found that consumers had no ability to avoid the harms caused by LabMD’s practices. The Commission rejected LabMD’s argument that consumers were reasonably capable of mitigating any injury "after the fact." As for the third element of the unfairness claim, the consumer injury resulting from LabMD’s data security practices was not "outweighed by countervailing benefits to consumers or to competition." The Commission pointed to low-cost solutions that LabMD could have adopted to cure the deficiencies and render its practices reasonable and appropriate. The company also could have trained employees to safeguard personal information.
Documents held by identity thieves. With respect to the documents found in the possession of identity thieves by the Sacramento Police Department, the Commission found no established causal link between the exposed documents—found in hard copy form—and LabMD’s computer security practices. The agency did not show that this incident was caused by deficiencies in LabMD’s computer security practices, which were the sole practices challenged in the complaint. Thus, this incident did not provide additional evidence that LabMD’s computer security practices caused or were likely to cause substantial injury.
Relief. The FTC issued a final order "that will ensure LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession." The order is intended to prevent future violations by LabMD and remediate the risk of harm to consumers. LabMD is required to establish a comprehensive information security program; to obtain periodic independent, third-party assessments regarding the implementation of the program; and to notify affected individuals about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.
This is Dkt. No. 9357.
Attorneys: John Krebs for the FTC. Sunni Harris (Dinsmore & Shohl, LLP) for LabMD, Inc.
Companies: LabMD, Inc.