"Reasonable" Data Security: The FTC's Guideposts for Employers
The recent ruling by an administrative judge that the Federal Trade Commission (FTC) must testify about the data security standards it uses to pursue an enforcement action against LabMD, Inc. (LabMD) generated intense interest among data security professionals. Although human resources professionals and in-house employment counsel typically are not close followers of the FTC’s activities, they should take note, too. The FTC’s standards for “reasonable” data security offer employers valuable guidance in navigating their obligations to safeguard employee data.
The FTC has asserted, and one federal district court recently held, that the standard for fair data security practices under the FTC Act is reasonableness, which is also the standard that employers generally must meet when safeguarding sensitive personnel information. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that employers implement “reasonable and appropriate” safeguards for protected health information. As another example, California businesses are required to “implement and maintain reasonable security procedures and practices” for personal information. A majority of states require companies to take reasonable steps to destroy personal information when disposing of records.
The challenge for employers, like that for businesses responsible for safeguarding customers’ data, is how to translate “reasonable” security requirements into actual practices. Data security professionals have followed the LabMD case closely because they hope it will shed light on this question.
Before shutting down operations earlier this year, LabMD conducted clinical laboratory tests on specimen samples from consumers and sent the results to the consumers’ health care providers. The FTC alleges that, in 2008, LabMD made insurance billing information available on a peer-to-peer network installed on an office computer, thereby exposing the personal information of more than 9,000 consumers. In 2013, the FTC filed its complaint against LabMD, alleging that the company had failed to provide “reasonable and appropriate” security for consumers in violation of the FTC Act.
Instead of promptly settling with the FTC, like most other companies have done in similar situations, LabMD fought back. The company filed a motion to dismiss that asserted, in part, that the FTC could not penalize LabMD for allegedly failing to provide adequate security for consumer information because the FTC had not issued any regulations to put LabMD on notice of what that standard entails. The administrative court denied the motion to dismiss. But on May 1, 2014, the judge granted LabMD’s motion to compel testimony regarding the data security standards the FTC intends to use to prove that LabMD’s data security was inadequate.
In a deposition held on May 12 and recently entered into the court record, Bureau of Consumer Protection Deputy Director Daniel Kaufman sidestepped questions about specific data security practices that would fail the reasonableness standard. Instead, he asserted that the FTC’s consent orders, guidance brochures, and other statements create a body of guidance from which companies can derive reasonable practices. Mr. Kaufman emphasized that reasonableness must be determined on a case-by-case basis.
Nevertheless, the FTC has repeatedly identified certain practices as unreasonable in the types of documents mentioned by Deputy Director Kaufman in his deposition testimony. Employers can use the following summary as a checklist of practices (albeit not necessarily all-inclusive) that should be avoided when evaluating existing safeguards for sensitive personnel information:
- Failure to properly encrypt data as needed;
- Poor username/password protocol, including the following missteps:
  - Failure to require complex passwords to access the computer system;
  - Use of common or known passwords;
  - Failure to require users to change passwords;
  - Failure to suspend users after repeated failed login attempts;
  - Allowing username and password sharing;
  - Permitting users to store passwords in unsafe cookies;
  - Failure to require user information, such as passwords, to be encrypted in transit; and
  - Allowing new user credentials to be created without checking them against previously obtained legitimate credentials.
- Failure to minimize the processing of personal information (e.g., by collecting more information than is needed to accomplish the purpose of the collection or by keeping data after it is no longer needed).
- Failure to train employees in proper data security.
- Failure to require by contract that third parties protect personal information;
- Failure to manage third-party access to data; and
- Failure to verify and authenticate the identity of third-party recipients.
- Failure to securely dispose of data.
- Failure to adequately inventory computers connected to the company’s network;
- Failure to employ adequate firewalls;
- Failure to limit computer connectivity to the company’s intranet/network;
- Failure to test the security of processes;
- Failure to remedy known security vulnerabilities (e.g., by failing to apply security patches);
- Failure to protect against common attacks, such as Structured Query Language (SQL) injection attacks and Cross-Site Scripting (XSS) attacks;
- Failure to set up a system of public feedback for vulnerabilities; and
- Failure to implement procedures to detect unauthorized access.[1]
This summary of unreasonable practices is also useful because employers could find themselves in the crosshairs of an FTC enforcement action. Although the FTC focuses its attention primarily on consumer injury, the FTC has pursued enforcement actions for security breaches involving employee data in at least two cases. In one case, a provider of payroll services settled an FTC complaint that it had exposed the personal information of its customers’ employees. This case is not a pure employee data case because the employees worked for the defendant’s customers, not the defendant itself. Nevertheless, the case indicates that the FTC considers employee data to be within its purview.
In the other case, an enforcement action against a large drugstore chain, the FTC alleged that the company exposed the personal information of both its customers and employees by discarding confidential information in publicly accessible garbage bins without first shredding it. What seems to have emerged, then, is a “shoulder jurisdiction” in which the FTC may pursue breaches of employee data as long as consumer data has also been compromised. Because many employers manage some consumer data, a breach exposes them to enforcement risk under this approach.
Recommendations for Employers
To reduce enforcement risk, employers should consider taking the following steps:
- Establish an information security program that follows industry data security standards and avoids the pitfalls listed above;
- Implement information security throughout the organization; and
- Seek counsel immediately upon becoming aware of a security incident.
[1] Professors Daniel Solove and Woodrow Hartzog include a useful discussion of these guidelines in their article The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014).