August 2013 saw two significant developments in the Federal Trade Commission’s (FTC) ongoing efforts to make companies responsible for protecting the privacy and security of consumer data. First, the FTC announced that it had brought an administrative action against LabMd, a medical testing company that performs lab tests on patient samples provided by physicians. The FTC alleges that LabMd’s failure to take adequate and reasonable security measures resulted in the unauthorized disclosure of private consumer information including names, Social Security numbers, dates of birth, health insurance provider information, bank account information and standardized diagnostic codes for medical procedures. Second, TRENDnet, the maker of an Internet-connected home security video camera, settled charges the FTC had brought against it after hundreds of its customer’s private home security video feeds were made public on the Internet. The key insights these cases reveal can help inside counsel understand both the current risks associated with a data breach of consumer information and the best ways to avoid data privacy-related scrutiny from the FTC – and the attendant media spotlight that could follow.
1. The FTC uses the FTC Act to police U.S. business data security standards.
Analysis of the complaints filed against TRENDnet, LabMd--and others--reveal the kinds of conduct the FTC considers to be “unfair” when it allows third parties to access a consumer’s private information. Challenged conduct includes: