Facts of the LabMD Case
LabMD, Inc. was a cancer diagnostic testing facility that used medical specimen samples and patient information to provide diagnostic information to health care providers. The company was subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and had a HIPAA compliance program in place that prohibited the downloading of peer-to-peer (P2P) file-sharing applications on company computers. LabMD v. FTC, Case No. 16-16270 (11th Cir. June 6, 2018), at 2. Now defunct as an operating company, LabMD nonetheless exists as a company and continues to protect its information.
In violation of this prohibition, a company billing manager installed LimeWire on a company computer. This P2P software permits users to make computer documents accessible to the larger LimeWire community. The manager made a file containing the personal information of 9,300 consumers (the 1718 File) available to approximately two to five million LimeWire users. The 1718 File included names, dates of birth, Social Security numbers, laboratory diagnostic and testing codes, and, for some patients, health insurance information.
A data security firm, Tiversa Holding Corporation (Tiversa), downloaded the 1718 File and contacted LabMD to offer remediation services, which were refused. LimeWire was uninstalled from the billing manager’s computer. Tiversa sent the 1718 File to the FTC.
In its resulting complaint, the FTC alleged a variety of general security failures around LabMD’s policies and procedures that, the FTC decided, ultimately led to the posting of the 1718 File.
The Eleventh Circuit noted that there was no evidence that any of the 1718 File information was accessed by anyone other than Tiversa or that it was otherwise improperly used.
FTC Consent Orders and Reasonable Information Security Programs
The FTC has filed enforcement actions against a variety of companies for security program failures, alleging that such failures constitute an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) (the FTC Act or Section 5(a)). The resulting consent orders generally require the defendant companies to implement and maintain information security policies and procedures designed to protect consumer information.
In this manner, the FTC has for years been building a “common law” body of orders intended to require companies to maintain reasonable information security programs. The FTC published in 2015 a guide for companies based on these consent orders, Start with Security, which it updated in 2017 with its “Stick with Security” blog series. These guides are crafted as “lessons-learned” guidance and focus on the following:
- Security and privacy programs aligned with the following principles: purpose or minimization limitation on the collection of personal information; retention for only as long as necessary; appropriate employee training and education; and consumer choice.
- Data access controls designed to restrict access to personal information and limit administrative access.
- Operational access controls, such as passwords and authentication processes.
- Protection of data in storage and in transit.
- Network firewalls and monitoring.
- Remote access controls.
- Addressing security in the development of new products or services.
- Vendor management of security risks posed by third-party service providers.
- Ongoing monitoring and evaluation of security processes.
- Physical security of storage media.
The enforcement actions tend to arise out of fairly egregious facts and are usually precipitated by a significant data breach. Accordingly, the specific “lessons learned” are often a list of “do-nots.” For example, a do-not of LabMD is “do not allow downloading of P2P (or noncompany) software on company systems.” The FTC has leveraged these specific do-nots into a larger concept of reasonable security. In LabMD, the FTC reasoned that a general laxity of information security policies and procedures led to the installation of the P2P software on the billing manager’s computer and the failure to detect its presence there.
In its press release regarding its 2017 Annual Privacy and Security Update (the Update), the FTC expressly stated that it “uses a variety of tools to protect consumers’ privacy and personal information including bringing enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior.” The FTC regularly includes comprehensive information security program requirements in its consent orders, attributing identified security lapses or breaches to weak security generally.
The FTC consent order security programming requirements tend to be: (1) technology-neutral; (2) intended to be evaluated and updated on a regular basis; and (3) focused on the individual company’s risk-management efforts, taking into account the amount of practical risk, costs involved, industry standards, and sensitivity of information, among other factors.
Other Regulatory Approaches to “Reasonable Security”
The FTC’s concept of “reasonable security” is consistent with approaches taken by other laws and regulatory guidance regarding information security programs. The consensus seems to be that, as technology and innovation are evolving faster than the law, the applicable laws should focus on security management standards and goals, rather than express prescriptive rules.
For example, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (RMF), https://www.nist.gov/cyberframework/framework, offers a general set of standards, guidelines, and best practices to manage cybersecurity risk in critical infrastructure. The NIST RMF is neither prescriptive nor specific. Rather, it allows companies to evaluate their security programs in light of “their organizational requirements and objectives, risk appetite, and resources against” certain “core” cybersecurity principles.
Similarly, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) provides a “repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” Like the NIST RMF, the FFIEC CAT offers core principles and goals but relies on the company’s own risk-management assessment and strategies. The FFIEC CAT maturity domains include general statements like, “[d]edicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies” or “[t]he institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate.”
State statutory and regulatory requirements around security programs are also general. For example, the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (the NY Cyber Reg) requires such companies to develop cybersecurity programs based on a risk inventory and assessment process, with the goal of developing a policy that addresses all of the following:
- information security
- data governance and classification
- asset inventory and device management
- access controls and identity management
- business continuity and disaster recovery planning and resources
- systems operations and availability concerns
- systems and network security
- systems and network monitoring
- systems and application development and quality assurance
- physical security and environmental controls
- customer data privacy
- vendor and third-party service provider management
- risk assessment
- incident response
Like the NIST RMF and the FFIEC CAT, which address the use of multifactor authentication and penetration testing, as appropriate, the NY Cyber Reg does not require the use of specific technology.
The more comprehensive Massachusetts cybersecurity regulation, Standards for the Protection of Personal Information of Residents of the Commonwealth (the MA Cyber Reg), requires companies to maintain cybersecurity programs that, at a minimum and to the extent technically feasible, should have the following elements:
- Secure user authentication protocols including:
  (a) control of user IDs and other identifiers;
  (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
  (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  (d) restricting access to active users and active user accounts only; and
  (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
- Secure access control measures that:
  (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
  (b) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
- Reasonable monitoring of systems for unauthorized use of or access to personal information;
- Encryption of all personal information stored on laptops or other portable devices;
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
The MA Cyber Reg is technology-neutral, industry standards- and risk-based, and tied to a “reasonableness” concept.
Other state laws are even broader. The recently enacted Alabama State Data Breach Notification Act (the AL Act) requires companies to maintain “reasonable security measures” to protect personal information. “Reasonable” means “practicable” in relation to a cost-benefit analysis, the type and volume of information involved, and the size of the entity, with emphasis to be placed on “data security failures that are multiple or systemic” and taking into consideration all of the following measures:
- designation of one or more managers of the security program;
- risk inventory—both internal and external;
- vendor management with contractual security obligations;
- continuous monitoring and evaluation of threats and measures; and
- board or management oversight.
LabMD Consent Order
The FTC’s consent order in this case, FTC Consent Order In the Matter of LabMD, Inc., Docket No. 9357, at 2–3, imposed security requirements that were commensurate with those imposed by previous consent orders. The order required LabMD to:
establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:
- the designation of an employee or employees to coordinate and be accountable for the information security program;
- the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
- the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
- the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
- the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by [the order], any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.
Eleventh Circuit Holding and Reasoning in LabMD
The Eleventh Circuit held that the LabMD consent order was void for lack of specificity:
In the case at hand, the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.
The Eleventh Circuit acknowledged that due to limitations on legislating “an extensive list of unfair acts or practices,” Congress authorized the FTC “to establish unfair acts or practices through case-by-case litigation.” Notably, the court did not squarely address the issue of whether the FTC has data security enforcement authority under section 5(a).
The court focused on the FTC’s own two-prong test to determine whether an act or practice is “unfair” under section 5(a):
- whether there is a “consumer injury,” which is substantial, not outweighed by a countervailing benefit to the consumer, and not reasonably avoidable by the consumer; and
- whether the act “offended public policy as established by statute, the common law, or otherwise.”
The court found that “the [FTC’s] complaint alleges no specific unfair acts or practices” by LabMD other than the installation of P2P software on a single LabMD computer. The FTC complaint did not state that the installation of the P2P software violated a specific company policy. The court assumes that LabMD had a policy against the download. The court’s focus appears to be on this single violation, which, according to the court’s reasoning below, would justify an express prohibition in the consent order against policies or procedures permitting such an installation. The court did not discuss the FTC’s more holistic approach in the context of whether the company could have exercised better practices generally in implementing controls to actually prevent the employee from downloading external programs on a company computer, and whether such failure would warrant the imposition of more comprehensive security requirements, as was done in the order.
The opinion, however, assumed arguendo “that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice” under section 5(a).
The Eleventh Circuit recognized that although “[n]othing in the FTC Act addresses what content must go into a cease and desist order,” the FTC’s own procedural rule requires that a complaint must contain a “clear and concise factual statement sufficient to inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law.” The court concluded that (1) the complaint must state violations with “reasonable definiteness,” and (2) the remedy (in this case, the requirements of the consent order) “must comport with this requirement of reasonable definiteness.” Accordingly, the opinion states that “the order’s prohibitions must be stated with clarity and precision.”
The opinion further explains how enforcement of FTC consent orders occurs procedurally, either with enforcement by the administrative law judge (ALJ) or the district court. These authorities are charged with enforcement of injunctions of specific prohibited conduct enumerated in the consent order. The court concludes that the effect of indefinite requirements would lead to micromanagement in the form of constant interpretation and modification of the order by the ALJ or court.
The opinion holds that the order is void for lack of enforceability in that the order contained no express prohibited acts or practices: “it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness.”
Implications for FTC Cybersecurity Enforcement
The FTC’s consent order in this case included comprehensive but general information security program requirements, which is consistent with its approach in many previous cybersecurity consent orders. The intent of the FTC appears to have been to craft an evolving concept of “reasonable security” and to require companies to monitor and develop their security programs over time. The Eleventh Circuit, however, rejected this approach as lacking in specificity. The implications for the enforceability of existing FTC consent orders are significant. If courts follow the LabMD holding, a domino effect voiding a long line of consent orders may well follow. Moreover, going forward, the FTC must consider including very specific security requirements and prohibitions in its consent orders.
At a recent conference, an FTC attorney advisor, speaking in her “personal capacity” and not on behalf of the agency, indicated in an off-the-cuff remark that they were “considering [their] options” in light of the opinion. Hot Topics in Advertising Law 2018, “FTC Year in Review” Practising Law Institute webinar (Christine DeLorme, 6/26/18).
The Eleventh Circuit emphasized that:
- the posting of the 1718 File was in direct violation of a specific LabMD policy against downloading P2P software on company systems; and
- the FTC did not demonstrate that any alleged general laxity in security programming resulted in this specific company policy violation.
Does this mean that if the FTC concludes that a company’s failure to implement adequate cybersecurity programs caused a specific unfair act or practice, the FTC must:
- limit the remedy in the consent order to the specific act or practice; and/or
- expressly demonstrate that the specific violation was caused by a broader, but still definite, series of security lapses?
The FTC cybersecurity consent orders generally require a long-term information security program (20 years is typical) that encompasses all of the company’s activities related to consumer information. Does the LabMD decision mean that the order must focus on the specific violation as of a definite point in time?
Consider a company that does not honor consumer choices regarding information offered through its website. For example, the company may not give the opportunity to consent to or opt out of sharing of personal information with unrelated third parties for marketing purposes, or may offer that choice but not honor it. Must the consent order be limited to requiring that consumer choices regarding such sharing of personal information collected via the website for marketing purposes be offered and honored? In that event, would other types of sharing not violate the order, even if consumer choices are offered but not honored? Alternatively, would the same company be liable if it later offered a mobile application and failed to offer or honor the same consumer choices via the app? Would the FTC have to micromanage the company’s information security program through a series of enforcement actions over time?
Conversely, should the FTC focus its efforts on promulgating regulations to require companies to implement reasonable security programs, as has been done with the other laws and regulatory guidance discussed above?
The potential importance of this opinion cannot be overstated, both with respect to its impact on existing FTC consent orders and the FTC’s ability to continue developing a concept of “reasonable security” while prosecuting unfair privacy and security practices on an action-by-action basis.