If you had asked me ten years ago whether privacy would become the focus of government enforcement actions, I would have brushed aside the issue with a cavalier – “No Way!!” In the aftermath of 9/11, there was always a focus on privacy concerns when it came to government surveillance and collection. In the last five years, we have seen a dramatic increase in privacy surveillance and collection by the private sector.
In the past, the government’s focus on protecting privacy grew out of personal health information and the importance of protecting a patient’s privacy. With the advent of technology, smartphones and our digital society, consumer privacy is becoming an issue for compliance officers and information technology specialists.
The FTC is now leading the charge on this issue – and they are gearing up for major enforcement actions. Companies would be wise to add this to the list of risks for evaluation and ranking.
In a recent speech, FTC Chairwoman Edith Ramirez warned companies which collect and store consumer data that the FTC is going to monitor industry efforts to protect the privacy of consumer information. In particular, she cited “big data” companies which collect, store and manage such information, especially when it comes to information about consumers’ health, Internet activity and purchasing practices.
The FTC wants Congress to enact new privacy legislation which would address today’s technologies. Right now, the FTC is stuck with applying the broad “unfair or deceptive” practices standard to protect consumer privacy interests. It is not as clear cut a standard when it comes to privacy concerns since it hinges on whether companies adhere to privacy promises they make to consumers. In more specific cases involving credit reports and credit reporting, the FTC can rely on the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act.
Chairwoman Ramirez warned companies to avoid wholesale collection of consumer data without regard to specific reasons for collecting categories of information; to restrict use of consumer data to authorized purposes; to implement reasonable security measures; and to avoid a lack of transparency about the use of information and in disclosures to consumers about how such information will be used.
The FTC has taken significant steps to back up its warnings – it recently subpoenaed nine data brokers to produce voluminous information about their collection and disclosure practices and policies.
In a recent administrative action, in response to two separate data breaches affecting a total of approximately 10,000 consumers, the FTC filed a complaint against LabMD, Inc., a medical testing laboratory, for failing to reasonably protect personal and medical information. The first breach involved the theft of information of 500 individuals by identity thieves, and the second breach involved around 9,500 consumers’ billing information (e.g., SSNs, DOBs, medical treatment codes, financial information).
In its complaint the FTC cited LabMD for failing to (1) implement a “comprehensive data security program;” (2) identify security risks and vulnerabilities relating to storage of this information; (3) use appropriate measures to prevent employees from accessing personal information; and (4) train employees on security policies and practices.