February Brings a Privacy Enforcement Storm: HHS, FTC and FINRA Act
This month, federal agencies and FINRA have announced significant privacy enforcement actions that have resulted in millions of dollars in fines. The U.S. Department of Health and Human Services (HHS) imposed a $4.3M fine on a health plan for violations of the HIPAA Privacy Rule; the Federal Trade Commission (FTC) settled with several resellers of consumer reports allegations that the resellers failed to adequately safeguard consumer information; and FINRA imposed a $600K fine on two securities firms for failure to safeguard access to customer records. Here are the details:
U.S. Department of Health and Human Services -- $4.3M fine, $105,000 per record
On February 22, 2011, the HHS issued a Notice of Final Determination finding that a health plan, Cignet Health of Prince George’s County, Md., violated the HIPAA Privacy Rule, and imposing a fine of $4.3 million on company. This marks the first time the HHS has imposed a civil monetary penalty for an entity’s violation of the HIPAA Privacy Rule. The HHS determined that Cignet violated 41 patients’ rights by denying the patients' requests for access to their medical records between September 2008 and October 2009. The HHS took action as a result of the patients’ individual complaints. The HHS has alleged that, during its investigation, Cignet refused to respond to the agency’s demands to produce the records. Additionally, Cignet is alleged to have failed to cooperate with the agency’s investigation of the complaints or produce the records in response to a subpoena. The HHS has found that Cignet failed to cooperate with the agency’s investigations on a continuing basis due to the company’s willful neglect to comply with the HIPAA Privacy Rule. The investigation was conducted by the HHS Office for Civil Rights.
Federal Trade Commission – 20-year consent order, over 1,800 records
On February 3, 2011, the FTC announced that three companies in the business of reselling consumers’ credit reports agreed to settle charges that they did not take reasonable steps to protect consumers’ personal information. According to the FTC’s complaint, the three resellers bought credit reports from the three nationwide consumer reporting agencies and combined them into special reports sold to clients such as mortgage brokers and others to determine consumers’ eligibility for credit. The FTC alleged that the resellers lacked information security policies and procedures and allowed clients that did not have basic security measures in place (such as firewalls or current antivirus software) to access their reports. According to the FTC, hackers exploited these vulnerabilities to access more than 1,800 credit reports without authorization through the resellers’ clients’ networks. In addition, the FTC alleged that after becoming aware of the data breaches, the companies did not make reasonable efforts to protect against future breaches.
The settlements require the resellers to strengthen their data security procedures and submit to audits for 20 years. David Vladeck, Director of the FTC’s Bureau of Consumer Protection noted that this enforcement action “should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it.” “Had these three companies taken adequate steps to ensure the use of basic computer security measures, they might have foiled the hackers who wound up gaining access to extensive personal information in the consumer reporting system,” added Vladeck.
FINRA -- $600,000 fine for failure to secure over 1M records
On February 17, 2011, the Financial Industry Regulatory Authority (FINRA) -- the largest independent regulator for all securities firms doing business in the United States -- imposed fines of $600,000 against a securities firm, Lincoln Financial Securities, Inc. and its affiliate, Lincoln Financial Advisors Corporation. FINRA alleged that the firms failed to adequately protect customer information, including by failing to require brokers working remotely to install security software on personal computers used to conduct securities business. FINRA found that for extended periods of time (between two and seven years) the firms’ employees were able to access customer account records through any Internet browser by using shared login credentials. According to FINRA, between 2002 and 2009, more than one million customer records were accessed through the use of shared user names and passwords. FINRA found that the firms did not have policies or procedures to monitor the distribution of the shared credentials, and were unable to track how many or which employees gained access to the customer information during this extended period security vulnerability. FINRA determined that these failures put at risk confidential customer information, including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details. FINRA also found that the firms did not have procedures to disable or change the shared user names and passwords on a recurring basis even after an employee had been terminated. This prevented the firms from determining whether former employees continued to access confidential customer information using the shared credentials.
In assessing sanctions, FINRA took into consideration the firms’ efforts to notify all customers whose account information was or may have been exposed and the firms' offer to the customers of credit monitoring and restoration services for a period of one year.
With privacy enforcement on the rise, it is not worth the financial and reputational risk to wait for a breach, an enforcement action or a critical media report before establishing a robust privacy and information security governance program. If your organization does not have such a program in place, now is the time to act. Legal compliance function, vendor management and appropriate privacy and information security provisions in vendor and customer agreements are just a few of the hallmarks of a program that could have helped avoid these enforcement actions.