The lengthy saga between the Federal Trade Commission (FTC) and LabMD, Inc. reached another turning point on July 28, 2016. The FTC issued its unanimous Opinion in which it found that LabMD’s data security practices were unreasonable, lacked “even basic precautions to protect the sensitive consumer information maintained on its computer system,” and constituted unfair practices under Section 5 of the FTC Act.  Along with its Opinion, the FTC also issued a Final Order which directs LabMD to take a variety of remedial measures and carries a 20-year reporting requirement.

In taking this action, the FTC overruled its own Chief Administrative Law Judge, who had previously dismissed the FTC’s Complaint against LabMD last November.  Following an administrative trial,  Judge D. Michael Chappell issued a detailed, 95-page initial decision in which he concluded that LabMD’s data security practices did not “cause,” or were not “likely to cause,” “substantial consumer injury” in violation of Section 5 of the FTC Act.

In reversing Judge Chappell’s ruling, the FTC found that he had “applied the wrong legal standard for unfairness.”  While the FTC detailed a variety of LabMD’s conduct (or lack thereof) as being unfair under Section 5, the FTC appeared to focus on a single breach (and the multitude of ways that LabMD could have prevented that breach): that a file containing “1,718 pages of sensitive personal information for approximately 9,300 consumers” was accessed via a peer-to-peer (P2P) file sharing application from one of LabMD’s billing managers.

After the FTC issued its 37-page opinion, LabMD’s CEO Michael Daugherty indicated that LabMD will appeal the FTC’s opinion to federal court.

The Underlying Data Security Issues

As described more fully in the FTC’s opinion, LabMD operated as a clinical laboratory which ran tests on medical samples, and then sent the test reports to its clients, which consisted primarily of physicians.  In the course of its testing, LabMD collected personal information (such as social security numbers and dates of birth), medical information (such as diagnosis codes and physician orders), and financial information (such as copies of personal checks and credit and debit card numbers) for over 750,000 patients.

In 2005, a billing manager at LabMD downloaded a P2P file-sharing program, LimeWire, which was used primarily for downloading and listening to music files. Years later, in February 2008, a forensic analyst working for a data security company called Tiversa Holding Company (Tiversa), used LimeWire to download a file from a LabMD IP address.  That file contained “1,718 pages of sensitive personal information for approximately 9,300 customers, including their names, dates of birth, social security numbers, ‘CPT’ codes designating specific medical tests and procedures for lab tests conduct by LabMD, and, in some instances, health insurance company names, addresses, and policy numbers” (the 1718 file).  The Tiversa forensic analyst also downloaded other LabMD documents through LimeWire, three of which contained sensitive personal information.

In May 2008, Tiversa contacted LabMD to inform it that the 1718 file was exposed via LimeWire. Tiversa subsequently solicited LabMD’s business for data security services on multiple occasions, and after LabMD refused, Tiversa reported LabMD to the FTC.

LabMD conducted its own internal investigation where it discovered that the 1718 file was accessed via the billing manager’s computer because she had allowed all the contents of her “My Documents” folder to be shared on LimeWire. Despite this discovery, the company did not notify any of the consumers identified in the 1718 file and waited until 2010 to retain an independent security firm to perform penetration tests of its systems.

In January 2014, LabMD began winding down its business, blaming the FTC’s investigation for the company’s demise.

The FTC’s Case Against LabMD

On August 28, 2013, the FTC brought a Complaint against LabMD under Section 5(n) of the FTC Act, alleging that since 2005, LabMD “failed to provide reasonable and appropriate security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury, including identity theft, medical identity theft, and other harms, such as disclosure of sensitive, private medical information.”

LabMD aggressively defended itself, asserting a variety of defenses and filing two complaints of its own—one in the U.S. District Court for the District of Columbia and one in the U.S. District Court for the Northern District of Georgia—to enjoin the FTC’s enforcement action. Both of LabMD’s federal court complaints were dismissed for lack of jurisdiction because the administrative process had not yet been completed.  In January 2015, the 11^th Circuit Court of Appeals affirmed the lower federal court’s decision to dismiss LabMD’s lawsuit at that time due to lack of subject matter jurisdiction.

LabMD subsequently participated in an FTC administrative trial before FTC Judge Chappell, which began on May 20, 2014, and concluded on July 15, 2015.   The trial record indicates that over 1,080 exhibits were admitted into evidence, 39 witnesses testified, either live or by deposition, and there were 1,504 pages of trial transcript.  Judge Chappell ultimately concluded that the FTC’s counsel failed to prove that LabMD’s computer data security practices “caused” or were “likely to cause” “substantial consumer injury” under Section 5(n) of the FTC Act.

Nonetheless, on July 28, 2016, the FTC exercised its review authority and reversed Judge Chappell’s decision. The FTC observed that Section 5 of the FTC Act authorized the FTC to challenge “unfair or deceptive acts or practices in or affecting commerce.”  15 U.S.C. § 45(a).  Section 5(n) of the FTC Act provided that an act or practice is unfair if (1) it “causes or is likely to cause substantial injury to consumers,” (2) the injury “is not reasonably avoidable by consumers themselves,” and (3) the injury is “not outweighed by countervailing benefits to consumers or competition.”  15 U.S.C. § 45(n).  The FTC concluded, after a lengthy analysis, that LabMD’s conduct (or lack thereof), and particularly the exposure of the 1718 file, met each of the requirements under Section 5(n).

The FTC’s Critical Findings Against LabMD

The FTC identified three specific ways in which LabMD’s actions violated Section 5 of the FTC Act:

1. LabMD Failed to Protect its Computer Network or Employ Adequate Risk Assessment Tools. The FTC found that LabMD lacked any intrusion detection system or file integrity monitoring, and LabMD only began penetration testing of its system after Tiversa notified LabMD of a data breach. While LabMD used antivirus programs, firewall logs, and performed manual computer inspections, LabMD “did not consistently update virus definitions or run and review scans.”  LabMD also failed to “monitor its network for unauthorized intrusions or exfiltration,” and its firewalls were ineffective because they were not properly configured.  LabMD also did not review firewall logs or monitor outgoing traffic over its network.  As a result, LabMD allowed LimeWire to run, undetected, on the billing manager’s computer for three years between 2005 and 2008, which led to the disclosure of sensitive personal information of thousands of consumers.
2. LabMD Failed to Provide Data Security Training to its Employees. The FTC found that LabMD failed to provide any training to its employees (including IT personnel) for data privacy and security issues. The FTC was particularly critical of LabMD’s failure to do so since LabMD’s written Compliance Manual specifically mandated that its compliance officer establish in-house training sessions.
3. LabMD Failed to Adequately Restrict and Monitor the Computer Practices of Individuals Using Its Network. The FTC found that LabMD failed to “adequately limit or monitor employees’ access to the sensitive personal information of patients or restrict employee downloads to safeguard the network.” Notably, LabMD had turned off the setting on its laboratory information software, LabSoft, which had allowed access to be restricted for different users.  LabMD also did not have a data deletion policy and did not destroy any patient or billing information.  Furthermore, LabMD allowed management and sales employees to have administrative rights over their workstations and laptops, respectively, which enabled them to alter security settings on their systems and download P2P applications such as LimeWire.  And even though LabMD’s Software Monitoring Policy provided that “program files will be reviewed for the appropriate applications for the specific user,” LabMD failed to follow this policy, which would have led to the detection of LimeWire on the billing manager’s computer.

In finding a violation of Section 5 of the FTC Act, the FTC ordered LabMD to, among other things, (1) establish and implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers”; (2) obtain “initial and biennial assessments and reports … from a qualified, objective, independent third-party professional” to review and report on the safeguards implemented by LabMD; and (3) provide notice to the consumers (and their health insurance companies) affected by the disclosure of their information, including those identified in the 1718 file.

Takeaways

The FTC’s opinion in LabMD demonstrates the need for companies to remain vigilant in their data security policies and implementation of reasonable and appropriate practices based on the “sensitivity and volume of consumer information [the company] holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”  The FTC opinion provided a wealth of guidance  — from the FTC’s view – on how LabMD could have avoided liability under Section 5 of the FTC Act.

First, the FTC noted the abundance of free and/or readily available information concerning data security. For example, the FTC explained that since 2002 the National Institute of Science and Technology has published guidelines which provide “a framework for risk management for information technology systems that included testing for the presence of vulnerabilities.”  The FTC also noted that it warned companies of the risk of P2P applications in an FTC Staff Report from 2005.  Our blog has previously discussed a variety of privacy and security guidelines, such as the FTC’s report on Big Data, the Department of Homeland Security and Department of Justice’s guidance in implementing the Cybersecurity Act of 2015, and the Automotive Information Sharing and Analysis Center’s first set of cybersecurity best practices.

Second, the FTC identified a variety of free or low cost software tools that LabMD (and others) could utilize to detect system vulnerabilities, such as SNORT, Wireshark, Nessus, and nmap.

Third, the FTC explained that LabMD could have provided adequate training to its employees, and that “[s]everal nationally recognized organizations provided low-cost or free IT security training courses,” such as the SysAdmin Audit Network Security (SANS) Institute or CERT at Carnegie Mellon University.

Fourth, the FTC observed that LabMD could have restricted employees’ access to only the personal information that particular employee needed in order to perform their job duties. Network operating systems and applications already contain controls to do so, so “rectifying this issue would have required only the time of training IT staff.”

Finally, a nuanced reading of the FTC’s opinion suggests that LabMD’s failure to adhere to several of its own written policies was strongly held against it.  On multiple occasions, a written policy provided for a certain action or practice, but LabMD failed to so act (or at least lacked documentation of it having done so).  Thus, in data security as in other areas, companies that create and distribute written policies would we well-advised to practice what they preach, lest their non-compliance be used against them in subsequent litigation or government investigations.