The FTC has entered its Opinion and Final Order in its ongoing campaign to take enforcement action against LabMD. The Commission alleges that in 2008 the former clinical laboratory unreasonably exposed the sensitive medical information of 9,300 consumers over a peer-to-peer file sharing network. Our last report on this protracted legal and jurisdictional struggle came in November 2015, when an Administrative Law Judge (ALJ) dismissed the FTC’s complaint for failing to demonstrate that LabMD’s data security practices were unfair. The Commission’s Opinion, authored by Chairwoman Edith Ramirez and passed by a 3-0 vote, determined that the ALJ had applied the wrong legal standard and reinstituted an Order requiring that LabMD implement a comprehensive information security program and provide notice to affected consumers.
The ALJ held that the Commission failed to establish that LabMD’s data security practices had caused or “were likely to cause substantial injury” constituting an “unfair practice” under Section 5 of the FTC Act. The November decision determined that privacy harms devoid of any “tangible injury such as monetary harm or health and safety risks” do not constitute a “substantial injury” for the purposes of the Act. The Commission disagreed, finding that the “disclosure of sensitive health or medical information” is a privacy violation that, while non-economic and non-physical in nature, can constitute “real and substantial” harm sufficient to form the basis of an unfair practice complaint.
Ramirez’s Opinion also rejected the ALJ’s conclusion that finding a business practice to be “likely to cause” a substantial injury requires a showing that the injury is a “probable” result of the practice. Citing the Third Circuit’s interpretation of the FTC Act in the Wyndham case, the Commission determined that the analysis of whether or not a practice is “likely to cause substantial injury” should incorporate both the likelihood that the injury will occur and the “severity or magnitude” of the harm involved.
Using this unfairness standard, the Commission highlighted numerous specific faults in LabMD’s data security. The Commission contends that through various oversights, missteps, and deficient protocols, LabMD unfairly:
- Failed to protect its computer network or employ adequate risk assessment tools.
- Failed to provide data security training to its employees.
- Failed to adequately restrict and monitor the computer practices of individuals using its network.
Many of the specific practices identified by the Opinion (such as failing to require complex and unique employee passwords and failing to institute a procedure for securely disposing of sensitive data) are directly contrary to the data security recommendations provided by the Commission in its “Start With Security” guide.
This case is further complicated by the fact that LabMD began to wind down its business operations in 2014 and has stopped receiving specimens and conducting tests. LabMD argued that the Commission’s Order is unnecessary and punitive in nature given its current diminished business operations. The Commission responded that the Order is still necessary because LabMD maintains the personal information of approximately 750,000 consumers on its computer system and could resume business operations at any time. The Commission also noted that the Order “takes account of LabMD’s current limited operations” and only requires LabMD to develop a comprehensive information security program that is “appropriate for the nature and scope” of LabMD’s current activities. Nevertheless, business owners should be alert that their data security obligations may extend beyond the life of their business.