Cybersecurity: Finally Some Law – Understanding U.S. Standards Post-LabMD

This bulletin is the second of a two part series reviewing recent Canadian and U.S. regulatory guidance on cybersecurity standards in the context of sensitive personal information.  In the first bulletin, previously published on January 10^th, we reviewed guidance from the Office of the Privacy Commissioner of Canada (the “OPC”) and the Australian Privacy Commissioner (together with the OPC, the “Commissioners”) in their published report (the “Report”) on their joint investigation of Avid Life Media Inc. (“Avid”).  In this second bulletin we review additional guidance provided by the U.S. Federal Trade Commission (the “FTC”) in its opinion LabMD, Inc. v. Federal Trade Commission (the “FTC Opinion”), and draw certain conclusions as to what Canadian and U.S. regulators consider to be reasonable and appropriate privacy security measures.

1. The FTC Opinion:  Protecting Networks and Employing Adequate Risk Assessment Tools

The FTC Opinion is helpful in that it reinforces the importance of risk assessment, which the Commissioners had also emphasized in the Report as a key element of a risk management process (which in turn was one of the three requirements of an information security governance framework).

Like the Commissioners, the FTC identified risk assessment to be a fundamental starting point to any data security practice. The FTC pointed to three examples of sources setting out the standard for such risk assessment;

1. the regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which require covered entities like LabMD that transmit health information to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected information held by the covered entity,”[1] are identified as providing “a useful benchmark for reasonable behavior;”
2. the National Institute of Science and Technology guidelines regarding risk management for information technology systems, which are identified by the FTC as providing a framework for risk management for information technology systems that includes testing for the presence of vulnerabilities;[2] and
3. the industry standard, since 2005, to use intrusion detection systems and file integrity monitoring products to assess network risks.

(i)     Safeguards that LabMD had in Place

In its investigation, the FTC found that LabMD only employed the following risk assessment tools:

1. antivirus programs,
2. firewall logs, and
3. manual computer inspections.

(ii)     Safeguards that LabMD should have had in Place

However, the FTC found that LabMD failed to employ adequate risk assessment processes and to protect its computer network as it did not:

1. have any intrusion detection systems;
2. perform any file integrity monitoring;
3. perform system penetration testing before the data breach in question;
4. in connection with the antivirus programs, consistently update virus definitions, or run and review virus scans;
5. use the manual inspections to detect security risks, but merely to respond to complaints about computer performance, and or to identify more than only a limited scope of vulnerabilities (LabMD did not establish “walk-around inspections,” until the data breach in question, at which point even then the inspecting IT employees did not follow-any written checklist); or
6. implement effective firewalls, as (a) the firewalls were not configured properly, and (b) the firewall logs and network activity logs were not reviewed except in connection with troubleshooting a problem (thus, for example, there was no effort to monitor outgoing traffic for items like social security numbers).

2. The FTC Opinion:  Restricting and Monitoring the Computer Practices of Users

The last information privacy safeguard failure emphasized by the FTC Opinion was LabMD’s inadequate restrictions on, and monitoring of, the computer practices of its users in order to ensure that the “need to know” principle was being followed by those users.

The FTC again identified two benchmarks as substantiating this requirement:

1. the National Research Council, which has recommended that “[p]rocedures should be in place that restrict users’ access to only that information for which they have a legitimate need;” and
2. HIPPA, which requires covered entities to implement policies and procedures for authorizing “access to electronic protected information” and “to prevent those workforce members who do not have access … from obtaining access to electronic protected health information.”

(i)     Safeguards that LabMD had in Place

The LabMD employee handbook stated that:

1. sharing health information unnecessarily was illegal, and
2. users must obtain approval before adding or removing programs from their computers.

(ii)     Safeguards that LabMD should have had in Place

However, the FTC found that LabMD in practice did not adequately limit or monitor employees’ access to the sensitive personal information of patients or restrict employee downloads to safeguard the network. Specifically, LabMD:

1. turned off the feature preventing employees from accessing personal information not needed to perform their jobs on its laboratory information software, allowing even college students hired on a part-time basis to access patients’ medical and other sensitive information;
2. permitted sales representatives to use login credentials of its physician-clients to log in to its laboratory information software, which gave the sales representatives access to patient information;
3. did not have a data deletion policy and never destroyed any patient or billing information it received since it began operating, exacerbating the issue by greatly increasing the amount of personal information that it held;
4. did not adequately restrict or monitor what employees downloaded onto their work computers; and
5. until 2009 - the year following 2008 when the data breach was detected - allowed both LabMD’s management and sales employees to have administrative rights over their computers, allowing them to change security settings and download software applications and music files from the Internet; and did not follow the Software Monitoring Policy included in the LabMD Policy Manual, that stated that each user’s “’add/remove’ programs file” would be reviewed to ensure there were appropriate applications for that specific user.  The FTC Opinion noted that, if LabMD had merely followed this Policy, the software program that ultimately caused the personal data to be exposed would have been detected or prevented from being installed.

3. Conclusion

The Report and the FTC Opinion provide some additional insights, at a minimum (for the Report, under Canadian privacy law and, for the FTC Opinion, under U.S. law) into what is required in order for the privacy security measures of an organization to be considered to be reasonable and appropriate in connection with the collection, use or disclosure of sensitive personal information.

Some of the key requirements include:

1. Implementation of an adequate and coherent governance framework, which includes (a) documented information security policies and practices; (b) an explicit risk management process; and (c) adequate training.
2. Use of multi-factor authentication, and implementation of strong key and password management practices.
3. Protecting networks and employing adequate risk assessment tools, including using intrusion detection and prevention systems; performing data loss prevention monitoring, file integrity monitoring, and login monitoring; implementing a security information and event management system; performing system penetration testing; consistently updating virus definitions and running and reviewing virus scans; using manual inspections to detect security risks; and implementing effective firewalls.
4. Restricting and monitoring the computer practices of users on a need-to-know basis.

While the additional guidance above is helpful, we nevertheless have two conclusions:

First, we advise all Canadian organizations to note that these compliance requirements are strictly based on the sensitivity of the personal information, irrespective of the size, revenue or profile of the organization holding such information. 

We direct our second conclusion at the privacy regulators.  It remains extremely troubling that in order for organizations to obtain practical details as to how the privacy regulatory authorities expect the principle of appropriate and reasonable privacy safeguards to translate into specific physical, organizational and technological policies, procedures and measures, other organizations must first be investigated and penalized for failing to have implemented such undefined measures in the first place.  At best this weakens the ability of well-intentioned organizations to comply with the law, and at worst this breaches the principle of legal certainty – that is, the key principle in national and international law which holds that the law must provide those subject to it with the ability to regulate their conduct.

In light of the foregoing, and in particular given increasing concerns regarding cybersecurity risks, it remains incumbent upon the regulators to provide greater guidance – a priori – as to what physical, organizational and technological measures will meet the reasonable and appropriate standard for privacy safeguards.

[1] 45 C.F.R. 164.308(a)(1)(ii)(A).

[2] CX0400 at 17-18 (NIST Special Publication 800-30 (Risk Management Guide for Information Technology Systems) (2002).