FTC Files Complaint Against Healthcare Company LabMD, Alleging Inadequate Security Controls
The FTC's complaint against LabMD alleges that the company "engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks." The FTC includes as examples allegations that LabMD did not:
- "develop, implement, or maintain a comprehensive information security program to protect consumers' personal information";
- "use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks";
- "use adequate measures to prevent employees from accessing personal information not needed to perform their jobs";
- "adequately train employees to safeguard personal information";
- "require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication";
- "maintain and update operating systems of computers and other devices on its networks"; or
- "employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks."
The FTC also alleges that LabMD "could have corrected its security failures at relatively low cost using readily available security measures."
On September 17, LabMD filed its answer and defenses to the FTC's complaint. LabMD generally denied all allegations that it did not engage in reasonable and appropriate security practices. Significantly, LabMD also challenged the FTC's subject-matter jurisdiction and the agency's "statutory authority to regulate the acts or practices alleged in the Complaint." The answer also includes the defense that the FTC "has not published any rules, regulations, or other guidelines clarifying and providing any notice, let alone constitutionally adequate notice, of what data-security practices the Commission believes Section 5 of the FTC Act forbids or requires and has not otherwise established any meaningful standards," in violation of the Fifth Amendment and the Administrative Procedure Act.
LabMD's arguments echo those raised in FTC v. Wyndham, in which the FTC faces a similar challenge to its foundational authority under Section 5 to bring claims based on data security practices. The Wyndham case is in federal district court, however, whereas the LabMD case will play out before an Administrative Law Judge (ALJ), where the FTC may have a higher likelihood of prevailing. Whatever the outcome before the ALJ, either the FTC or LabMD may appeal the ALJ's decision to the full Commission, and the Commission's decision would then be appealable to any federal circuit court of appeals in which LabMD carries on business. The reviewing court, however, would owe deference to the Commission's findings of fact and interpretation of the FTC Act. It is unclear why the FTC filed an administrative complaint against LabMD rather than a district court complaint as it did against Wyndham, although the FTC website notes that "where a case involves novel legal issues or fact patterns, the Commission has tended to prefer administrative adjudication." Every other company in Wyndham's or LabMD's position has chosen to settle FTC charges based on allegations of unfair security practices rather than contest them, so these cases, if tried to completion, are sure to break new ground.
The case against LabMD also is a reminder to HIPAA covered entities and business associates that the HIPAA Security Rule's specific requirements are not the only standard by which such companies' data security programs will be judged. Previous FTC actions against healthcare companies have focused on situations involving improper disposal of patient information (e.g., In re Rite Aid Corp., In re CVS Caremark Corp.). Notably, the FTC's complaint against LabMD may suggest that the FTC takes a more aggressive view than does HHS of what constitutes reasonable information security, for example by implying that two-factor authentication may be necessary for remote access.
Paul Otto, an associate in our Washington office, contributed to this entry.