On Friday, July 29, 2016, the Federal Trade Commission (“FTC” or the “Commission”) overturned the decision of one of its administrative law judges (“ALJ”) from November 2015 in a suit against LabMD, Inc., now finding LabMD liable for lax data security practices and adopting an expansive view of the FTC’s enforcement authority for such cybersecurity issues.
The FTC found that for a period of at least several years, LabMD did not have basic data security practices in place. As a result of these broad failures, there were multiple incidents that exposed the personal information of about 10,000 consumers of the since-shuttered medical laboratory. In one incident in 2008, a file containing the names, dates of birth, apparent Social Security numbers, codes for conducted medical tests, and insurance information for approximately 9,300 individuals was allegedly made available to the public on a peer-to-peer file-sharing service. A LabMD billing manager had previously installed the LimeWire program to download and share music and had designated her “My Documents” folder for sharing. In another incident in 2012, the Sacramento police allegedly found hard-copy documents with names and Social Security numbers of approximately 600 LabMD customers in the possession of identity thieves.
LabMD maintained that the FTC had not proven its unfairness claim under Section 5(n) of the FTC Act, which requires the Commission to show that a practice “causes or is likely to cause substantial injury to consumers” that is neither reasonably avoidable by consumers themselves nor outweighed by countervailing benefits to consumers or competition. The FTC argued that LabMD’s practices, which allowed these security lapses, created a significant risk of future data breaches.
In a unanimous opinion authored by FTC Chairwoman Edith Ramirez, the Commissioners held that LabMD’s data security lapses were unreasonable and amounted to an unfair act or practice under Section 5 of the FTC Act, because they caused the unauthorized disclosure of patients’ medical data, amounting to a “substantial injury” to consumers.
The initial ALJ ruling had dismissed the complaint, finding that the FTC had failed to meet its burden of proof under the unfairness prong of Section 5 because there was no concrete evidence that the consumers whose personal data had been exposed had actually suffered harm.
In overturning the ALJ ruling, the FTC made clear its regulatory expectations and the breadth of its enforcement powers concerning data security. Following this decision, the mere exposure of sensitive information, even without evidence of misuse, will likely constitute substantial consumer injury and create liability under Section 5. As Chairwoman Ramirez wrote in the opinion, the FTC “need not wait for consumers to suffer known harm at the hands of identity thieves” to take action.