Opening statements were held today in FTC vs. LabMD, one of only two data security enforcement cases that have not resulted in a consent order to settle charges.
FTC attorney Alain Sheer provided the overview of the FTC’s complaint, alleging that LabMD failed to have a reasonable and appropriate data security program. He was only just into his opening statement, however, when Chief Administrative Law Judge D. Michael Chappell interrupted him to ask, “Is it your position that the information that was on the peer-to-peer file-sharing program, LimeWire, that was a violation of the law, merely posting it on that? Is that your position?”
Sheer responded that it was a consequence of the company’s unreasonable security practices and indicative of the way the practice had failed to protect sensitive information.
Judge Chappell persisted: “But if I heard you correctly, mere posting of the information is not a violation.”
Sheer responded, “The posting of the information makes the information available to anyone who searches on the P2P network to find it. It is there for the world to see. And by simply disclosing that information and making it available, the company has demonstrated that its practices were not reasonable and appropriate.”
That’s a pretty amazing statement, as it suggests that the FTC can argue that any entity that has a breach resulting in exposure of information had data security practices that were not reasonable and appropriate. Considering that the FTC denied using such circular analysis in Wyndham, I’m not sure what to make of Sheer’s statement here. In any event, Judge Chappell tried again: “So that’s a yes or no to my question? I asked you twice.”
Sheer responded, “A breach itself may not by itself be a law violation, but it is indicative that security practices are not reasonable and appropriate, and that’s the circumstances here.”
Sheer continued, claiming that the FTC would prove that LabMD failed to have reasonable and appropriate security because it allegedly:
- failed to adequately assess risks, with the result that “very serious, well-known and easily fixed vulnerabilities went unpatched for years on the company’s servers that handled sensitive information;”
- allowed employees with access to sensitive information to log into their computers using “LabMD” as their password instead of requiring strong passwords that were periodically changed;
- did not use readily available security measures to prevent and detect unauthorized access to its network;
- failed to adequately train employees about information security;
- failed to maintain and update operating systems and other devices on its network;
- failed to use adequate controls to limit employee access to just the sensitive information they needed to perform their jobs; and
- failed to have a written comprehensive information security program.
We’ve certainly seen many of these allegations in other data security enforcement actions, so there was no real surprise there.
William Sherman, representing LabMD, focused on the absence of any demonstration of harm in his opening statement.
“This case is more about what could have happened, it’s more about what might happen, what might have happened, but it’s certainly not about what happened,” Sherman stated.
“And the evidence will show that the government is unable to establish the link between what they allege are LabMD’s data security practices and any harm to any consumer.”
“What about the likelihood of harm?” Judge Chappell inquired. Sherman replied that the evidence will show that the FTC doesn’t know how the 1718 file escaped the possession of LabMD or how the day sheets that were found in Sacramento escaped the possession of LabMD:
So there’s no causal connection between the alleged data security inadequacies and the appearance of these documents. And what the evidence will show, Your Honor, is that there are a number of ways that these documents could have escaped the possession of LabMD even if LabMD’s data security practices were perfect.
While the FTC emphasized the security of electronic records, LabMD claims that none of the files involved in the two incidents – the 1718 file and the day sheets found in Sacramento – were electronic files that were saved or stored on its system. According to its opening statement, the day sheets were created daily for billing purposes by populating a form, printing it out for billing, and then shredding the printed sheet when billing was done with it. So presumably the day sheets could not have been hacked or shared electronically, because they were never saved. Neither was the 1718 file ever supposed to be saved electronically.
So what does that do to the FTC’s case, if anything?
And does it matter that the FTC allegedly isn’t even sure how or when the 1718 file was obtained by Tiversa? It actually should matter, I think. If Tiversa found the file while conducting research in conjunction with Dartmouth and if Dartmouth had received federal funding for the research as LabMD claims, then the 1718 file was in the possession of a research associate who would be obligated to protect the file and not disclose it further – meaning that there would be a low risk of harm or injury. Of course, that doesn’t negate all problems if the file was also found on other servers, but can FTC prove that it was? And if they have no evidence of any harm or injury, is Sherman right that this case boils down to a case about what might have been or what could have happened? Or will Judge Chappell find that the fact that the day sheets wound up in the possession of criminals and the 1718 file was reportedly found on other servers is sufficient to prove that LabMD had an unreasonable and inappropriate data security program that was likely to cause significant injury to consumers that they could not reasonably avoid and that was not offset by any benefits?
The first witness called by the FTC was Professor Raquel Hill of Indiana University, who reviewed LabMD’s security program and found it lacking in many respects.
The hearing resumes tomorrow with cross-examination of Professor Hill.