The Federal Trade Commission (FTC) has made good data security practices a focus of its mission in recent years. It has issued guidance, held workshops, and brought enforcement actions against businesses that fail to implement common-sense measures to protect their data. The Third Circuit’s opinion in Wyndham v. FTC acknowledged the Commission’s authority to hold companies accountable for claiming to have better data security than they do. Now, the Federal Trade Commission’s opinion and order In the Matter of LabMD, Inc. makes clear that good security practices are a must, regardless of the claims a business makes to consumers.
The unanimous opinion by the Commission includes a long list of LabMD’s data security failures, but it focuses on employees’ administrative access to their computers. This access allowed an employee to install peer-to-peer file-sharing software and configure it so that patients’ sensitive medical data became available outside the company. A security firm found the vulnerability, acquired some of the sensitive data, and then informed LabMD of the vulnerability in conjunction with an offer to provide security services. Here are three lessons that all businesses can glean from the FTC opinion.
Poor data security may be an unfair business practice. Wyndham established that the FTC has the authority to prosecute businesses that do not have the good data security practices they claim to have. Because LabMD’s actions were held to be unfair business practices rather than deceptive business practices, the FTC signaled that a business must have reasonable measures in place to protect the data it collects and stores, regardless of its claims to consumers.
Don’t ignore sector-specific security statutes just because they don’t directly apply. Some of the violations alleged in LabMD took place 8 years before the complaint issued in 2013. At the time, HIPAA had not yet been amended to apply directly to businesses like LabMD. But the Commission still used HIPAA to show that taking steps to secure sensitive health information was a standard practice that LabMD should have followed. Sector-specific statutes offer guidance as to what regulators deem an unfair practice, even if the statute does not technically apply.
Disclosure can be an injury to consumers, even without identity theft. The only unauthorized disclosures of sensitive health data were to a data security firm and an academic researcher, neither of which was likely to use the information for identity theft or to embarrass the data subjects. Nevertheless, the FTC held that the mere disclosure of sensitive medical information, not its misuse, was a substantial injury for the purposes of finding an unfair business practice. This contrasts with private causes of action, where courts have questioned whether an increased likelihood of misuse of stolen information is a cognizable harm.