Data security practices are increasingly becoming a theme among management and employees in the administration of business and their daily work process. The common element in data breaches is the element of human negligence, training or the underestimation of needed attention. The extent that incidents are occurring, information technology personnel and operations personnel are finding themselves needing to collaborate more frequently than ever. This change in organizational administration is occurring at levels of state and federal government and in the private sector involving banking, legal, accounting, and insurance industries. The effort, one may say, is to enhance the quality or rigor of data security employed by the particular entity. Data breaches are not all the same but they do have one commonality in that the goal of the subject is always confidential data (CD), personal health information (PHI), electronic personal health information (ePHI), or personal identifiable information (PII). Regardless of the nomenclature used to define what is at the stake, the rigor or quality of the efforts is beginning to be questioned by entities originally deemed to not have authority to engage in this type of scrutiny. We have blogged on the needed care entities should take to ensure that their representation about their data security practices is not exact. When an entity claims a certain level of data security method, the Federal Trade Commission (FTC) could very well deem it a deceptive business practice.
The care that should be employed to attend to data handling and transfers is not to be overstated to avoid a finding similar to Dwolla, Inc.’s experience regarding the representations. One matter that comes to mind in this post is the case involving LabMD, Inc. LabMD is a company that administered a medical laboratory which among its services also provided cancer screening detection services for physicians. The FTC had filed in 2013 a complaint against LabMD. In its complaint, it alleged that LabMD is subject to Section 5 of the FTC Act because it misrepresented its actual data security efforts. LabMD’s practice was questioned. The FTC argued that LabMD did not exert reasonable efforts to secure data of personal information and that its networks were not attended to as they should. The FTC commenced its investigation as a result of data security incidents at LabMD. There was a tossing and turning exchange in this matter between the three, i.e., the FTC, the 11th Circuit, and LabMD.
From the initial complaint that commenced in Georgia District Court, it was noted that LabMD patient information available on the Internet. The data or electronic personal health information (ePHI) was actually searchable in a peer-to-peer network. LabMD was facing claims that it failed to prevent unauthorized disclosure of ePHI. Its motion to dismiss was unsuccessful, despite its strong argument. LabMD argued that the FTC did not authority. The FTC had filed an administrative case in District Court in Georgia. The District Court had to determine if indeed the FTC had a say over the handling of ePHI.
The toss thereafter was when the district court denied LabMD’s motion to dismiss and LabMD proceeded to appeal to the Eleventh Circuit Court of Appeals. The turn was not only that the Eleventh Circuit ruled against LabMD’s appeal. The turn was that it was hoped that the Court would opine on the FTC’s enforcement authority. What we learned is that the Circuit Court determined that there was an administrative remedy step that was required. The Court ruled that LabMD had remedies to exhaust before it was able to engage on the issues presented. The resulting turn at that stage was an administrative law lesson.
What proceeded thereafter was as expected. An administrative proceeding ensued where an ALJ determined that harm was not demonstrated. The ALJ reasoned that short of finding harm, the Commission did not meet what FTC Act Sec. 5 required. The FTC subsequently reversed the ALJ’s determination. In its ruling, the FTC stated that LabMD did not exert the best efforts to secure the data. It found that it did not monitor how the files were handled and it did not employ a system to detect if there was an intrusion. These steps were deemed to be basic means of protecting confidential data. The FTC concluded that LabMD’s conduct posed an ‘unfair act’ for the public to trust and it was inconsistent with FTC Act Sec. 5. What is noteworthy, is that nowhere in Section 5 of the FTC Act does it provide the FTC authority to address the need to protect medical records or maintain their privacy.
Nevertheless, the FTC proceeded to conclude that the disclosure was tantamount to harm because of the neglect that LabMD did by not training employees adequately on handling medical records, and not monitoring its firewall. LabMD’s conduct resulting in disclosure of medical personal information is a substantial injury under Sec. 5 of the FTC Act. The FTC did not look into whether the information was used in the open market. The FTC just looked at the fact that there was an unauthorized disclosure of PHI. LabMD is now obliged to implement a “CISP” (comprehensive information security program) and become proactive to inform individuals and conduct frequent audits. The key point to note about this matter that resulted with the FTC suing LabMD is that harm may just be more about the unauthorized disclosure due to neglect than the harm actually experienced by the individuals and that the FTC is exerting a greater authority than originally conceived it had regarding data security.
 Administrative Procedure Act – 5 U.S. Code § 704 – Actions reviewable