By Paul C. Van Slyke and Tammy Woffenden
Paul C. Van Slyke, a partner in the Houston office of Locke Lord LLP, advises clients in the areas of intellectual property, advertising, promotions, media, technology, anti-counterfeiting, privacy, data security, and publishing law. He teaches Advertising & Marketing Law at the University of Houston Law School.
Tammy Ward Woffenden, an associate in the Austin, Tex., office of Locke Lord LLP, focuses on transactional, regulatory, and administrative health law issues. Her areas of experience include HIPAA privacy compliance, review of contractual arrangements involving health care providers, health care provider licensure and certification matters, and mergers of health care entities.
The Federal Trade Commission recently filed an administrative complaint, Docket No. 9357 (the publicly available version of the complaint is redacted), against a medical testing laboratory, LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers' personal information, and that those failures exposed consumers' personal information (in some instances including names, Social Security numbers, dates of birth, and healthcare-related information) in two separate security incidents. In the first incident, a spreadsheet was found online on a peer-to-peer (“P2P”) network. In the second incident, the Sacramento Police Department found LabMD documents containing sensitive personal information of at least 500 consumers in the hands of identity thieves. Although some of the information involved was healthcare related, there are lessons to be learned by companies that handle personal information in any industry.
The FTC Complaint alleges that LabMD failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer information -- including health information -- it collected and stored. Among other things, the Complaint alleges that the company:
• Did not implement or maintain a comprehensive security program to protect the sensitive consumer information;
• Did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to that information;
• Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
• Did not adequately train employees on basic information security practices; and
• Did not use readily available measures to prevent and detect unauthorized access to personal information.
As noted above, the complaint alleges that a testing laboratory spreadsheet containing insurance billing information was found on a P2P network. P2P network architecture is commonly used to share music, videos, and other materials with other users of compatible software, and it is well known that P2P software running on a company network creates a significant risk that files containing sensitive information will be inadvertently shared. Once a file containing personal information has been made available on a P2P network and downloaded by another user, that user can continue to share it across the network even after the original source of the file is no longer connected.
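An illustration of the kind of “readily available measure” the complaint refers to, added here as an example and not taken from the article or from any party to the case: a small Python script that walks a folder a P2P client has been configured to share and flags files whose contents look like a billing spreadsheet (strings shaped like Social Security numbers and dates of birth). The folder layout, the patterns and the thresholds are assumptions, and the sample files it builds are constructed test data, not real records.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns for the identifier types named in the complaint. They are
# deliberately simple (shape only, no validity checks); tune them to the
# formats your own data actually uses.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
MAX_BYTES = 5 * 1024 * 1024  # assumption: read at most this much of each file
DOB_THRESHOLD = 3            # assumption: one or two dates are noise, many in one file are not


def count_identifiers(text: str) -> dict:
    """Count SSN-shaped and date-of-birth-shaped strings in a piece of text."""
    return {"ssn": len(SSN_RE.findall(text)), "dob": len(DOB_RE.findall(text))}


def scan_share(root: str) -> dict:
    """Walk a folder that a P2P client exposes and report files that appear to hold PII.

    Returns {relative_path: {"ssn": n, "dob": m}} for flagged files only.
    Binary files are read with errors ignored, so audio/video mostly yield no matches.
    """
    findings = {}
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                raw = fh.read(MAX_BYTES)
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        counts = count_identifiers(raw.decode("utf-8", errors="ignore"))
        if counts["ssn"] > 0 or counts["dob"] >= DOB_THRESHOLD:
            findings[str(path.relative_to(root_path))] = counts
    return findings


def build_sample_share() -> str:
    """Create a constructed folder that mimics a P2P share (sample data, not real people)."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"\x00\x01fake audio bytes\xff")
    # Constructed billing spreadsheet: the kind of file that should never sit in a shared folder.
    (root / "billing.csv").write_text(
        "patient,ssn,dob,amount\n"
        "A. Sample,123-45-6789,01/15/1970,125.00\n"
        "B. Sample,987-65-4321,11/30/1982,80.50\n"
    )
    # A harmless note with a single date: below the threshold, so not flagged.
    (root / "notes.txt").write_text("Meeting moved to 03/01/2014, see you there.\n")
    return str(root)


if __name__ == "__main__":
    share = build_sample_share()
    for rel_path, counts in scan_share(share).items():
        print(f"FLAGGED {rel_path}: {counts}")  # prints: FLAGGED billing.csv: {'ssn': 2, 'dob': 2}
```

Running a scan like this against a share folder before the client is allowed to expose it turns an invisible misconfiguration into a finding that someone is responsible for acting on. A hit means the file should be moved out of the shared location, and the client's transfer history checked, because, as the article notes, a file that has already been downloaded can keep circulating after the original host disconnects.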
The FTC seeks an order that would require the company:
• To implement a comprehensive written information security program;
• To have the security program evaluated every two years by an independent, certified security professional for the next twenty years; and
• To provide notice to consumers whose information the testing laboratory has reason to believe was, or could have been, accessible to unauthorized persons, and to those consumers' health insurance companies as well.
The FTC filed this case under its unfairness authority in Section 5 of the FTC Act. Under the FTC's Unfairness Policy Statement, the consumer injury caused by a practice:
1. must be substantial;
2. must not be outweighed by countervailing benefits to consumers or competition that the practice produces; and
3. must be an injury that consumers themselves could not reasonably have avoided.
The complaint alleges the three elements required by the Unfairness Policy Statement, namely:
1. “At all relevant times, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.”
2. “Respondent could have corrected its security failures at relatively low cost using readily available security measures.”
3. “Consumers have no way of independently knowing about respondent's security failures and could not reasonably avoid possible harms from such failures, including identity theft, medical identity theft, and other harms, such as disclosure of sensitive, private medical information.”
Since 2009, covered entities that experience a breach of unsecured protected health information (“PHI”) have been required to report the incident to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), to contact affected individuals and, depending on the size of the breach, to notify local media. OCR has been particularly active in enforcement relating to breaches of unsecured PHI caused by inadequate security measures, including failure to encrypt data, failure to wipe equipment such as photocopiers and laptops that store protected information, and failure to use adequate technical safeguards to protect data that becomes available online. Covered entities, and the contractors who use and access PHI on a covered entity's behalf, are required to conduct ongoing security risk assessments to identify and resolve such system vulnerabilities.
FTC Commissioner J. Thomas Rosch issued a dissenting statement concurring with the decision to enforce the document subpoena. Commissioner Rosch, however, criticized Commissioner Brill's ruling on the petitions for failing to limit the scope of the CIDs to require production of a spreadsheet containing sensitive personally identifiable information regarding approximately 9,000 patients that was originally discovered through the efforts of Dartmouth Professor M. Eric Johnson and Tiversa, Inc.
In its answer to the complaint, LabMD adamantly denies the allegations of the complaint and takes the position that §5 does not give the FTC authority to regulate the acts and practices the FTC complained about. The answer states that the FTC's actions are arbitrary, capricious and an abuse of discretion. It also alleges that the FTC has not published any guidelines clarifying the types of data security practices it has the ability and authority to enforce and regulate, and so has not given fair notice.
The FTC has appointed Chief Administrative Law Judge D. Michael Chappell to take testimony and receive evidence at a hearing scheduled for April 28, 2014.