Can FTC Call Cybersecurity As It Sees It?: LabMD appeal could lead to clearer guidance for healthcare and other businesses

Wednesday, December 7, 2016 - 13:48
Nathan Kottkamp

Introduction: As the LabMD appeal suggests, the Federal Trade Commission may be making it up as it goes along when it comes to what it considers reasonable cybersecurity practices. That could change depending on a pending federal appellate ruling. McGuireWoods partner Nathan Kottkamp, who concentrates on healthcare law, including HIPAA matters, discusses below the potentially far-reaching ramifications of the LabMD appeal. His remarks have been edited for length and style.

MCC: Tell us about LabMD Inc.'s appeal of the Federal Trade Commission's data security enforcement action and why it is significant.

Kottkamp: The FTC filed a complaint against LabMD in 2013 for allegedly allowing access to patient information via a file-sharing system that created a vulnerability such that thousands of patients’ records could have been downloaded. Further, the FTC found that from 2005 to 2010, LabMD failed to maintain basic security practices. Among other things, the FTC found that LabMD lacked file integrity monitoring and intrusion detection, failed to monitor digital traffic, failed to provide security training to its personnel, lacked a strong password policy and allowed at least half a dozen employees to use the same weak password (“labmd”), failed to update its software to address known vulnerabilities, and so on.

Due to the lack of evidence that LabMD’s lax data security practices actually caused injury to patients, an FTC administrative judge recommended to the Commission that the matter be dismissed. In an unusual move, the FTC overturned the judge’s determination and imposed sanctions on LabMD, holding that the disclosure of health information in and of itself was sufficient to establish harm under Section 5 of the FTC Act, which grants the Commission authority over “unfair or deceptive acts.” LabMD promptly appealed the FTC’s decision and also asked for a stay of the FTC order while the appeal is pending. In November, the U.S. Court of Appeals for the Eleventh Circuit stayed the FTC’s order pending the outcome of LabMD’s appeal.

The case is positioned to either push the FTC to clarify its expectations regarding “reasonable” data security practices or to solidify the Commission’s authority to enforce data security standards, including with regard to entities covered by the Health Insurance Portability and Accountability Act (HIPAA). The FTC’s analysis of substantial injury is not limited to the healthcare industry, however, and the Commission has made it clear that any industry in possession of sensitive consumer data will be required to maintain reasonable data security practices. Indeed, this case confirms that the FTC believes that enforcement actions are justified, even in the absence of identifiable harm.

MCC: What are unfair data security practices and what is substantial injury?

Kottkamp: The FTC Act (15 U.S.C. § 45) defines “unfair” practices as being likely to cause “substantial injury” to consumers, or in this case patients. The real question with regard to the LabMD case is whether the definition of unfair or deceptive is even triggered, since the FTC’s own definition in the statute includes substantial injury. Here, there was no injury, let alone the issue of substantial injury. So it begs the question, why does the FTC think it has authority over this matter? The FTC has essentially said that “substantial” can include a situation in which there is merely a substantial risk of harm.

That rationale is problematic because it leaves little or no room for human error. Many companies take measures to implement data security policies and procedures, but may still occasionally discover vulnerabilities with their online systems – whether it is for a few minutes, a few days, or a few months. But that does not mean anyone has capitalized on that vulnerability. So, for example, if a company’s IT department applies a temporary patch to its website that makes customers’ information accessible for one week, it could be subject to an enforcement action. Even if there is no indication that anybody actually took advantage of that vulnerability, according to the FTC’s argument, the Commission would have jurisdiction to sanction that company because of the substantial theoretical risk.

Cybersecurity law is still fairly new, and the FTC has not yet set regulations that clearly define the Commission’s expectations. While one could extract core themes from various FTC settlements and FTC guidance documents that either implicitly or expressly indicate what the FTC thinks are reasonable cybersecurity practices, the outcome of such analysis still would not constitute clear law because there remain no regulations on point. Thus, businesses lack a clear set of rules by which to measure or benchmark their policies and procedures. This, of course, begs a fundamental legal question: If there are no legally defined parameters on how companies should behave with respect to cybersecurity, does the FTC have the authority to penalize companies for their behavior based on the FTC’s call-it-as-we-see-it standards?

MCC: Does the FTC have jurisdiction over HIPAA-covered entities?

Kottkamp: The short answer is probably. The FTC has not historically exercised authority over HIPAA-covered entities or business associates, likely because the Office of Civil Rights of the U.S. Department of Health and Human Services has express authority over HIPAA. But the FTC has asserted broad authority based on the FTC Act, and in this scenario, patients are consumers of healthcare. This creates twofold liability for entities that are non-compliant with HIPAA.

It is concerning for anyone who is covered by HIPAA, including business associates, to consider that due diligence to comply with HIPAA may not be enough. Does this nebulous standard about unfair practices obligate them to go beyond what HIPAA requires?

For example, there is no requirement for encryption under HIPAA. There is a safe harbor to the breach notification rule if an entity employs encryption, but there is no express requirement for encryption. However, encryption is so pervasive with technology these days that it is very easy to conceive of a scenario in which the FTC says it would consider it to be unfair practice not to employ encryption because encryption is relatively inexpensive, it is easy to implement, and it is the expected standard of care for sensitive information flow. The FTC could take the position that if a hospital, for example, does not encrypt data and sends email, it is in violation of the FTC Act even though it would have been a perfectly acceptable, although ill-advised, practice under the HIPAA law.

Thus, there may be a gap between what HIPAA requires and what the FTC considers reasonable.

MCC: What does the court's stay decision tell us?

Kottkamp: Quite simply: LabMD has a decent chance of prevailing. Of course, the substantive issues remain to be determined. But in deciding whether or not to grant the stay, the court weighed four considerations and found in LabMD’s favor on the issues of: Did LabMD make a strong showing it would succeed on the merits? Would LabMD be irreparably injured without the stay? Does issuing the stay substantially injure a third party? What is in the public’s best interest?

To succeed on the merits, LabMD must show that the FTC misinterpreted Section 5 or exceeded its authority when it took its enforcement action. In its decision, the court said LabMD presented “a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.” In other words, there are enough questions about the FTC’s decision that the order should not be enforced, yet.

In weighing whether LabMD would be irreparably injured without the stay, the court noted the fact that LabMD is no longer in operation. It no longer has revenue and is relying on pro bono legal representation. Simply put, the court determined that LabMD is not well positioned to assume the costs required to comply with the order.

The third and fourth points consider whether the public would be harmed by delaying the order. The court noted, “FTC’s ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm… there is no evidence that any consumer ever suffered any tangible harm… we find it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious purposes before this appeal terminates.”

Thus, the court’s analysis and decision to stay the order is very telling, and it suggests that LabMD has a good chance of success on the merits.

MCC: What are the implications of LabMD's appeal?

Kottkamp: If LabMD prevails, then the FTC will need to regroup to figure out next steps. It may lobby for some regulations that put clear parameters on what are acceptable cybersecurity practices so it will have clear authority over what it can enforce. Indeed, given the stakes, it is not unreasonable to think that there would be enough members of Congress that would support this effort, even a Congress that is generally opposed to more regulations. The reason: Cybersecurity impacts all industries and is a fundamental lynchpin of the economy (U.S. and global). Thus, it is conceivable that Congress will say we have to have clear standards by which companies can all be measured.

If LabMD wins, we may see legislative action that adds a layer on top of existing standards and expectations on banks, any company that processes credit cards, or online retailers, to name a few examples. But then the FTC may find itself in a position where, once we have regulations, it is on the hook to enforce this law as the sole authority over cybersecurity issues.

If the FTC prevails, we may see strong efforts by industries to ensure that the FTC’s authority is more clearly defined for the benefit (protection) of industries. Otherwise, without clear regulations that set defined standards, businesses could be perpetually under attack by the FTC, even for actions/inaction that do not result in harm. Either way, we are likely going to see some regulations emerge as a result of this case. The key questions are when and what the rules ultimately look like.