The Federal Trade Commission (FTC) recently announced that it had settled its data privacy case against medical transcription firm GMR Transcription Services, Inc. (GMR) following allegations that GMR had failed to adequately protect the personal information of its consumers. The consent order signed by the parties is a particularly notable milestone in that it marks the FTC’s 50th settlement involving its data security program since the agency began enforcing data security more than a decade ago.
GMR found itself in the FTC’s crosshairs when a major search engine indexed medical transcript files GMR had prepared on behalf of its customers and made them publicly available on the Internet. According to the FTC complaint, these files contained sensitive personal information of adults and children, including names, dates of birth, social security numbers, driver’s license numbers, tax information, medical histories, healthcare providers’ examination notes, medications and psychiatric notes. In some cases, the files even contained information concerning drug abuse, alcohol use, mental health matters and pregnancy loss.
The company had, however, made a number of statements and other representations to its customers concerning its privacy and security practices, e.g., per its website and related marketing materials: “Why GMR Transcription Service?. . . Security Measures to Protect Your Confidentiality” and “From compliance training and secure systems to the confidentiality agreements, [GMR] covers all the aspects involved in HIPAA regulations.” Moreover, GMR stated on its website that it was a “HIPAA Compliant Medical Transcription Service.”
Notwithstanding these representations, the FTC alleged that GMR had engaged in practices that, “taken together, failed to provide reasonable and appropriate security to protect personal information in audio and transcript files.” For example, GMR failed to “require typists to adopt and implement security measures, such as installing anti-virus applications [and] adequately verify[ing] that [its service provider] had implemented reasonable and appropriate security measures to protect personal information.” According to the FTC, GMR could have corrected these failures “using readily available, low-cost security measures.” More importantly, however, affected individuals had no way of independently knowing that their sensitive personal information was at risk and therefore had no way of protecting themselves from harm arising from such failures. Based on the foregoing, the FTC argued that GMR’s acts and practices affected commerce unfairly and deceptively in violation of Section 5(a) of the Federal Trade Commission Act.
Per the terms of the settlement, GMR agreed, among other things, (1) not to misrepresent in any manner the extent to which it uses, maintains and protects the privacy and security of consumers’ personal information; (2) to implement a comprehensive information security program reasonably designed to protect the privacy and security of consumers’ personal information; and (3) to obtain initial and biennial assessments and reports from an independent third-party professional (e.g., a CISSP, a CISA, a GIAC or some other qualified person or organization approved by the FTC). The settlement agreement remains subject to public comment from January 31 to March 3, 2014, after which the FTC will decide whether to make the proposed settlement final.
In light of the foregoing, we offer the following practical pointers for all FTC-regulated entities:
Stay the course or have it enforced.
If you represent in your privacy policies (or otherwise) that you have implemented certain privacy and security measures, be sure you are doing so. Inaccurate or misleading policies can be as harmful as having none at all.
For return on investment, perform risk assessments.
Risk assessments often serve as the foundation upon which an entity’s entire privacy and security program is based. We cannot overemphasize the importance of performing thorough and complete risk assessments on your organization, and in appropriate circumstances, on your contractors and subcontractors. Taking the time on the front end to thoroughly evaluate your privacy and security infrastructure lessens the risk of loss, builds consumer trust, and boosts your corporate image.
Avoid FTC reach by preventing a breach!
While even the best practices may not always prevent a breach 100 percent of the time, FTC-regulated entities should nonetheless take reasonable and appropriate steps to avoid breaches, particularly those that may be foreseeable based on the results of a risk assessment.