Everyone knows that the regulators have been going after businesses that don’t protect consumer information. Some people say they are to overreaching. Others say that they are not doing enough. Either way, the reality is that you have to deal with them. So who are they and who do they go after? Read on.
The FTC. The FTC has gone after businesses using section 5 of the FTC act – basically saying that the actions of a business represent unfair or deceptive practices. Recently, after the FTC went after Wyndham Hotels after a series of breaches, Wyndham went to court in an effort to get the courts to agree that the FTC had no jurisdiction over cyber security. Unfortunately, the courts did not agree and Wyndham settled (see article). Suffice it to say, the FTC’s jurisdiction covers anyone who is in business and they have levied multi-million dollar fines and consent decrees that allow them to watch over that business for 20 years.
The FCC. The FCC is a new player in the privacy regulation business. Their jurisdiction is limited to communications and broadcasters. Recently, they have gone after a number of businesses blocking WiFi signals in an effort to force you to buy their WiFi services at a hefty price. Marriott, Hilton, the Baltimore Convention Center and others have felt the wrath of the FCC (see article). This is a low risk regulator to most businesses.
The CFPB. The CFPB is a new regulator which came out of the Dodd-Frank Act and was created in 2010. Recently, they went after a small Fin-Tech company, Dwolla (see blog post) saying that they were lying about the cyber security measures they were providing to their customers. CFPB oversees financial institutions such as banks, insurance companies, fin-tech companies such as Dwolla, brokers, etc. In Dwolla’s case the fine was relatively small ($100k) and the duration of the consent order was short (5 years) compared to FTC actions. The CFPB’s reach covers anyone in the financial industry or supporting that industry and they are just beginning to figure out their role.
HHS Office Of Civil Rights (OCR). Health and Human Services enforces HIPAA and HiTech, specifically in the area of protecting your medical information. They have done some some enforcement actions in the past, but they have been a somewhat weak regulator in the area of privacy. Recently, they got beat up by their Inspector General’s office saying that they were being namby-pamby (see blog post), so it appears that they are stepping up enforcement. Their area of jurisdiction is health information, so if you are a medical or dental practice, insurance provider or a vendor to one of these businesses, you could come in their cross hairs. Still, they seem to be behind the power curve. Recently, they finally created a full time office to handle enforcement.
Earlier this month they fined North Memorial Health Care of Minnesota $1.55 million because they did not have policies in place to cover what their Business Associates (essentially, vendors and subcontractors) did with your data. This stemmed from a vendor of theirs had a laptop – UNENCRYPTED – with the medical records of 10,000 patients on it, stolen out of their car.
Also this month, HHS OCR fined the Feinstein Institute $3.9 million. This fine also was the result of an unencrypted laptop being stolen out of an employee’s car. This time it had 13,000 patient records on it. They were fined for not having encryption AND, not having a documented explanation why encrypting patient data wasn’t needed. HIPAA and HiTech don’t require encryption, but they do require a documented explanation of how you manage risk if you don’t implement reasonable controls.
They two cases date back to 2012. I assume this means that HHS OCR is still playing catch up and we don’t really know what this new office is going to do.
These are just a small sample of regulators that could come after a business that does not protect non public personal information of different varieties, depending what industry you are in.
I am sure that there are many more to consider, but suffice it to say, that almost every business could come into the cross hairs of at least one of these regulators.
So, if you collect non-public personal information, protecting that information should be a high priority for your business if you want to keep the privacy regulators at bay.
Information for this post came from Health Data Management.