FTC Enforcement

Federal Trade Commission regulatory and enforcement actions related to the privacy and security of sensitive consumer information, including but not limited to consumer health information, that is accessed, collected, transmitted or maintained via internet websites, cloud servers, peer-to-peer (P2P) networks, etc.

FTC issues Final Order and data security lessons in LabMD case

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security , , , , , , ,

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

Kathie McDonald-McClure Data Privacy & Security, FTC Enforcement, Health Information Technology , , , , ,

Healthcare_Apps_for_Android_TabletsOn Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time.  ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties.  ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading

Kentucky Chamber To Host Cyber Security Seminar on December 17, 2015

Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement ,

KY Chamber Cyber Security Seminar 2015

Data privacy and security issues are bursting at the seams in ALL industry sectors due to the ability to connect to the internet through networks, apps and a multitude of devices that enable individuals and organizations to collect, transmit, store and use information in a multitude of ways.  Connecting to the internet poses privacy and security risks regarding confidential information that, if used or disclosed in certain ways, can result in significant financial and reputational harm to the entity, its employees, clients, customers and others.

  • Is your company counting on you to make sure it doesn’t have a data breach and end up on the front page?
  • Do you know the latest ways that cyber thieves are trying to gain access to your data?
  • Are you learning from others’ mistakes, so that your company doesn’t have to learn the hard way?
  • Are your policies in step with state and federal laws and regulations as well as government enforcement trends?
  • Do you have a plan for dealing with the financial hit that would accompany a data breach?

If these questions have been weighing on you, as your company’s CEO, CFO, IT manager, HR manager, in-house counsel or risk officer, come to a one-day conference on December 17, 2015, in Lexington, Kentucky, hosted by the Kentucky Chamber of Commerce and sponsored by Wyatt, Tarrant & Combs, LLP.  Learn about trends in security, legal compliance, risk management and law enforcement on cyber security and data protection and gain practical, hands-on information that you can take back to your company, which will begin paying dividends right away.  Continue reading

FTC Releases Report and Practical Advice on the Internet of Things

Margaret Young Levi FTC Enforcement, Privacy & Security , , , , , , , , ,

On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.

InternetOfThings-01The FTC Staff Report defines the Internet of Things (IoT) as “the ability of everyday objects to connect to the Internet and to send and receive data.” Examples of such objects are bracelets that track fitness activities and share the data with friends, cameras that post pictures online, RFID tags to monitor inventory, and home automation systems to monitor lights, temperature and security and report to homeowners when they are away. In health care, such objects include medical devices that monitor vital signs and other patient data, such as insulin pumps and blood pressure cuffs, and then share this data with physicians and caregivers. Basically, the IoT is “essentially any other Internet-connected device that isn’t a mobile phone, tablet, or traditional computer.”

The number of “things” connected to the Internet is greater than the number of people, and, as of this year, there will be 25 billion devices connected to the Internet. But this increased connectivity comes with increased privacy and security risks. First, financial and personal data stored on these devices can be stolen. Second, when the objects are connected to a network, security vulnerabilities in the objects may Continue reading

After LabMD: FTC, What Do We Comply With?

Ann Feldkamp Triebsch Federal Law Resources, FTC Enforcement, Health Information Technology, Privacy & Security , ,

by Ann F. Triebsch

clip_image002As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches.  In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August, 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not.  For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough?  Should they be doing more to also demonstrate compliance to the FTC? Continue reading