While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing. During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).
FTC
The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices. The FTC has the power to regulate unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. In 2011, there were several noteworthy FTC actions in the privacy sector.
- Google Buzz: The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz. The settlement bars the company from future privacy misrepresentations. Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years. Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
- Playdom: Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent. The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom, for $3,000,000. COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information about children under 13 (including name, address, email address, telephone number, social security number, etc.) without verifiable parental consent. The FTC has online resources for those interested in learning more about COPPA.
- Facebook: Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement in November of 2011. As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses. The focus of the FTC seemed to be on the sharing of user information and on making certain user information available without clear consent. Similar to the Google Buzz settlement, Facebook agreed not to misrepresent its privacy controls. Independent audits for the next 20 years are also part of the settlement.
With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012. The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?
DOE
We have seen investigations by the DOE following data breaches involving educational institutions pursuant to the Family Educational Rights and Privacy Act (FERPA). While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public. We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, the establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.
HHS OCR
Since the enactment of HITECH, and with its enforcement authority over the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations. Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation. While penalties are available, we have not seen significant activity in this regard. Still, there were two civil penalties assessed in 2011 that may be a warning call that HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations. The first penalty was for $1M and involved Massachusetts General Hospital. There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS. The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to their medical records. Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation. With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.
State AGs
2011 brought additional activity by state AGs. AGs have enforcement authority over their own state data breach laws in most cases, as well as enforcement authority under HITECH. Two actions came out of Massachusetts that should be closely followed. The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain. On March 28, 2011, the Briar Group became the first company to be fined under the Massachusetts Data Privacy Law. In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry security standards. The second action involved Belmont Savings Bank and a $7,500 fine. The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to have been discarded in a trash can by a cleaning company. The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information. Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach. WellPoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement of up to $50,000 to any WellPoint consumer for losses that result from identity theft due to the incident. The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.
In addition, HHS conducted HITECH enforcement training sessions for state AGs this year. Now that the training has been completed, we expect to see increased activity in 2012.
These are some of the 2011 regulatory highlights. Other agencies have been active as well. No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation. As we discussed here, regulators expect a prompt and thorough response, transparency, and involvement by the C-Suite.