08.01.2016


Updates

The Federal Trade Commission unanimously (3-0) ruled on July 29, 2016 that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act, reversing a decision of its Administrative Law Judge (ALJ).

As we previously reported, the FTC’s data security program suffered a setback when its ALJ dismissed the FTC’s complaint against LabMD in November 2015 on the basis of insufficient evidence of harm or likelihood of harm.  In now reversing and vacating the ALJ’s ruling, the Commission makes three key holdings in an opinion that offers rare insight into how the Commission views the agency’s burden in establishing that data security practices are “unfair.” 

First, the unauthorized disclosure of highly sensitive health and medical data that occurred here, without any evidence of economic or physical harm, caused substantial injury, due to the emotional, subjective impact on affected consumers. 

Second, the FTC is not required to prove that consumer injury is probable to show that injury is likely; it need only show that there is a “significant risk” of injury and that risk may be “low” if the magnitude of the potential injury is large. 

Third, and relatedly, evidence of exposure of sensitive information to a large number of people, standing alone, can be sufficient to support a finding of likely harm; the Commission need not come forward with any evidence that the information was misused or accessed without authorization.     

LabMD Case Background

Until 2014, LabMD offered clinical laboratory services for physicians.  In February 2008, a data-security firm called Tiversa discovered that a LabMD document containing personal information for approximately 9,300 consumers was publicly available for download on a peer-to-peer (P2P) file-sharing network.  The personal information included names, addresses, dates of birth, Social Security numbers, insurance information, medical diagnosis codes and physician orders for tests and services.  Tiversa subsequently provided this information to the FTC.  Later, in October 2012, the Sacramento Police Department found LabMD paper documents containing personal information belonging to approximately 600 patients and also provided that information to the FTC.  The FTC filed an administrative complaint against LabMD in August 2013.  The ALJ held a full administrative trial in 2015.

ALJ’s Ruling

A Section 5 unfairness violation occurs if an act or practice (1) “causes or is likely to cause substantial injury to consumers;” (2) the injury “is not reasonably avoidable by consumers themselves;” and (3) the injury is “not outweighed by countervailing benefits to consumers or competition.”  15 U.S.C. § 45(n).  The ALJ dismissed the complaint against LabMD following trial on the grounds that evidence of an “increased risk” of injury does not demonstrate that the alleged unfair act or practice “causes or is likely to cause” substantial injury to consumers.  The ALJ reasoned that relying on “risk” alone would be tantamount to imposing liability whenever the evidence established unreasonable security practices, contrary to clear statutory intent to impose liability only for those practices with a causal link to actual or likely harm.  In particular, the ALJ concluded that the FTC staff offered insufficient evidence because the FTC’s experts had provided no quantification of the risk and because the evidence established only that consumer harm was possible, not that it was probable or likely.  (For a full description of the ALJ’s reasoning and result, see our previous update on the case.)

Commission’s Ruling

Reversing the ALJ, the Commission found that LabMD engaged in unfair practices because it failed to employ reasonable security measures, and such failure both “caused” and was “likely to cause” substantial injury to consumers.  It reached this conclusion through several key determinations:

LabMD’s Security Practices Were Unreasonable.  The Commission found that LabMD failed to “employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software or penetration testing” “to monitor traffic coming across its firewalls,” “to provide its employees with data security training” and “to adequately limit or monitor employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.”  Opinion at 11-12. 

Although LabMD used antivirus programs, firewall logs and manual computer inspections to mitigate risk, the Commission held that these measures “could identify only a limited scope of vulnerabilities and were often used in a manner that further reduced their effectiveness,” such as inconsistent virus definition updates and scans, improperly configured firewalls, firewall logs being overwritten every few days and insufficient monitoring of outgoing traffic.  Opinion at 13. 

The Commission also noted that LabMD had failed to abide by its own compliance program requiring that privacy and security training sessions be established and that users’ computers would be reviewed to ensure that only applications appropriate to the specific user were installed.  Notably, the Commission looked to data security standards under HIPAA regulations, guidelines of the National Institute of Standards and Technology and the National Research Council, and what the Commission described as “commonly used” intrusion detection systems and monitoring products of IT practitioners at the time of the events in question, as a “useful benchmark for reasonable behavior.”  Opinion at 12.  Finally, specific to the actual information exposed, the Commission found that LabMD failed to “restrict or monitor what employees downloaded onto their work computers,” including P2P file-sharing programs, which, according to the Commission, “presented a well-known and significant risk that files would be inadvertently shared.”  Opinion at 15.

Mere Unauthorized Disclosure of Sensitive Medical Information May “Cause Substantial Harm.”  The Commission held that “substantial injury” to consumers may be “caused” solely by the disclosure of their sensitive medical information without authorization, even in the absence of any economic or physical harm flowing from such disclosure.  Opinion at 17-19.  Although the Commission’s Unfairness Statement, which serves as a touchstone for the agency’s unfairness authority, provides that “[e]motional impact and other more subjective types of harm . . . will not ordinarily make a practice unfair,” Opinion at 10 (citing Commission Statement of Policy on the Scope of the Consumer Unfairness Jurisdiction, 104 F.T.C. at 1073 (1980)), it recognizes that “in extreme cases, subjective types of harm might well be considered as the basis for a finding of unfairness.”  Opinion at 10. 

With respect to the privacy harms at issue, the Commission “conclude[d] that the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n),” noting expert testimony that the “disclosure of the mere fact that medical tests were performed . . . can involve ‘embarrassment or other negative outcomes, including reputational harm.'”  Opinion at 17 (citation omitted).  The Commission found such injury even though the only evidence in the record regarding actual access to the disclosed consumer data was that Tiversa, the security firm that had given the FTC the information that served as a catalyst for the investigation of LabMD, had downloaded the consumer data in question from a P2P file-sharing network, which it had shared with an academic researcher, and no one was shown to have misused the data.  See Opinion at 17, 19. 

A “Significant Risk” of Consumer Injury Demonstrates an Act or Practice Is “Likely to Cause” Substantial Injury.  Contrary to the ALJ, the Commission also held that “likely to cause” does not require proof that substantial consumer injury is “probable.”  Opinion at 20-21.  Rather, “showing a ‘significant risk’ of injury satisfies the ‘likely to cause’ standard.”  Opinion at 21.  “[T]his evaluation does not require precise quantification,” but rather “an overall understanding of the level of risk and harm to which consumers are exposed.”  Opinion at 10.  Specifically, the Commission explained that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”  Opinion at 21.  Here, the Commission reasoned that the availability of sensitive data for 11 months on a P2P file-sharing network was “likely to cause” substantial injury because (1) millions of people had access to the P2P network to which the consumer data had been uploaded, and (2) malicious actors had the incentive and the means to seek out files with sensitive information that were inadvertently shared with the network.  The Commission reached that conclusion notwithstanding the lack of evidence in the record regarding actual access to the data (other than evidence that Tiversa downloaded the file and then shared it with an academic researcher) or that any consumers had suffered identity theft, medical identity theft or other tangible injury due to the availability of the data on a P2P network.

Final Order

Based on its finding that LabMD’s unreasonable security practices violated the FTC Act, the Commission issued a final order requiring LabMD to (1) notify both the individuals whose personal information was exposed when their information was made available on a P2P file-sharing network and their health insurance companies, (2) establish a comprehensive information security program and (3) obtain biennial assessments of its implementation of that program. 

Significance of the Decision

Moving Closer to a “Per Se” Theory of Liability.  By holding that the FTC is not required to show “probable” consumer injury to establish that data security practices are unfair, but can proceed if it proves a “significant risk” of injury, and further holding that standard met on the evidence in this case, the opinion raises the question of whether the Commission intends, in effect, to treat unreasonable lapses in data security safeguards as per se unlawful.

Article III Standing Requirements Inapplicable.  The Commission also suggests that it sees important distinctions between the standing prerequisites imposed on private party litigation and FTC Section 5 enforcement.  The Commission rejected the argument that Article III standing requirements (including as articulated in the Supreme Court’s recent Spokeo decision, which we described in a separate update) governing the authority of federal courts to hear private lawsuits apply to administrative adjudication, which proceeds under Article II rather than Article III.  The Commission further noted that applying the Article III “injury in fact” requirements would be particularly inappropriate given the FTC’s authority to “take preemptive action” to accomplish Section 5’s “prophylactic purpose.”  Opinion at 20 n.63 (citation omitted). 

Further Articulation of What Data Security Practices Are “Unreasonable.”  Because nearly all of the FTC’s data security enforcement actions have settled without litigation, this is one of the few times the Commission has described, in a level of detail that far exceeds what is typically contained in its complaints, the specific data security practices it deems “unfair.” 

The Commission acknowledged that LabMD employed security measures but found that LabMD’s failure to implement those measures properly, and its failure to rely on other safeguards, rendered LabMD’s conduct unfair.  The Commission specifically faulted LabMD for not using an “intrusion detection system;” for not performing “file integrity monitoring;” for not undertaking regular and routine “penetration testing;” and for using “antivirus programs, firewall logs, and manual computer inspections” that could “identify only a limited scope of vulnerabilities and were often used in a manner that further reduced their effectiveness.”  Opinion at 11, 13.  For example, LabMD failed to “consistently update virus definitions or run and review scans,” its firewalls were not “configured properly” and “there was no attempt to monitor outgoing traffic for items like social security numbers.”  Opinion at 13. 
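One of the controls the Commission faulted LabMD for lacking, file integrity monitoring, is easy to picture in code.  The following Python example is added here as an illustration only; it is not code from the Commission’s opinion, from LabMD or from any product named in the case.  It hashes every regular file under a directory, stores the result as a baseline and later reports files that were added, removed or modified.  The directory layout and file names in demo() are constructed sample input; the “p2p_client.exe” file stands in for the kind of unapproved download the opinion describes.

```python
"""Minimal file-integrity monitor: hash a tree, keep a baseline, diff it later.

Added example, not code from the page or the parties to the case.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make the baseline cover, or hide, files that are not really here.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines; returns sorted lists so the output is stable."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a baseline over a constructed tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original binary")   # constructed
        (root / "config.ini").write_text("allow_p2p=no\n")           # constructed

        # Persist the baseline as JSON, as a real deployment would, so the
        # later comparison is against stored data rather than a live object.
        stored = json.dumps(build_baseline(root))

        # Simulated changes: an unapproved client installed, a binary
        # replaced, a configuration file deleted.
        (root / "bin" / "p2p_client.exe").write_bytes(b"unapproved download")
        (root / "bin" / "app.exe").write_bytes(b"tampered binary")
        (root / "config.ini").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written somewhere the monitored hosts cannot modify and the comparison would run on a schedule; the point of the example is only that the control the Commission named is a small, well-understood mechanism, which is part of why its absence was treated as unreasonable.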

In addition, the Commission chastised LabMD for failing to train its employees about security risks, for failing to “employ adequate measures to prevent employees from accessing personal information not needed to perform their jobs” and for not “adequately restrict[ing] or monitor[ing] what employees downloaded onto their work computers.”  Opinion at 11-15.  In all, the Commission held that these sins of omission and commission amounted to “unfair” data security. 

Importance of Response to a Data Security Incident.  The Commission made much of the fact that LabMD had not notified affected consumers or taken prompt steps to detect the exposure of data and stop it.  We do not know how the Commission would have decided the case if those facts were different, but prompt corrective action and notification by the company might have sufficiently ameliorated the impact and changed the overall evidentiary picture in a way that could have resulted in a better outcome.

Impact on Manufacturers of Connected Health and Medical Devices.  The Commission’s decision has particular significance for businesses in the burgeoning field of connected health and medical devices.  Under the Commission’s reasoning, if such businesses or their partners collect, use or disclose sufficiently sensitive information, the Commission may take the position that its mere unauthorized release is grounds for an unfairness claim.    

Aftermath of LabMD Decision

The Commission’s decision, while an important development in this closely watched case, is unlikely to be the last word.  LabMD has 60 days after service of the Commission’s decision to file a petition for review in a U.S. Court of Appeals.  LabMD’s CEO, Michael Daugherty, has already indicated that he will appeal the decision.  

© 2016 Perkins Coie LLP
