The FTC’s Data Security Error: Treating Small Businesses Like The Fortune 1000

Gus Hurwitz has a great commentary on LabMD v. FTC and an amicus brief filed by privacy law scholars in support of the FTC.

I say “great” because I agree with him completely.

I hold the privacy law scholars who filed the brief in very high regard, but reading their brief, I felt like it was the ivory tower vs. real world if you’re a small-medium entity in the healthcare sector.

From the get-go on this case, I have repeatedly noted that small and medium businesses that were covered by HIPAA were never given sufficient notice that we also had to comply with Section 5 of the FTC Act or what such compliance would entail. Where were the notices and guidance prior to LabMD’s incident in February 2008? A presentation to Congress in 2007? A report in 2005 based on a workshop in 2004 that SMB in the healthcare sector might not have even known to consider attending or reading? How would we even know to look at those? My review of web sites prior to 2008 turned up not a single government site or law firm site devoted to HIPAA that even mentioned compliance with the FTC Act. So how would small and medium entities even know to go look for guidance on FTC’s site?

And even if you can convince me that we should have somehow known, then where was the sufficient notice or guidance as to what practices would run us afoul of Section 5? Where, prior to 2008 when the LabMD incident occurred, was there anything that even remotely approached standards for what might be considered “reasonable” security? What if we did everything right and had one screw-up, like an employee violating policy and installing filesharing software on their workstation? Would that one foul-up warrant FTC enforcement and a 20-year auditing program? And if HHS didn’t even think the incident was a reportable breach and later declined to join FTC in its enforcement action, it seems somewhat preposterous for the FTC to claim that patients suffered actual significant injury – even though there was not a single victim identified and the only “proof” of injury was FTC’s claim that it occurred.

There’s always been something very wrong with the FTC’s case against LabMD, and it’s not just its reliance on testimony from a firm whose evidence was later shown to be fabricated.

Without doubt, the FTC has done a better job of collaboration, workshops, and outreach in recent years, but what went on prior to 2008 when the LabMD incident occurred? Citing articles from 2010 and beyond as if they justified what the FTC did before the publication of those materials strikes me as, well... deceptive. If you strip every post-2008 reference or action out of the amicus brief, what are amici left with to justify the FTC’s actions and decisions?

Citing recent research based on large corporations or entities says nothing about what small and medium-sized businesses knew at the time, nor whether the positive benefits to society as a result of large corporations taking FTC enforcement to heart also had or has any positive benefit to society when it comes to small and medium businesses. To the contrary, we know that it has had at least one negative outcome: a small cancer-detection lab went out of business, crushed under the burden of fighting the FTC’s over-aggressive enforcement.

As Gus writes:

There are millions of companies in the United States; almost all of them are closer to LabMD than to the Fortune 1000. The empirical research being presented to the court effectively says that firms with privacy- and security-focused subgroups within their legal departments that have budgets exceeding LabMD’s annual revenue pay a great deal of attention to and engage extensively with the FTC.

Not to be snarky, but that kind of makes LabMD’s point. In the FTC’s worldview, every company can be expected to have a million-dollar legal department. The utter unreasonableness of this worldview is apparent on its face – the only remarkable thing is that the FTC has found lawyers willing to make these arguments in court without a bag on their head.

So while I agree with the law professors that the FTC did and does have authority to regulate HIPAA-covered entities, and while I understand the value in not locking in a cookbook list of “unreasonable” data security practices, amici fail to address the reality of functioning as a(n) SMB and fail to demonstrate the benefit to society of aggressively pursuing SMB who have data security failures. Seriously: do any of the amici believe that a heavy-handed 20-year auditing punishment that FTC offered LabMD as part of its “settlement” offer was warranted or appropriate or has any benefit to society?

Even an example amici cite as support for their claim that there was nothing unusual about the LabMD case – the Eli Lilly case – is questionable, as in that case, there was a breach, and patients knew about it and might experience “insecurity” or worry. In this case, there was no evidence that anyone outside of Tiversa and those they shared the data with ever knew about the exposure. Certainly the patients who did not even know of the exposure did not worry or experience “insecurity.” And statistically speaking, while they would have experienced an increased risk of identity theft (if the data had been downloaded by criminals), even the increased risk still could not be shown to be a “likely” harm. But if FTC was so worried about that, then why did they not notify patients back in 2010 or seek an injunction ordering LabMD to notify them back then? Instead, they took no steps to determine if there had been actual tangible injury and waited until 2016 to order LabMD to notify them.

Yes, Congress intended for the FTC to be proactive in preventing breaches that would harm consumers. But the FTC acknowledged in 1980 that they were not concerned with “merely speculative harms” and there generally should be more than just emotional harm for a practice to be considered “unfair:”

First of all, the injury must be substantial. The Commission is not concerned with trivial or merely speculative harms.[12] In most cases a substantial injury involves monetary harm, as when sellers coerce consumers into purchasing unwanted goods or services[13] or when consumers buy defective goods or services on credit but are unable to assert against the creditor claims or defenses arising from the transaction.[14] Unwarranted health and safety risks may also support a finding of unfairness.[15] Emotional impact and other more subjective types of harm, on the other hand, will not ordinarily make a practice unfair. Thus, for example, the Commission will not seek to ban an advertisement merely because it offends the tastes or social beliefs of some viewers, as has been suggested in some of the comments.[16]

Yet in LabMD, there was no tangible or substantial harm demonstrated – not a single victim – and the FTC wound up tying itself into a pretzel trying to argue that the risk of harm and the exposure of medical information itself constituted a substantial harm. If that’s the case, then every time there’s an exposed database involving protected health information that includes SSN or health insurance account number, can and should the FTC take enforcement action and put a small business under 20 years of monitoring even if the incident was a “near-miss?”

There are many of us who would like to see the FTC (and OCR) enforce more, not less. But when the FTC takes a sledgehammer to a(n) SMB and exaggerates the harm consumers suffered, nobody benefits. Certainly not small and medium businesses who do not have the resources to hire CPOs and entire security teams. And without SMB, where will our country be economically?


About the author: Dissent

One comment on “The FTC’s Data Security Error: Treating Small Businesses Like The Fortune 1000”:
  1. Justin Shafer - February 21, 2017

    What about Patterson Dental? =)
