FTC FILES SUIT AGAINST MEDICAL LABORATORY: A ROADMAP TO AVOID FAILING TO PROTECT CONSUMER PRIVACY
By Paul C. Van Slyke and Tammy Woffenden
Paul C. Van Slyke, a partner in the Houston office of Locke Lord LLP, advises clients in the areas of intellectual property, advertising, promotions, media, technology, anti-counterfeiting, privacy, data security, and publishing law. He teaches Advertising & Marketing Law at the University of Houston Law School.
Tammy Ward Woffenden, an associate in the Austin, Tex., office of Locke Lord LLP, focuses on transactional, regulatory, and administrative health law issues. Her areas of experience include HIPAA privacy compliance, review of contractual arrangements involving health care providers, health care provider licensure and certification matters, and mergers of health care entities.
The Federal Trade Commission recently filed an administrative complaint (link is to redacted form of the complaint), Docket No. 9357, against a medical testing laboratory, LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers’ personal information, and that such failures subjected consumers’ personal information (in some instances including names, Social Security numbers, dates of birth, and healthcare-related information) to two separate security incidents. In the first incident, a spreadsheet was found online on a peer-to-peer (“P2P”) network. In the second incident, the Sacramento Police Department found LabMD documents containing sensitive personal information of at least 500 consumers in the hands of identity thieves. Although some of the information involved was healthcare related, there are lessons to be learned by companies that handle personal information in any industry.
In a press release, the FTC said this case is part of an ongoing effort by the Commission to ensure that companies take reasonable and appropriate measures to protect consumers’ personal data. “The unauthorized exposure of consumers’ personal data puts them at risk,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”
The FTC Complaint alleges that LabMD failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer information — including health information — it collected and stored. Among other things, the Complaint alleges that the company:
• Did not implement or maintain a comprehensive security program to protect the sensitive consumer information;
• Did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to that information;
• Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
• Did not adequately train employees on basic information security practices; and
• Did not use readily available measures to prevent and detect unauthorized access to personal information.
Security Risk of Peer-to-Peer Network Software
As noted above, the complaint alleges that a testing laboratory spreadsheet containing insurance billing information was found on a P2P network. P2P network architecture is commonly used to share music, videos, and other materials with other users of compatible software, and may create a significant risk that files containing sensitive information will be inadvertently shared. It is well known that P2P software used in a company network creates significant security risks. Once a file containing personal information has been made available on a P2P network and downloaded by another user, that user can share it across the network even if the original source of the file is no longer connected.
Proposed Order Has Onerous Requirements
Like most FTC complaints dealing with consumer information, the FTC complaint contains a proposed agreed order that would prevent future violations of law, but also contains some unpleasant and onerous requirements, including:
• To implement a comprehensive written information security program;
• To require that the security program be evaluated every two years by an independent, certified security professional for the next twenty years; and
• To require the company to provide notice to consumers whose information the testing laboratory has reason to believe was, or could have been, accessible to unauthorized persons and to consumers’ health insurance companies as well.
FTC Complaint is Founded on its Unfairness Authority
The FTC complaint bases its jurisdictional authority on the unfairness clause of Section 5 of the FTC Act, rather than its deceptiveness authority; i.e., “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful” under Section 5 of the FTC Act. Since 1980, when the FTC adopted the Unfairness Policy Statement, many privacy actions brought by the FTC have been founded on its deceptiveness authority. During this period, complaints were largely based on a representation to the public of a certain standard of privacy and a failure to live up to that standard as an act of deceptiveness. The Unfairness Policy Statement articulates a three-part test to determine whether the consumer injury is sufficient to make the practice unfair. The injury
1. must be substantial;
2. must not be outweighed by countervailing benefits to consumers or competition that the practice produces; and
3. must be an injury that consumers themselves could not reasonably have avoided.
The FTC filed this case under its unfairness authority of Section 5 of the FTC Act. The complaint alleges the three elements required by the Unfairness Policy Statement, namely:
1. “At all relevant times, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.”
2. “Respondent could have corrected its security failures at relatively low cost using readily available security measures.”
3. “Consumers have no way of independently knowing about respondent’s security failures and could not reasonably avoid possible harms from such failures, including identity theft, medical identity theft, and other harms, such as disclosure of sensitive, private medical information.”
FTC Complaint Does Not Cover Added HIPAA Obligations and Penalties
Although the FTC complaint does not address potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”), health care providers qualifying as “covered entities” under HIPAA are required to safeguard Protected Health Information (“PHI”) and Electronic PHI in a manner that prevents unauthorized use or disclosure. Failure to do so may be a violation of HIPAA and is potentially subject to significant civil penalties.
Since 2009, covered entities that experience a breach of unsecured PHI are required to report the incident to the U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), contact affected individuals and, depending on the size of the breach, notify local media. OCR has been particularly active with enforcement measures relating to breaches of unsecured PHI caused by lack of adequate security measures, including failure to encrypt data, wipe equipment such as photocopiers and laptops that store protected information, and use adequate technical safeguards to protect data that becomes available online. Covered entities, and their contractors who use and access PHI on the covered entity’s behalf, are required to conduct ongoing security risk assessments to identify and resolve such system vulnerabilities.
FTC Issues Civil Investigative Demands to LabMD
The FTC has served Civil Investigative Demands (“CIDs”) with a subpoena for documents and interrogatories seeking information on LabMD and its President Michael J. Daugherty. They responded by filing two petitions to limit or quash the CIDs before the FTC. On April 20, 2012, the FTC responded in a letter denying the two petitions in a ruling by FTC Commissioner Julie Brill acting as a delegate on behalf of the Commission. Among other grounds, the FTC ruled that the complaint is not required to allege under Section 5 that actual harm has occurred to consumers, but must allege, and did allege, only that “a failure to implement reasonable security measures may be an unfair act or practice if the failure is likely to cause harm. No showing of actual harm is needed.”
FTC Commissioner J. Thomas Rosch issued a dissenting statement concurring with the decision to enforce the document subpoena. Commissioner Rosch, however, criticized Commissioner Brill’s ruling on the petitions for failing to limit the scope of the CIDs to require production of a spreadsheet containing sensitive personally identifiable information regarding approximately 9,000 patients that was originally discovered through the efforts of Dartmouth Professor M. Eric Johnson and Tiversa, Inc.
In its answer to the complaint, LabMD adamantly denies the allegations of the complaint and takes the position that §5 does not give the FTC authority to regulate the acts and practices the FTC complained about. The answer states that the FTC’s actions are arbitrary, capricious and an abuse of discretion. It also alleges that the FTC has not published any guidelines that clarify the types of data security practices it has the ability and authority to enforce and regulate in order to give fair notice.
The FTC has appointed Chief Administrative Law Judge D. Michael Chappell to take testimony and receive evidence at a hearing scheduled for April 28, 2014.
This case is a reminder that the FTC will take action if it believes a company has failed to provide adequate security measures to protect sensitive personal information. Other lessons to take away from this case are:
• Under its consumer protection jurisdiction, the FTC may extend the finding of failures to protect personal information to be an “unfair” practice under the FTC Act.
• Many companies are under FTC scrutiny if they collect, store or distribute consumer personal information such as names linked to Social Security numbers, dates of birth, and credit card account numbers, regardless of whether the company is primarily in the consumer goods business. That would include, for example, retailers, certain lenders, and, as in this case, a healthcare provider.
• The FTC will carefully scrutinize companies not only for having what constitutes appropriate security programs, but also for the effectiveness of those security programs.
• Companies should be aware of the risks posed by P2P network sharing protocols.
• The FTC may look at the existence and depth of employee training regarding consumer security information, as well as measures to detect incidents of unauthorized access.
• The orders typically sought by the FTC in these matters include onerous requirements that require companies to take affirmative, and potentially intrusive, actions for years, or even decades.