Mid-Atlantic Health Law TOPICS
FTC Doubles Down on HIPAA
A version of this article was published in The Daily Record on April 19, 2016.
Because health care providers are governed by the Health Insurance Portability and Accountability Act (HIPAA), they do not usually worry about the authority of the Federal Trade Commission (FTC) in regard to data security. However, the FTC's actions against LabMD and the Wyndham hotels may turn that belief on its proverbial head.
A. The FTC Act
The FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." To be unfair, an act must cause or be likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits to consumers or competition. An act is deceptive when it involves a material representation or omission that is likely to mislead a reasonable consumer.
Since 2005, the FTC has been using this unfair or deceptive prohibition to bring enforcement actions against companies whose deficient cybersecurity measures fail to adequately protect consumer data from hackers.
B. The Wyndham Facts
In 2010, Wyndham learned that its computers had been hacked on three occasions - first in 2008 and then again twice in 2009 - resulting in the theft of personal and financial information of hundreds of thousands of consumers, as well as over $10.6 million in fraudulent charges.
The FTC sued Wyndham in 2012, claiming that Wyndham's deficient cybersecurity practices constituted an unfair practice in that they unreasonably exposed consumers' personal data to unauthorized access and theft. It also claimed that Wyndham's privacy policy was deceptive in that it substantially overstated the company's cybersecurity measures.
In particular, the FTC claimed that:
1. Wyndham allowed storage of payment card information in clear, readable text.
2. Wyndham allowed use of easily guessed user IDs and passwords.
3. Wyndham failed to use "readily available security measures" - such as encryption, firewalls and other commercially available means - to limit access between the property management systems, corporate network and the internet.
4. Wyndham allowed its branded hotel property management systems to connect to the Wyndham network without taking appropriate cybersecurity precautions, such as at least installing the latest operating system security updates and requiring more than default user IDs and passwords. And because it did not manage an inventory of devices connected to its network, Wyndham was unable to identify the source of the cybersecurity attacks.
5. Wyndham failed to adequately restrict third party vendor access to its network and servers and those of its branded hotels.
6. Wyndham failed to employ reasonable measures to detect and to prevent unauthorized access to its network or to conduct security investigations.
7. Wyndham did not follow proper incident response procedures, failing to monitor its network for malware used in previous intrusions. If it had, it would have detected that the hackers used similar methods in each attack.
8. Wyndham's published privacy policy stated that it used a variety of different security measures, including 128-bit encryption, to protect personally identifiable information from unauthorized access when, in fact, it did not.
C. The Court's Decision
Wyndham sought to dismiss the case arguing that the FTC did not have the authority to regulate cybersecurity under its "unfair or deceptive acts" mandate. Alternatively, if the FTC did have the authority, Wyndham argued that it did not have fair notice that its cybersecurity practices fell short of the FTC's requirements.
The appellate court (the U.S. Court of Appeals for the Third Circuit) ruled against Wyndham on both arguments, most importantly affirming the FTC's authority to bring data security enforcement actions under the unfairness prong of the FTC Act. The court also held that the FTC was not required to give companies certainty as to which cybersecurity practices were required to avoid an FTC action.
Furthermore, the court found Wyndham's argument that it did not have fair notice of its cybersecurity obligations to be specious in light of the FTC's various publications. For example, the FTC website includes a guidebook for businesses describing a checklist of practices that form the basis of a sound data security plan, advice that Wyndham did not heed; and the FTC publishes its cybersecurity enforcement actions on its website.
Moreover, the court noted that the FTC did not allege that Wyndham used weak firewalls, IP address restrictions, passwords and encryption software. Rather, the FTC alleged that Wyndham failed to use any such protections - even after having been hacked previously. By the third incident, Wyndham was not only on notice that its practices fell short, but also that the statements in its published privacy policy about its cybersecurity precautions were deceptive to the consumer.
D. Application to Health Care
The Wyndham decision holds that the FTC can continue its enforcement actions over cybersecurity breaches. But Wyndham is not a health care provider. So why should the health care industry be concerned? The reason is that in 2013, the FTC filed a complaint against a medical testing laboratory, LabMD, alleging that it failed to protect the security of consumer personal data after LabMD's systems were found to have been breached on two separate occasions.
The FTC's allegations against LabMD are similar to those asserted against Wyndham, except this time they are made against an entity regulated by HIPAA. LabMD has asserted that HIPAA trumps FTC jurisdiction.
The FTC's complaint against LabMD was dismissed by the FTC's administrative law judge on November 19, 2015, because the FTC failed to prove that LabMD's alleged unreasonable conduct caused or was likely to cause substantial injury to consumers, as the FTC Act requires. The FTC has appealed the decision to the full Commission.
Therefore, the spectre of dual enforcement against HIPAA regulated entities by both the FTC and the Department of Health and Human Services' Office for Civil Rights, the agency charged with HIPAA enforcement, is very real, but it is also very unsettled.