The FTC, LabMD, EBay, and Cybersecurity: What Do Reasonable Precautions Actually Mean?
The Federal Trade Commission’s effort to force businesses to take reasonable precautions to protect their clients’ sensitive personal information from data breaches is back in the news this week, as is at least one big, new data breach. What the FTC does, and what it tries to get businesses to do, about cybersecurity should be important to everyone. Sooner or later, it seems, any business could have its customers’ data stolen and face FTC charges as a result.
Why you should pay attention: EBay just announced a large data breach. According to an article published in the Seattle Times on May 21, 2014, hackers stole some of the company’s employees’ log-in credentials and used them to gain access to EBay’s corporate network, which includes customers’ names, addresses, dates of birth, and encrypted passwords. It happened between late February and early March 2014 but was discovered only two weeks ago. EBay said there was no evidence that any of its customers were harmed by the breach. They did, however, ask each of their active users to change their passwords. To put it into perspective, they reportedly have 145 million active users. There might not be any damage, but it is a big deal.
What you should pay attention to: The latest FTC enforcement action to make the news is the administrative law trial of the medical testing company, LabMD, Inc. The FTC has alleged that its lax security measures exposed, and compromised, the private information of almost 10,000 customers. One of the main issues, according to a report in the May 20, 2014 National Law Journal by Jenna Greene, is whether the FTC overstepped its bounds by bringing the charges.
The FTC’s effort to enforce what amounts to a “reasonable precautions” cybersecurity standard is not new. As we noted a few weeks ago, in a separate case the FTC brought against Wyndham Worldwide Corp, Federal District Court Judge Esther Salas on April 7, 2014, upheld the Federal Trade Commission’s right to police corporate cybersecurity practices under its authority, pursuant to Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), to prohibit unfair or deceptive acts or practices in, or affecting, commerce.
The Wyndham case was interesting because it involved hundreds of thousands of people who allegedly had their debit and credit card information stolen because they did something everyone does: pay for a hotel room. The LabMD case might be a lot smaller, but there was a lot more at stake.
LabMD did more than merely expose the personal financial information of its customers; it allegedly exposed their confidential medical information as well, according to the FTC’s August 29, 2013 press release. These allegedly included the results of medical tests, including for cancer, according to the National Law Journal Report. Those medical records make the case important.
Medical records, including how they should be protected and under what conditions they should be disseminated, are already regulated by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA. Can, and should, the FTC be able to add its own rules? LabMD reportedly argues it should not.
If the FTC does have the authority to enforce its own standard of care, shouldn’t that standard be clear? Right now it is not clear what a business has to do to adequately protect its customers’ information, or what reasonable precautions it should take. The FTC’s lawyer in the LabMD case, Alain Sheer, according to the National Law Journal report, argued that reasonableness was flexible and depended on the overall circumstances. He was sure, however, that merely having, and relying on, anti-virus and anti-spyware programs was not enough.
Think about this for a second. How many companies do you suppose currently believe all they have to do is rely on current, up-to-date anti-virus and anti-spyware programs, with some cursory employee training thrown in? Look at how easily that might get them into trouble.
The LabMD data breach occurred in an aw-shucks, anyone-can-make-that-mistake kind of way. According to the National Law Journal report, an employee installed a peer-to-peer file sharing application on her work computer. The idea, reportedly, was to share music files; it wasn’t necessarily a bad idea and it probably was good for morale. The problem was that the employee inadvertently shared an insurance file containing information on approximately 9,300 patients. Anyone can click on the wrong file; it’s a simple mistake. It’s just hard to undo the damage, because once you share a file you really can’t control what someone else does with it. In a separate incident, police in Sacramento, California, allegedly found LabMD documents for approximately 500 patients in the hands of identity thieves.
How many companies, do you think, would have allowed, or maybe even overlooked, an employee putting a music file sharing application on her work computer?
Out of all of the other mistakes the FTC alleges LabMD made, the one that stands out the most is that it allowed employees to log on for years using “LabMD” as their password. When you think about it, is there anything sillier than making the key to unlock LabMD’s secrets the word “LabMD”?
How many companies, though, actually police their employees’ passwords or enforce any kind of standards for them? Look at what can happen, though, when someone gets hold of the key to the vault: 145 million customers are asked to change their password; just ask EBay.
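The “LabMD as the password” problem above is, in practice, a missing context-specific screening rule: a password policy should refuse anything that is, or trivially disguises, the organisation’s own name or the user’s own name. As an added illustration that is not part of the original article, the Python check below does exactly that; the organisation name “LabMD” comes from the article, while the user names, the 12-character minimum and the character-substitution table are assumptions.

```python
# Context-specific password screening: reject candidates that are the
# organisation name, the user's own name, or trivial variants of either
# (case changes, leetspeak substitutions, appended digits or symbols).
# "LabMD" is the organisation name from the article; MIN_LENGTH, the LEET
# table and the sample user names are assumptions for this example.
import re

LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 12  # assumption; the article states no length rule


def normalize(text: str) -> str:
    """Fold case, undo common substitutions, then keep letters only."""
    folded = text.casefold().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def context_terms(org_name: str, username: str, extra=()) -> set[str]:
    """Normalised words a password must not contain (org, user, user-name parts)."""
    terms = {org_name, username, *extra}
    terms.update(re.split(r"[.\-_ ]+", username))  # "j.smith" -> "j", "smith"
    normalised = {normalize(t) for t in terms}
    return {t for t in normalised if len(t) >= 3}  # ignore 1-2 letter fragments


def check_password(candidate: str, org_name: str, username: str, extra=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    normal = normalize(candidate)
    for term in sorted(context_terms(org_name, username, extra)):
        if term in normal:
            problems.append(f"contains context term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates for the (assumed) user j.smith at LabMD.
    for pw in ("LabMD", "L@bMD-2014-secure", "correct-horse-battery-staple"):
        print(f"{pw!r}: {check_password(pw, 'LabMD', 'j.smith') or 'accepted'}")
```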
Maybe this all will get straightened out sometime soon. Maybe there will be a clear-cut standard for whose rules a business has to follow and what those rules are. Maybe someone will tell us exactly what reasonable precautions a business should take to protect its customers’ private information. Maybe we should all keep watching until we find out; it’s just a thought.
Thank you.