Since 2002, the FTC has brought over 50 data security enforcement actions under Section 5 of the FTC Act. Most companies quickly enter consent decrees with only two companies making the choice to fight the FTC.
- The first was Wyndham Worldwide Corporation which challenged the FTC’s authority over data security only to have the Third Circuit affirm’s the FTC’s authority.
- The other company was LabMD, which operated as a clinical laboratory conducting tests on patient specimen samples and reporting the test results to its physician customers until going out of business in 2014.
The FTC contends:
LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected. These failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.
LabMD challenged the FTC complaint and an administrative law judge (ALJ) agreed, dismissing the complaint since the FTC failed to prove that LabMD’s computer data security practices “caused” or were “likely to cause” “substantial consumer injury”.
The FTC, however, reversed this ruling explaining
[T]he Commission has long recognized that the unauthorized release of sensitive medical information harms consumers. The Commission brought its very first data security case against Eli Lilly to address lax security practices that resulted in the inadvertent disclosure of the email addresses of Prozac users.58 FTC v. Eli Lilly & Co., 133 F.T.C. 763, 767-68 (2002) (complaint and consent order).
There is also broad recognition in federal and state law of the inherent harm in the disclosure of sensitive health and medical information. . . . We therefore conclude that the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the 1718 file itself caused substantial injury.
The full opinion is below. The ruling is a message that the FTC will take a very strict view towards data breaches involving sensitive consumer information.