Failure to Protect Data is an Unfair Practice
LabMD was a clinical laboratory that performed tests for physicians who would download patients’ personal information to LabMD’s network, order tests, and access the test results. In many instances, LabMD retrieved the personal information of all patients in physicians’ databases, even if LabMD was not performing tests for those patients. The Federal Trade Commission (FTC) found that LabMD’s lax data security constituted an unfair practice.
LabMD’s management and sales employees had administrative rights over their computers. The employees could change security settings and download software applications and files from the Internet, such as P2P (peer-to-peer) file-sharing applications and music files that were unrelated to LabMD’s business.
In 2005, LabMD’s billing manager and other employees downloaded LimeWire, a P2P file-sharing program, so they could download and listen to music. LimeWire used the Gnutella P2P protocol, in which users share files on the Gnutella network by designating a directory on their computers as a shared directory. All files in shared directories are freely available for downloading and viewing by other network users.
In 2008 Richard Wallace, a forensic analyst for a data security company called Tiversa Holding Company, found and downloaded a LabMD file that contained the medical and personal information of over 9,000 people. The information had been stored in the billing manager’s “My Documents” folder. Despite clear onscreen LimeWire warnings that the documents were being shared, neither the billing manager nor anyone else at LabMD did anything to protect patient information.
Tiversa, trying to sell breach detection services to LabMD, informed LabMD about the data breach. LabMD declined Tiversa’s services, conducted its own investigation, and confirmed the breach. Tiversa subsequently reported the breach to the FTC.
In 2012 the Sacramento Police Department found LabMD information while searching the homes of people suspected of utility billing theft.
Although LabMD stopped conducting lab tests and began winding down its business in 2014, it did not destroy or delete any patient data that it collected.
The FTC filed a complaint against LabMD, claiming that its failure to prevent a data breach was an unfair practice under the FTC Act. A practice is unfair if it causes or is likely to cause substantial consumer injury, consumers can’t reasonably avoid injury themselves, and the injury isn’t outweighed by countervailing benefits to consumers or competition.
An administrative law judge (ALJ) found that LabMD’s security practices were not likely to cause injury. He also determined that the FTC failed to prove that an injury had occurred in the seven years since the breach, because (1) Tiversa shared the information only with the FTC and with a university professor as part of a research project and (2) no consumers complained about their information being exposed. The ALJ felt that at best, the FTC proved “the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm.”
A panel of FTC commissioners reversed the ALJ’s decision, finding that LabMD:
(*) failed to use an intrusion detection system or file integrity monitoring
(*) failed to monitor traffic coming across its firewalls
(*) provided essentially no data security training to employees
(*) never deleted the consumer data it collected
The FTC first noted that because LabMD never notified consumers that their information had been disclosed, it was impossible to tell if the breach resulted in identity theft or physical harm. It then held that the disclosure of sensitive health or medical information causes real and substantial harm, even if it’s not economic or physical harm. It ordered LabMD to notify affected customers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information it possessed, and obtain independent assessments concerning its implementation of the program. [In the Matter of LabMD, Inc. (FTC 2016) Docket No. 9357]
Reasonable and Appropriate Data Security Practices
LabMD argued that the FTC should not have issued an unfair practice complaint, because the FTC hasn’t “prescribed regulations or legislative rules . . . establishing medical data security standards.” The FTC said that because section 5(n) of the FTC Act (codified at 15 U.S.C. section 45(n)) requires a company that maintains consumers’ personal information to assess the risks its actions could create and to implement reasonable measures to prevent or minimize foreseeable harm, the Act “provides reasonably clear and intelligible guidelines for companies to follow in designing their own data security programs.”
The FTC also said that it has made clear, in administrative decisions and orders, that failure to take reasonable data security measures may constitute an unfair practice. The FTC also discussed generally accepted IT practices and compared them unfavorably to LabMD’s data security practices.
Protection of the computer network and use of adequate risk assessment tools: The FTC began by stating that “[w]idely known and accepted standards governing minimum reasonable data security practices have long established that risk assessment is an essential starting point.” For instance, regulations under the Health Insurance Portability and Accountability Act (HIPAA) require covered entities that transmit health information, like LabMD, to conduct accurate and thorough assessments of the potential risks and vulnerabilities concerning electronic protected health information. “While the requirements imposed by HIPAA do not govern whether LabMD met its obligations” under the FTC Act, said the Court, “they do provide a useful benchmark for reasonable behavior.”
In addition, the National Institute of Standards and Technology (NIST) publishes guidelines for conducting risk assessments. And IT practitioners commonly use intrusion detection systems and file integrity monitoring products to assess risks on their networks. They also do “penetration tests” to spot vulnerabilities by checking server ports and determining whether industry-known software bugs are patched.
But, said the Court, LabMD “did none of this.” It had no intrusion detection system or file integrity monitoring, and it employed penetration testing only after Tiversa notified it of the breach. The risk mitigation tools that LabMD used were antivirus programs, firewall logs, and manual computer inspections, which could identify only a limited scope of vulnerabilities. The tools’ effectiveness was further reduced by the way LabMD used them: LabMD didn’t consistently update virus definitions or run or review scans, and LabMD’s manual inspections were used not to detect security risks but only as a response to complaints about computer performance. LabMD also failed to monitor its network for unauthorized intrusions or exfiltration. Its firewalls were ineffective because they were not configured properly and no one reviewed firewall logs or network activity logs except in connection with troubleshooting a problem like Internet speed or connectivity.
Consequently, LimeWire ran undetected on the billing manager’s computer between 2005 and 2008. LabMD didn’t conduct file integrity monitoring or more complete walk-around inspections that could have detected the problem.
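The file integrity monitoring the FTC says LabMD lacked, as an added example that is not part of the original article: a baseline-and-compare check over a directory that flags a newly appearing P2P client binary and any file that lands in a directory the client shares. The directory names, file names and the unauthorized-software list are constructed for illustration; only LimeWire itself comes from the case.

```python
import hashlib
import os
import tempfile

# File-name fragments the (constructed) policy treats as unauthorized software.
# LimeWire is the client named in the case; extend as your policy requires.
UNAUTHORIZED_MARKERS = ("limewire",)

def build_baseline(root):
    """Walk root and return {relative path (forward slashes): sha256 hex digest}."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace("\\", "/")] = digest
    return baseline

def diff_baseline(old, new):
    """Compare two baselines; returns sorted added/removed/modified paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def flag_findings(changes, shared_dirs=("Shared",)):
    """Turn a diff into alerts: unauthorized binaries and files placed in shared dirs."""
    shared = {d.lower() for d in shared_dirs}
    alerts = []
    for path in changes["added"] + changes["modified"]:
        if any(m in path.lower() for m in UNAUTHORIZED_MARKERS):
            alerts.append(("unauthorized_software", path))
        if any(part.lower() in shared for part in path.split("/")[:-1]):
            alerts.append(("file_in_shared_dir", path))
    return alerts

def demo():
    """Constructed scenario: a P2P client appears and a record lands in its shared folder."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        with open(os.path.join(root, "Documents", "billing.txt"), "w") as f:
            f.write("constructed billing record\n")
        before = build_baseline(root)
        os.makedirs(os.path.join(root, "Shared"))
        with open(os.path.join(root, "LimeWire.exe"), "wb") as f:
            f.write(b"constructed placeholder, not a real binary")
        with open(os.path.join(root, "Shared", "insurance_aging.pdf"), "w") as f:
            f.write("constructed\n")
        return flag_findings(diff_baseline(before, build_baseline(root)))
```

In practice the baseline is stored off-host and the comparison runs on a schedule, so a client installed in 2005 would surface on the next run rather than three years later.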
Data security training: “Even where basic hardware and software data security mechanisms are in place,” said the Court, “there is an increased likelihood of exposing consumers’ personal information if employees are not adequately trained.” LabMD’s Compliance Manual required its compliance officer to establish in-house training sessions on privacy and security, but LabMD failed to provide such training, even to its IT personnel. The billing manager who had loaded LimeWire onto her computer testified that LabMD relied on the training that employees had received in previous jobs.
Restrictions and monitoring of employees’ computer practices: The Court stated that the National Research Council has been emphasizing since 1997 that procedures should be in place to ensure that users have access to only the information for which they have a legitimate need. Not only did LabMD fail to prevent employees from accessing information that they didn’t need, but it turned off the feature of its laboratory information software that would have allowed for distinct access settings for different users. Even sales people and college students who were part-time employees could access patients’ medical and personal information. Because LabMD never deleted information, the amount of information on its network was extensive. Finally, LabMD didn’t follow its own Software Monitoring Policy, which stated that users’ add/remove programs files would be reviewed.
LabMD is likely to appeal the FTC’s finding of an unfair practice, especially in light of the US Supreme Court’s May 2016 decision in Spokeo, Inc. v. Robins, in which the Supreme Court held that a lawsuit requires an injury that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”
But regardless of whether this particular unfair practice decision is overturned, the FTC has provided detailed guidance of what it considers to be reasonable data security practices. In this case, LabMD had policies in place that might have avoided the breach, but the policies weren’t followed. In addition, all employees should have a basic knowledge of data security and privacy. Untrained employees might compromise the security of data by reusing passwords or by becoming victims of tactics like phishing or ransomware. LawRoom’s online data security training can help organizations protect their data and their customers.