The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative. The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.
The OCIE Summary made the following observations:
- the majority of examined broker-dealers and advisers have adopted written information security policies;
- the majority of examined firms conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities;
- most of the examined firms reported that they have experienced cyber-attacks directly or through one or more of their vendors; and
- almost all of the examined firms make use of encryption in some form.
The OCIE also identified key differences in practices between broker-dealers and advisers, including that broker-dealers were more likely to: (1) incorporate cybersecurity risk policies into contracts with vendors; (2) explicitly designate a Chief Information Security Officer; and (3) maintain insurance for cybersecurity incidents.
FINRA also recently released a Report on Cybersecurity Practices, which presents firms with an approach to cybersecurity grounded in risk management. FINRA’s Report recommends:
- a sound governance framework with leadership engagement on cybersecurity issues;
- risk assessments;
- technical controls and strategy that fit the firm’s individual situation;
- testing response plans, which should include containment, mitigation, recovery, investigation, notification and making consumers whole;
- exercising due diligence when contracting with and using a vendor;
- training staff to prevent unintentional downloading of malware; and
- engaging in collaborative self-defense with other firms by sharing intelligence.
For more information and resources related to the SEC and FINRA’s examination of cybersecurity, check out Christopher Varano’s post on Fox Rothschild’s Securities Compliance blog.
Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.
The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.” The guiding principles of the draft bill are: individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.
But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.
FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.” However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House. FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.
Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”
To review the administration’s proposed bill, click here.
New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey. Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person). “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:
* Social security number
* Driver’s license number or State identification card number
* Individually identifiable health information as defined under HIPAA
Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law. “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tablets or other mobile devices, or removable media.”
The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA. For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier. A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.
On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.
In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.
The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message. Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.
Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.
In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.” For more information from the FTC on marketing apps, click here.
More and more often, companies are realizing that a consumer has provided her information after having previously opted out of marketing. For example, a company collects contact information online and sends the consumer an email marketing its services, and she opts out of further email marketing by following the “opt-out” procedures in that email. Six months later, the same consumer participates in a survey sponsored by the same company, the terms of which state that by participating in the survey the consumer consents to receive further marketing communications from the company. Is the company bound by the consumer’s prior opt-out, or does her participation in the survey under rules permitting marketing override the original opt-out?
There is no one size fits all answer to the above situation. Undoubtedly the company would be in a much better position if there is an unpopulated checkbox on the survey asking the consumer if she would like to receive future marketing. In that case, there is an affirmative act by the consumer that almost certainly revokes the prior opt-out.
If your company finds itself in a situation where it is receiving a consumer’s information repeatedly, or it is reasonably likely that this scenario could arise, speak with your privacy counsel to discuss your options and the risks associated with each option. Planning for this scenario in advance will give your company much greater flexibility when and if the issue arises.
Fox Rothschild Partner Scott L. Vernick was recently a guest on The Willis Report to discuss the fallout from the hacking of Sony Pictures Entertainment.
Click here to view the segment.
The Federal Trade Commission recently announced that it settled charges against a health billing company and its former CEO that they misled consumers who had signed up for their online billing portal by failing to inform them that the company would seek detailed medical information from pharmacies, medical labs and insurance companies.
The Atlanta-based medical billing provider operated a website where consumers could pay their medical bills, but in 2012, the company developed a separate service, Patient Health Report, that would provide consumers with comprehensive online medical records. In order to populate the medical records, the company altered its registration process for the billing portal to include permission for the company to contact healthcare providers to obtain the consumer’s medical information, such as prescriptions, procedures, medical diagnoses, lab tests and more.
The company obtained a consumer’s “consent” through four authorizations presented in small windows on the webpage that displayed only six lines of the extensive text at a time and could be accepted by clicking one box to agree to all four authorizations at once. According to the complaint, consumers registering for the billing service would have reasonably believed that the authorizations related only to billing.
The settlement requires the company to destroy any information collected relating to the Patient Health Report service.
This case is a good reminder for companies in the healthcare industry looking to offer new online products involving consumer health information that care must always be taken to ensure that consumers understand what the product offers and what information will be collected.
This week the Federal Trade Commission (FTC) fined TRUSTe, a company that endorses the data privacy practices of businesses, for misrepresenting its certification programs to consumers. TRUSTe offers Certified Privacy Seals, representing TRUSTe’s guarantee that e-commerce websites, mobile apps, cloud-based services, and child-centric websites are compliant with applicable regulatory mandates and employ best practices in protecting consumer information. To earn a Certified Privacy Seal, businesses must share their data privacy practices with TRUSTe, meet TRUSTe’s requirements for consumer transparency, and allow consumers to choose how personal information is collected and used.
However, once TRUSTe bestowed a Certified Privacy Seal on some companies, the FTC alleges that TRUSTe did little to ensure that these companies continued to follow TRUSTe’s best practices. TRUSTe admitted that it failed to conduct annual audits of previously certified websites, but reiterated that less than 10% of TRUSTe’s certifications were part of this oversight. You can read TRUSTe’s statement on its blog.
So, if you’re a business that deals with consumer personal information, is it worth the time and expense to receive third party certifications like those given by TRUSTe? It depends. Third party oversight may be valuable reassurance for your business, instilling confidence that all best practices and regulatory frameworks are identified and followed. However, don’t rely too heavily on such third party certification. While the FTC was silent on any ramifications for customers of TRUSTe, businesses should engage any third party certification with the mindset that the business itself is ultimately responsible for ensuring its privacy practices follow industry standards and meet all regulatory requirements.
I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s “List of Considerations” before signing. Michael’s list, included in an article he wrote that was recently published in the American Health Lawyers Association’s “AHLA Weekly” and available here, highlights practical and yet not obvious considerations. For example, will indemnification jeopardize a party’s cybersecurity or other liability coverage?
Data use and confidentiality agreements used outside of the HIPAA context may also include indemnification provisions that are triggered in the event of a privacy or security breach. Parties to these agreements should take a close look at these “standard” provisions and Michael’s list and proceed carefully before agreeing to indemnify and/or be indemnified by the other party.
On October 24, the Federal Communications Commission (FCC) threw its hat into the data security regulation ring when it announced it intends to fine two telecommunications companies $10 million for allegedly failing to safeguard the personal information of their customers.
Both TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) allegedly collected customers’ personal information, including names, addresses, Social Security numbers, and driver’s licenses, and stored it on servers whose contents were publicly accessible online and could be found through a simple Google search. The information could be accessed by “anyone in the world,” exposing their customers “to an unacceptable risk of identity theft and other serious consumer harms.”
According to the FCC, TerraCom and YourTel violated Sections 201(b) and 222(a) of the Communications Act of 1934 by:
- Failing to properly protect the confidentiality of consumers’ personal information, including names, addresses, Social Security numbers, driver’s licenses;
- Failing to employ reasonable data security practices to protect consumer information;
- Engaging in deceptive and misleading practices by representing to consumers in the companies’ privacy policies that they employed appropriate technologies to protect consumer information when they did not; and
- Engaging in unjust and unreasonable practices by not notifying consumers that their information had been compromised by a breach.
Whether the FCC’s announcement signals its intention to become yet another regulator of data security remains to be seen. But companies that collect and store customer personal information must take the initiative to ensure information is stored properly with appropriate data security safeguards in place. And safeguards are not enough. If, after investigation, a company uncovers a breach, it must timely notify customers in accordance with state law and federal regulations.
For more information about the FCC’s announcement, click here.