Section 5 of the Federal Trade Commission Act — the Act that established the FTC in the first place — makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices…” Though the words seem simple enough, its application in today’s world is anything but simple, particularly when you talk about data privacy. Two companies — Wyndham Worldwide Corp. and LabMD Inc. — are publicly, and independently, challenging the FTC’s authority over their data security policies (and subsequent lapses). This post is a quick update about LabMD’s challenge.
In August 2013, the FTC filed an administrative complaint against LabMD, alleging that it lacked appropriate data security and unreasonably exposed the health and personal data of its consumers. LabMD conducts clinical laboratory tests on patients and reports its findings to patients’ health care providers. In performing the needed tests, LabMD typically obtains personal information, including names, addresses, dates of birth, Social Security numbers, bank account or credit card information, laboratory tests, test codes and results, diagnoses, clinical histories, and health insurance company names and policy numbers. LabMD possesses such data for approximately 1 million consumers.
The FTC charged that LabMD “failed to provide reasonable and appropriate security for personal information on its computer networks.” Among other things, the complaint states that LabMD failed to:
- develop, implement or maintain a comprehensive information security program;
- employ adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- adequately train employees to safeguard personal information;
- require employees, or other users with remote access to the networks, to use common authentication-related security measures; and
- utilize readily available measures to prevent or detect unauthorized access to personal information on its computer networks.
The complaint cited two examples of these lapses, which are instructive to anyone who holds personal data for customers. First, the FTC claimed that LabMD employees were allowed to send emails containing patients’ personal information to their own personal email accounts. Second, LabMD allegedly failed to prevent employees from installing applications of their choosing on their work computers. As a result, an unauthorized file sharing application was installed on a LabMD computer, and an insurance aging report containing personal information for approximately 9,300 consumers was found available through LimeWire, a peer-to-peer file sharing application.
A month ago, LabMD moved to dismiss the complaint arguing that “Section 5’s plain language does not authorize patient-information data-security regulation.” LabMD further argued that only HHS, and not the FTC, is empowered to regulate patient-information data-security practices. Additionally, LabMD takes issue with the manner in which the FTC is exercising its authority, arguing that because the FTC has not published data-security regulations, guidance or standards explaining what is forbidden or required by Section 5, it has “denied LabMD and others similarly situated constitutionally required fair notice, engaged in prohibited ex post facto enforcement, and, through this action, violated LabMD’s due process rights.”
The FTC responded a couple of weeks ago. Not surprisingly, the FTC forcefully argues to the contrary — namely that:
- FTC and HHS have concurrent and complementary jurisdiction to protect consumers’ personal information;
- the FTC Act delegates broad power to the agency;
- sector-specific data security laws only add new powers and do not imply that the FTC lacked power previously to regulate or enforce; and
- the FTC is not obligated to proceed by rulemaking.
The FTC has successfully fended off similar arguments in the past. Nevertheless, these challenges are gaining steam. As technology becomes ever more sophisticated and invasive, the need for a watchdog, and for clear rules governing data security, becomes ever more apparent. It is therefore an open question whether some court will eventually demand a clearer articulation of authority before allowing the FTC to continue on its current path. It is equally open whether the FTC will get its way and Congress will legislate the problem away by making the agency’s authority over data security and privacy explicit.
Additional challenges are likely, and at some point Congress will probably be forced to get involved. Every data breach and security lapse will continue to garner public attention, and the call for tighter regulation will not go away. Whichever way these challenges play out, there is clearly a need for oversight. The question is whether the FTC will provide that oversight and, if so, whether through regulation or through enforcement alone. Stay tuned.