Tag Archives: enforcement

FTC Brings the Enforcement Hammer for EU-US Privacy Shield Misrepresentations

For the first time, the Federal Trade Commission has brought enforcement actions, three of them, against companies for misleading consumers about their participation in the EU-U.S. Privacy Shield framework.

EU-U.S. Privacy Shield

The Privacy Shield framework allows companies to transfer consumer data across the pond from EU member states to the U.S. while complying with EU data protection law. Privacy Shield was created to replace the U.S.-EU Safe Harbor framework, which the Court of Justice of the European Union invalidated in 2015.

To participate in the framework, a company must self-certify with the U.S. Department of Commerce and demonstrate compliance with the Privacy Shield Principles. The Department of Commerce maintains the list of active participants, while the FTC enforces compliance.

During Safe Harbor’s tenure as the preferred data transfer mechanism between the EU and U.S., the FTC brought 39 enforcement actions against companies for noncompliance. Now we see the first three enforcement actions under the newer Privacy Shield framework.

Privacy Shield Enforcement

The FTC announced that three companies violated the FTC Act by making false claims to consumers about their Privacy Shield certification. None of the three had actually completed the certification process.

  • HR software company Decusoft LLC falsely stated in its privacy policy that it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.”
  • Printing services company Tru Communication (aka TCPrinting.net) falsely stated in its privacy policy that it “will remain compliant and current with Privacy Shield at all times.”
  • Real estate management company Md7 LLC falsely stated in its privacy policy that it “complies with the EU-U.S. Privacy Shield Framework.”

Acting FTC Chairman Maureen K. Ohlhausen notes, “Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce. Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

Under the settlement orders, the three companies are prohibited from misrepresenting their participation in any privacy or data security program sponsored by a government or regulatory agency.

Key Takeaways

What can other companies learn from the mistakes in these cases?

The FTC is committed to taking action against misrepresentations of Privacy Shield participation. Given its prior settlements under the Safe Harbor framework, the FTC is being consistent in holding companies accountable.

The FTC advises, “If you apply to participate in Privacy Shield, follow through. If you apply but then decide not to participate, don’t tout your compliance in your privacy policy or elsewhere on your website. Furthermore, if the Department of Commerce contacts your company about a deficient or incomplete application, it’s wise to heed the warning by completing the self-certification process in a timely manner or by removing any false statement regarding participation in the Privacy Shield Framework.”

OCR Penalty: Unencrypted Laptops Result in Steep Fines for Small Breaches

The Office for Civil Rights (OCR) sent a strong message to the healthcare community with its third-ever civil monetary penalty, totaling $3.2 million.

Children’s Medical Center of Dallas – part of the seventh-largest pediatric health care provider in the nation – suffered two data breaches caused by a lack of encryption. The hefty fine stems from OCR’s investigation, which uncovered longstanding failures to comply with HIPAA’s rules.

Data Breaches

Children’s first filed a breach report with OCR in January 2010. An employee had lost an unencrypted BlackBerry device, with no password protection, at the Dallas airport in November 2009. The device contained the electronic protected health information (ePHI) of 3,800 individuals.

Children’s filed a separate breach report with OCR in July 2013, this time due to the theft of an unencrypted laptop from its premises in April 2013. The device contained the ePHI of about 2,500 individuals.

In this case, several physical safeguards were in place to protect the laptop storage area, namely badge access and a security camera at one entrance. However, access to the area had been granted to members of the workforce who weren’t authorized to access ePHI, so the physical controls did not enforce least privilege for the data they were meant to protect.

HIPAA Violations

OCR levied the civil monetary penalty, rather than coming to terms on a settlement, due to widespread failures related to HIPAA compliance. Specifically, OCR noted two crucial HIPAA failures:

  • Failure to implement risk management plans, contrary to external recommendations
  • Failure to deploy encryption, or an equivalent alternative safeguard, on laptops, workstations, mobile devices, and removable media until 2013

The key issue leading to the penalty was the medical provider’s failure to fix known problems for an extended period of time. Children’s had an independent firm conduct a gap analysis in 2006 and again in 2007, which highlighted the risks to unencrypted ePHI by March 2007 at the latest. A separate analysis was performed in 2008 to address threats and vulnerabilities affecting certain ePHI.

Children’s was aware of the risks posed by its unencrypted devices and failed to act until 2013.

Acting OCR Director Robinsue Frohboese noted, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Key Takeaway

OCR hasn’t slowed down its HIPAA enforcement so far in 2017. This case is unusual for a few reasons: the total number of affected individuals was under 6,000, yet the case involved multiple breaches of unencrypted devices, and the penalty focused on Children’s failure to mitigate security issues it already knew about.

OCR demonstrates once again that it isn’t afraid to levy heavy fines for widespread non-compliance in safeguarding ePHI. Healthcare organizations should take this enforcement action as a warning: fix the problems you’ve identified! When your risk assessments identify gaps and vulnerabilities, prioritize and address those areas in your risk mitigation efforts, and document what was done and when.

SEC Cybersecurity Investigations: How-to-Guide

Hunton & Williams LLP partners Lisa Sotto, Scott Kimpel, and Mathew Bosher published an article in Westlaw Journal’s Securities Litigation & Regulation entitled SEC Cybersecurity Investigations: A How-to-Guide. The article outlines the Securities and Exchange Commission’s (SEC) expanding role in cybersecurity regulation and enforcement.

Here are a few of the tips mentioned for surviving the SEC’s investigative process:

  • React swiftly after receiving an informal inquiry or subpoena. The timing and attentiveness of an organization’s response help demonstrate a proactive approach.
  • Take action to preserve documents and information as soon as you hear from SEC staff. A surefire way to hurt yourself in an investigation is failing to preserve documents or information that the staff may deem relevant.
  • Request access to, and a copy of, any subpoena or formal order.
  • Consider the pros and cons of disclosing the investigation to investors.
  • Request to view the staff’s investigative file when there is a Wells notice. Sometimes the staff will allow the organization’s counsel to review documents or testimony.
  • During the Wells process, request to meet with senior leadership of the enforcement staff. This gives your organization a chance to learn the senior staff’s theories of potential liability and to make the best case for why the investigation should be closed without enforcement action.

Organizations under SEC jurisdiction should be aware of the SEC’s expanding oversight of cybersecurity issues. Enforcement of the federal securities laws in this area is expected to increase and could cover data breaches as well as basic failures to establish an adequate information security program.