Tag Archives: FTC

FTC Gets Thumbs Up to Act as Cybersecurity Cop: What Does It Mean for Your Business?


A recent federal court decision upheld the Federal Trade Commission’s (FTC) authority to take enforcement action on behalf of consumers against businesses that fail to take reasonable steps to secure sensitive consumer information.

The U.S. Court of Appeals for the Third Circuit ruled that the FTC could proceed with a lawsuit alleging that hotel chain Wyndham Worldwide Corp. was, at least in part, responsible for the three unauthorized intrusions it experienced over the span of two years, which compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges. The FTC alleged that Wyndham had engaged in cybersecurity practices that, collectively, were unfair and unreasonable, resulting in unnecessary exposure of consumers’ sensitive data. The Wyndham practices cited by the FTC as unfair and unreasonable included, but were not limited to, lax password management, lack of appropriate firewall protection for consumer data, use of outdated software and failure to follow proper incident response procedures.

Going forward, based on the reasoning of the Wyndham decision, it is going to be difficult for any business, large or small, to take the position that it was somehow unaware of the importance of cybersecurity. As such, it is imperative that your business have appropriate cybersecurity practices and policies in place for the protection of sensitive consumer information. When reviewing your business’s current cybersecurity practices and policies, keep in mind the following principles:

• Be aware of all the personal information collected, retained and shared. Review your systems to learn how your business and/or vendors use consumer data. Restrict access to sensitive data to only those employees or vendors with a “need to know.”
• Keep only personal information required for legitimate business operations. If you don’t need it, don’t keep it.
• Use physical and electronic security to protect the information your business retains. Such security could include firewalls, encryption of sensitive data or password management rules.
• Properly dispose of personal information as soon as it is no longer necessary for business operations. When disposing of old computers and portable storage devices, use software that securely erases data.
• Have a plan to respond to security incidents. Designate someone on your staff with sufficient authority within your organization to coordinate and implement the response plan. Investigate security incidents immediately.

Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions or would like to discuss your business’s cybersecurity practices and policies.


EEOC And The Federal Trade Commission Remind Employers Of Their Duties When Using Background Checks

In two technical assistance documents issued earlier this year, the EEOC and the Federal Trade Commission (FTC) joined together to remind employers and employees of their obligations and rights when employers conduct background checks of employees. Such background checks must comply with the provisions of the Fair Credit Reporting Act, which is enforced by the FTC.

Pre-Report Obligations. Prior to obtaining background information, such as a credit or criminal background report, the employer must act as follows:

1. In writing, and in a stand-alone format, the employer must advise the applicant that the company may use the information for decisions about their employment. That notice cannot be in an employment application. Additional information may be communicated to the applicant at that time only if it does not confuse the notice.

2. If the employer seeks a report based upon interviews with acquaintances of the applicant concerning character, lifestyle, personal characteristics or reputation, the company has to tell the applicant of the right to obtain a description of the nature and scope of the investigation.

3. The employer must obtain the employee’s written permission to do the background check. That permission can be obtained in the same document used to notify the applicant that the employer will obtain a report. If that authorization is to extend to additional background reports during the employee’s employment, the authorization must clearly and conspicuously make that statement.

4. The employer must, obviously, certify to the company from which it is obtaining the report that it had notified the employee and received their permission, that they complied with all the FCRA requirements, and that they will not discriminate against the applicant or otherwise misuse the information.

Adverse Action. When an employer takes an adverse employment action against an applicant or an employee based on background information, it must act as follows:

1. Before taking an adverse employment action, the employer must give the applicant or employee a notice that includes a copy of the consumer report the employer relied on and a copy of “A Summary of Your Rights Under the Fair Credit Reporting Act.” That form has been updated.

2. After the employer takes an adverse employment action it must inform the employee (orally, although a better practice is in writing or electronically) that they were rejected because of the information in the report, provide the name, address and phone number of the company that provided the report, confirm that the company selling the report did not make the hiring decision and cannot provide the reasons for which the decision was made, and inform the employee that they have a right to dispute the accuracy or the completeness of the report and to get an additional free report from the reporting company within 60 days.

The new information also provides that the employer may dispose of background reports when it is done using them, but only securely by, for example, burning or shredding them.

Complying with these requirements matters because there have been a number of class actions by employees or applicants against employers for violating the provisions of the FCRA. Employers who use background reports with regularity should reexamine their protocol for providing information to the applicant or the employee to avoid becoming the target of yet another class action.


New Sheriff In Town: FTC Enters The Fray As A Federal Enforcer Of Healthcare Data Breaches

Over the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding $10 million since June 2013. Despite these increased enforcement efforts, however, the Federal Trade Commission (“FTC”) has now entered the fray as an additional federal enforcer of healthcare data breaches.

In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information. The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act. In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act. On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding. Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.

Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and state Attorneys General, who are given direct enforcement power under HIPAA, because the FTC has now clearly asserted itself as an additional regulator of healthcare data breaches. Businesses should remain diligent in their HIPAA compliance efforts, as a breach of PHI may result in multiple enforcement actions. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.
