4 August 2016
The Federal Trade Commission (‘FTC’) issued, on 29 July 2016, its opinion and final order against LabMD, Inc. (‘the Decision’), which concluded that LabMD’s data security practices constituted an unfair act or practice within the meaning of Section 5 of the FTC Act 1914 (‘the Act’). The Decision reverses the earlier ruling of the Administrative Law Judge (‘the ALJ’), who had held that the FTC failed to prove that LabMD’s alleged failure to employ ‘reasonable and appropriate’ data security measures ‘caused, or [was] likely to cause, substantial injury to consumers.’
Joan Antokol, Partner at Park Legal LLC, told DataGuidance, “The Decision is another example of the FTC’s intent to exercise its authority very broadly, in terms of the types of organisations that fall within its scope, the personal data covered, and the safeguards that must be in place to protect the data. While the FTC’s unfair and deceptive trade practice requirements in the Act are intentionally broad so as to cover a wide variety of situations, the FTC’s message, and expectations, is abundantly clear from all of the surrounding information issued by the agency.”
Section 5 of the Act authorises the FTC to challenge ‘unfair or deceptive’ acts or practices in or affecting commerce. The FTC found in its Decision that LabMD’s data security practices were unfair because LabMD failed to protect its computer network or to employ adequate risk assessment tools, noting that the cost of rectifying those flawed practices would have been relatively low. In addition, the FTC asserted that economic and physical harm are not the only cognisable forms of injury, and that injury need not be precisely quantified.
Katherine Gasztonyi, Associate at Hogan Lovells, commented, “The FTC’s clear message to companies is that they must look broadly across the data security landscape and be cognisant of the variety of applicable standards and frameworks that the FTC might look to when assessing whether an entity maintains a ‘reasonable’ data security programme.”
In particular, the FTC relied on both the National Institute of Standards and Technology (‘NIST’) and the Health Insurance Portability and Accountability Act 1996 (‘HIPAA’) frameworks as a ‘benchmark’ for the data security conduct reasonably expected of entities. Moreover, to reinforce its authority and to establish that the ‘substantial injury’ requirement of Section 5 of the Act is satisfied, the FTC highlighted that federal and state law recognise the disclosure of sensitive health and medical information as inherently harmful.
Antokol noted, “Although the US is often criticised for having a sector-specific approach to privacy and security enforcement rather than passing a national data protection law, this case underscores the fact that federal and state agencies with oversight for privacy and security enforcement take their obligations seriously. While most healthcare organisations fear enforcement from the U.S. Office of Civil Rights, they need to recognise that the HIPAA – Health Information Technology for Economic and Clinical Health Act 2009 Privacy and Security Rules are not the only laws that they need to uphold, and that their actions and omissions may well trigger enforcement under a multitude of other laws, including the FTC’s deceptive and unfair trade practices requirements as well as a multitude of state laws.”
In addition, the FTC addressed LabMD’s defence arguments, including the assertion that the FTC had failed to provide adequate notice of, or meaningful standards for, the data security practices required by Section 5, and had thereby violated the due process guarantee of the Fifth Amendment to the US Constitution and the Administrative Procedure Act 1946. In response, the FTC pointed to its own case law, administrative decisions and consent orders, as well as to existing guidance from other federal sources, namely the HIPAA and NIST frameworks.
Gasztonyi highlighted, “Companies have long been calling for the FTC to develop more specific guidance, but the FTC’s consistent response has been that such guidance would be obsolete as soon as the ink dried. What constitutes reasonable and appropriate data security measures necessarily shifts with the advancement and evolution of security technologies and cyber threats. For a sense of what measures to implement in this evolving landscape, organisations should look not only to the FTC’s prior complaints and consent decrees but also to other sources such as self-regulatory frameworks, principles, and standards organisations.”
The FTC’s final order requires LabMD to notify affected consumers, to establish a comprehensive information security programme, and to obtain independent assessments of that programme’s implementation.
Antokol concluded, “The best advice for organisations is to take a practical approach that addresses key risks, and demonstrates good faith in relation to compliance. This case is precisely what the FTC and other privacy and security oversight agencies in the US and other countries are looking for: a considerable amount of sensitive data that could (or did) end up in the wrong hands based upon insufficient security safeguards, possible or actual harm to the affected individuals resulting from the deficiency, and a corporate culture that says ‘we think we didn’t do anything wrong here.’”
Francisca Arguinarena | Americas Privacy Analyst