The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.
In I/M/O LabMD, Inc., the Commission reversed an Administrative Law Judge’s Order, and concluded that LabMD had violated the FTC Act because its data security practices had caused, and were also likely to cause, substantial consumer injury, including identity theft, medical identity theft, and other harms.
The decision stemmed from allegations that LabMD, which operated as a clinical laboratory testing center, failed to protect patients’ sensitive personal information, including names, addresses, dates of birth, Social Security numbers, insurance information, diagnosis codes, and physician orders for tests and services. Specifically, the Commission found that LabMD failed to use file integrity monitoring, neglected to monitor traffic coming across its firewalls, failed to have an intrusion detection system, provided essentially no data security training to its employees, and never deleted any of the consumer data it had collected. These data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years. The file-sharing software was configured (unwittingly) to allow exposure of patient information on a peer-to-peer network accessible daily by millions of users. However, the only documented disclosure of patient information that occurred was a single “breach” by a data security firm looking to generate new business, which had used the peer-to-peer network to access a file containing sensitive data for approximately 9,300 individuals.