FTC Finds Data Security Practices Unreasonable, Even Without Evidence of Unauthorized Access


By: Matt Foree

Recently, the Federal Trade Commission (“FTC”) issued a significant decision in which it held that LabMD, a former clinical laboratory, engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network.  The FTC held that LabMD’s “failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.”  The FTC also found that LabMD left the data “freely available, for 11 months, leading to the unauthorized disclosure of the information.”  Significantly, the FTC reached its decision even though there was no evidence that consumer information was accessed by unauthorized persons.

The case centered on an analysis of whether LabMD’s practices were likely to cause substantial injury to consumers. The FTC stated that, “[i]n determining whether a practice is ‘likely to cause a substantial injury,’ we look to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur.”  In issuing its decision, the FTC also restated its position on reasonableness:  “The touchstone of the FTC’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”

Applying these principles, the FTC found that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”  Specifically, “it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”  The FTC concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” so the disclosure of the data, by itself, constituted substantial injury.

LabMD has filed a Motion to Stay the effective date of the FTC Order pending review by a United States Court of Appeals, which is currently pending before the FTC.

The FTC’s decision establishes a notable precedent for violations under Section 5 of the FTC Act.  The decision expands the FTC’s ability to find violations of Section 5 without evidence of access by unauthorized persons, which suggests that the number of enforcement actions brought by the FTC will increase.