InfoBytes Blog

Financial Services Law Insights and Observations

FTC Determines Medical Testing Lab's Data Security Practices Unreasonable

FTC Privacy/Cyber Risk & Data Security

On July 29, the FTC announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision to dismiss a 2013 FTC complaint against a Georgia-based medical testing laboratory (Respondent). In a 3-0 vote, the Commission determined that Respondent “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network and therefore that its data security practices were unfair under Section 5 of the [FTC] Act.” In reversing the Initial Decision, the Commission concluded that Respondent’s security practices lacked “even basic precautions” to protect consumers’ sensitive information by, among other things, failing to (i) “use an intrusion detection system or file integrity monitoring”; (ii) “monitor traffic coming across its firewalls”; (iii) provide adequate data security training to its employees, finding that “essentially no data security training” was provided; and (iv) delete “any of the consumer data it had collected.” According to the Commission, such failures led to the exposure of medical and other sensitive information for 9,300 consumers on a peer-to-peer (P2P) network to which millions of users had access.

The Commission reasoned that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” further noting that Respondent’s practices were also “likely to cause substantial injury,” as reasonably interpreted under Section 5(n), because (i) they led to the exposure of consumers’ sensitive information to the millions of P2P users; and (ii) “Complaint Counsel’s expert witnesses identified a range of harms that can and do result from the unauthorized disclosure of consumers’ sensitive personal information of the type maintained by [Respondent] on its computer network.” The Commission’s Final Order requires that Respondent, among other things, establish “a comprehensive information security program,” give notice to those consumers and companies affected by the disclosure on the P2P network, and obtain periodic independent, third-party assessments regarding the implementation of the new security program. After service of the Commission’s Opinion and Final Order, Respondent has 60 days to file a petition for review with a U.S. Court of Appeals.