- Medical testing laboratory LabMD, Inc. failed to employ proper data security measures to protect the sensitive consumer information it collected, according to a recent Federal Trade Commission final order.
This reverses a previously announced administrative law judge decision that dismissed charges against LabMD. The judge explained in that ruling that FTC “failed to carry its burden of proving its theory that [LabMD’s] alleged failure to employ reasonable data security constitutes an unfair trade practice because [FTC] has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
That decision also applied the wrong legal standards for unfairness, according to Chairwoman Edith Ramirez.
“LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system,” Ramirez wrote. “Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
Also in contrast to the administrative law judge opinion, FTC said there was harm when LabMD disclosed medical information without authorization. The LabMD security practices also were “likely to cause substantial injury.”
The prior ruling maintained that it was not proven whether LabMD’s action would affect the “probability” that a health data breach would occur. The “possibility” of harm had been proven, but not the “probability.
“To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of “likely” substantial consumer injury,” Judge Michael Chappell wrote in the administrative decision.
FTC stated in its overturning of the decision that that the likelihood of potential harm had been high and was proven in the case. Witnesses “identified a range of harms such as medical identity theft that can often result from the unauthorized disclosure of the types of sensitive personal information” LabMD had on its network.
Two reported incidents led to the FTC case. First, LabMD was accused of exposing billing information for over 9,000 consumers when the data was found on a peer-to-peer (P2P) file-sharing network. Furthermore, documents containing information on 500 consumers were found in the hands of identity thieves.
Per the Commission’s final order, LabMD must “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”
LabMD CEO Michael Dougherty explained in a blog post that he was not surprised by the decision.
“The real story is in what the FTC is silent about,” Dougherty wrote. “They have enabled felons, set up a shell company to funnel medical files (a felony), found no consumer harm, and mocked the Supreme Court’s Spokeo decision regarding the concrete requirement for actual harm. Only corrupt officials would throw this level of bureaucratic temper tantrum over my exercising my First Amendment rights.”
While he said that he is relieved to no longer have to deal with FTC, Dougherty added that FTC “made a mockery of legal ethics, regulatory boundaries and HHS.”