FTC v. LabMD: Authority to regulate cyber-security under the FTC Act
Key point:
The court ruled that FTC cybersecurity consent orders that do not contain security program requirements specific enough to be measured may be void and unenforceable. As a consequence, it is likely that the FTC will respond to the decision by including more specific security requirements in future security and privacy orders.
Background
LabMD, Inc. was a cancer diagnostic testing facility that used medical specimen samples and patient information to provide diagnostic information to health care providers. As such, it was subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In violation of company policy, a company billing manager installed LimeWire (a peer-to-peer (P2P) file-sharing application) on a company computer. Using LimeWire, the manager made a file containing the personal information of 9,300 consumers available to approximately two to five million LimeWire users.
The file included names, dates of birth, Social Security numbers, laboratory diagnostic and testing codes, and (for some patients) health insurance information. It was downloaded by a data security firm (Tiversa), which contacted LabMD to offer remediation services; LabMD refused. The LimeWire was…