Emerging Standard of Care in Data Security: The FTC's LabMD Decision

Company data security practices will now be measured against a legally enforceable standard of care. The National Institute for Standards and Technology (NIST) began creating the groundwork for this standard in 2002,[1] the Third Circuit announced its arrival last year in Wyndham Hotels,[2] and the Federal Trade Commission (FTC or Commission) told you last month in its LabMD decision exactly what your company can and cannot do if it wants to avoid lengthy and expensive regulatory proceedings and related litigation.[3]

LabMD was a clinical laboratory testing service, the kind your physician probably uses. It held the records of 750,000 patients – under shoddy conditions. LabMD is now out of business.

The FTC’s Checklist

The Commission's findings provide a checklist for company counsel and IT managers. LabMD:

  1. Had no intrusion detection system or file integrity monitoring.
  2. Failed to monitor traffic coming through its firewalls.
  3. Failed to monitor its network for unauthorized exfiltration.
  4. Failed to provide meaningful data security training to its employees.
  5. Collected sensitive consumer data it did not need.
  6. Failed to delete consumer data for which it had no further use.
  7. Failed to control the hardware and software its employees could run on its system.
  8. Failed to require strong passwords.

Under the "deceptive" standard of Section 5, FTC proceedings have become routine (and FTC orders often oppressive) against companies that fail to adhere to their own privacy statements. Under Wyndham and LabMD, we can expect a similar development under the "unfairness" standard of Section 5: routine proceedings that raise the cybersecurity bar in the private sector, but often involving oppressive compliance orders of unreasonable duration that can cripple small firms. The FTC's checklist is also likely to become a general negligence standard in the courts. So be warned.

The Commission was particularly scathing about LabMD's failure to control employees' use of peer-to-peer (P2P) software such as music sharing services. Unless configured perfectly, these services permit millions of strangers to access a wide variety of material other than the music the employee intends to share. This vulnerability has been widely known for years, yet many companies do not forbid P2P software on their networks. In LabMD's case, the failure resulted in the exposure of the medical and other sensitive records of thousands of patients. And when management was told about the vulnerability, it did essentially nothing about it.

It would be a mistake to assume the FTC's decision in LabMD was limited to companies subject to the Health Insurance Portability and Accountability Act (HIPAA), which imposes special standards on parties holding patient data. HIPAA is barely mentioned in the opinion, and Wyndham Hotels, which laid the groundwork for this decision, did not involve health care.

You can assume, however, that your risk of facing an FTC proceeding is vastly greater if you hold sensitive personal information than if you do not. If the only sensitive information in your system is the formulas, business plans, and trade secrets that make your company valuable, the FTC probably won't care. In that case, nobody but your competitors, particularly in China and Russia, will be interested in getting into your system. However, your shareholders, who will be well represented by class action counsel, may feel they have an interest in keeping them out, in which case LabMD outlines the first wave of discovery demands you will get.

Two Take-Aways

The immediate take-away from LabMD is obvious. You now have a legal standard against which to measure your company's behavior. But the case should also impel management to ask a deeper question: What business do you want to be in? If you are a widget manufacturer or in a service business, running a complex and expensive IT system is not your line of work, and you are probably not equipped with the talent and know-how to do it right. Now that the legal consequences of running a porous and insecure system are becoming clearer, many companies will confront anew the question of what functions they would be prudent to outsource.

[1] See In the matter of LabMD, Inc., FTC docket no. 9357 (July 29, 2016), at 12, n. 23, at https://www.ftc.gov/system/files/documents/cases/160729labmd-opinion.pdf.

[2] FTC v. Wyndham Worldwide, Inc. 799 F.3d 236 (3d Cir. 2015). This case upheld the FTC’s power to regulate poor data security under the “unfairness” standard of Section 5 of the FTC Act. Previously its data security cases had been brought only under the “deceptive” standard of Section 5.

[3] LabMD, supra, upholding the FTC’s statutory and constitutional authority to proceed under the “unfairness” standard of Section 5.