On August 28, the Federal Trade Commission (“FTC”) filed an administrative complaint against medical testing company LabMD, Inc., alleging that the company’s information security practices constituted unfair acts or practices in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a). LabMD has announced its intention to litigate the matter, just as Wyndham Hotels has done in another closely watched case.
The FTC’s complaint alleges that LabMD’s billing department manager installed the LimeWire peer-to-peer file-sharing program on a LabMD billing computer. The billing manager’s use of LimeWire caused hundreds of files on the billing computer’s hard drive to be publicly shared over the peer-to-peer network, including an insurance file containing “personal information about approximately 9,300 consumers, including names, dates of birth, SSNs, CPT codes, and, in many instances, health insurance company names, addresses, and policy numbers.”
According to LabMD, the issue was first brought to its attention by a security vendor. LabMD claims that when it refused to pay the vendor to help address the problem and instead sought to fix things on its own, the vendor notified the FTC.
The FTC alleges that personal information about several hundred LabMD customers was found in the possession of identity thieves in Sacramento, CA in 2012. Among the LabMD practices that the FTC alleges were unfair are: failure to develop or maintain a comprehensive information security program to protect consumers’ personal information; failure to assess system vulnerabilities, e.g., through penetration testing; inadequate measures to prevent employees from accessing personal information not needed to perform their jobs; inadequate employee training; lack of authentication measures; and failure to maintain and update the operating systems of computers and other devices on its networks.
The FTC is seeking an order that would require LabMD to notify potentially affected customers, develop and implement a comprehensive data security program, and undergo independent security assessments every two years for twenty years.
By refusing to settle its case, LabMD is following the route of Wyndham, which also faces FTC enforcement based on its data security practices. Wyndham is challenging, among other things, the FTC’s statutory authority to regulate commercial data security practices under Section 5 of the FTC Act, and the level of due process afforded by the FTC’s strategy of setting standards through enforcement actions rather than by promulgating formal regulations. Wyndham’s motion to dismiss was filed in April 2013 and has not yet been ruled on by the district court. The Wyndham decision will likely have ramifications throughout the security ecosystem. Because the LabMD case must first be litigated before an FTC Administrative Law Judge and then affirmed by the Commissioners before it can be challenged in federal court, the Wyndham decision will also likely be the most salient precedent by the time LabMD has its day in court.
There is no question that the FTC has become more aggressive in pursuing security-related cases recently. The likely consequence of this increased aggressiveness is continuing pushback from companies that believe the FTC is defining security standards case by case, without giving companies advance notice of the standard against which they will be measured. We here at ZwillGen predict that security-related litigation will increase as a result, both administratively at the FTC and in district court.