WBK Industry - Federal Regulatory Developments

FTC Finds Cybersecurity Practices to be UDAP

On July 29, the Federal Trade Commission (FTC) announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges against the medical testing laboratory LabMD, Inc. The Commission concluded that LabMD's data security practices constituted an unfair act or practice (UDAP) in violation of Section 5 of the Federal Trade Commission Act. The Commissioners voted unanimously to issue the opinion and order.

The case concerned LabMD, Inc.'s alleged failure to protect the sensitive personal and medical information of thousands of patients, which resulted in the "installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users." LabMD allegedly left that information exposed on the peer-to-peer network for 11 months, leading to unauthorized disclosure. The Commission found that this "privacy harm" rose to the level of substantial injury under Section 5(n).

The Commission’s opinion concludes that the ALJ applied the wrong legal standard for unfairness and finds that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” The Commission primarily faults LabMD, Inc. for its failures to:

  • Use an intrusion detection system or file integrity monitoring;
  • Monitor traffic coming across its firewalls;
  • Provide data security training to its employees; and
  • Delete consumer data it no longer needed.

Additionally, the Commission found that the lab’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online peer-to-peer users.

To remedy the FTC Act violations, the Commission ordered LabMD to reasonably protect the security and confidentiality of personal consumer information by establishing a "comprehensive information security program." The lab must also obtain periodic "independent, third-party assessments regarding the implementation of the information security program," and it must notify consumers affected by the exposure about the unauthorized disclosure and about how they can protect themselves from "identity theft or related harms."

LabMD has 60 days after service of the Commission’s Opinion and Final Order to file a petition for review with a U.S. Court of Appeals.