On July 29, 2016, the Federal Trade Commission (FTC) reversed an administrative law judge’s decision dismissing the FTC’s charges against medical testing laboratory LabMD, Inc., finding that LabMD’s failure to protect the sensitive personal information—including medical information—of over 750,000 patients was unreasonable and constituted an unfair act or practice in violation of Section 5 of the Federal Trade Commission Act. The FTC brought suit against LabMD in 2013, alleging that LabMD collected the sensitive personal information of over 750,000 patients between 2001 and 2014, including many consumers for whom it never performed any testing. In so doing, the FTC alleged that LabMD failed to implement reasonable security measures. Some of the oversights included (1) failing to use an intrusion detection system; (2) failing to use file integrity monitoring; (3) neglecting to monitor traffic coming across its firewalls; (4) providing no data security training to its employees; and (5) never deleting any of the consumer data it had collected. These deficiencies resulted in the installation of file-sharing software that exposed the sensitive personal information of 9,300 consumers on a peer-to-peer network that was accessible to millions of users for 11 months.
In a unanimous opinion, the FTC found that even though there was no evidence that patient information was misused, “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” and that LabMD’s disclosure of a file containing this information for 9,300 caused substantial injury. In addition, the commission found that LabMD’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online peer-to-peer users, and because complaint counsel proved that the likelihood and magnitude of potential harm were both high. The key takeaway from the FTC’s ruling is that a practice may be “unfair” under Section 5 “if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”
In light of the FTC’s ruling, companies should consider the following when storing and managing sensitive personal information of consumers:
1. Utilize software tools and hardware devices for detecting vulnerabilities (e.g., antivirus programs, firewalls, vulnerability-scanning tools, intrusion detection devices, penetration-testing programs, and file-integrity and monitoring tools).
2. Adequately train employees to protect personal information.
3. Limit employees’ access to sensitive data to an as-needed basis.
4. Purge personal consumer information that is no longer needed.
5. Do not store information for consumers for whom no services are performed.