The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

FTC Announces Settlement with Accretive Health over Data Security Practices

On New Year’s Eve, the Federal Trade Commission (“FTC” or “Commission”) announced that it had approved, 4-0, a settlement with Accretive Health, Inc. – a provider of medical billing and revenue services to hospitals nationwide – resolving allegations that the company failed to adequately protect sensitive consumer information, which resulted in a 2011 data breach. The settlement agreement does not impose a civil penalty, but Accretive Health is required to establish and implement a comprehensive information security program.

In the complaint, the FTC alleges that Accretive Health failed to implement reasonable and appropriate security measures and procedures to protect the personal information, which included sensitive health information, such as medical diagnostic information, billing information, and names, dates of birth, and Social Security numbers, of the patients of the company’s hospital clients. The FTC also claims that this failure led to an incident in July 2011, in which a laptop containing the sensitive information of 23,000 patients was stolen from an employee’s car. Permitting employees to transport laptops containing such sensitive personal information created unnecessary risks and exposed the company to theft, the FTC stated. Additionally, Accretive’s security procedures should have prevented employees from retaining consumers’ personal information when no longer needed and placed need-based restrictions on access to personal information.

Under the terms of the consent order, Accretive Health must establish, implement, and maintain a comprehensive information security program reasonably designed to protect consumers’ personal information. The program must: (1) designate an employee responsible and accountable for the program; (2) identify material and external risks that could result in a breach of security, and assess the adequacy of any safeguards; (3) design, implement, and regularly test and monitor the effectiveness of reasonable safeguards; (4) develop and use reasonable steps to select service providers capable of appropriately safeguarding personal information; and (5) evaluate and adjust the program in light of the required testing and monitoring. Additionally, the order requires a certified third party to evaluate the information security program initially and biannually for the next 20 years.

The complaint – the latest data security action the Commission has publicized – alleges that Accretive Health’s lack of adequate security measures constitutes an unfair practice, in violation of Section 5(a) of the FTC Act. This action serves as a reminder to companies that the FTC will continue to exercise its data security enforcement authority under the unfairness prong of Section 5, despite the challenges in court to that authority from Wyndham Worldwide and others.

Leave a comment

California Continues to Expand Consumer Privacy Protections, Enacting Further Amendments to CalOPPA and the Data Breach Notification Law

On September 27, California Governor Jerry Brown signed into law two bills—both to take effect January 1, 2014—that expand the online privacy protections for California residents.  These two new laws were the second and third enacted during September, as the Governor signed a bill imposing restrictions on the advertising of certain products marketed to minors earlier that week, and demonstrate that the California legislature continues to prioritize consumer privacy by amending its legislation to reflect changes in the way websites collect, and consumers provide, personal information online.

“Do Not Track” Disclosures

The first bill, AB 370, amends the California Online Privacy Protection Act (“CalOPPA”) (Cal. Bus. & Prof. Code § 22575 et seq.), requiring that the privacy policy posted on all commercial websites include a disclosure explaining how the website operator responds to mechanisms, such as “Do Not Track” signals, that provide consumers with the ability to exercise choice regarding personally identifiable information collection over time and across third-party websites.

The new law states that website operators may satisfy this requirement by providing a clear and conspicuous hyperlink in the privacy policy that links to a description, including the effects, of any program or protocol the operator follows that offers consumers that choice, but defines neither the content of the disclosure nor “do not track.”

Data Breach Notification for Disclosure of Online Account Access Information

The second bill, SB 46, amends California’s data breach notification law (Cal. Civ. Code § 1798 et seq.), adding to the definition of “personal information” certain information that would permit access to an online account, and imposing additional disclosure requirements if a breach involves personal information that would permit access to an online account or email account.  Specifically, the legislation adds to the definition of personal information “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”   A breach of this information, if unencrypted, of any California resident would trigger the state’s data breach notification obligations.

In the case of disclosure of this type of personal information, however, a company will be permitted to notify affected California residents by alternative means.  If the breach involves no other personal information, a company may notify the affected resident in electronic or other form that directs the resident to change his/her password and security question or answer, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts with the same user name or email address and password or security question and answer.

However, if the breach involves the login credentials of an email account furnished by the company, it cannot provide notification to that email address, but may provide notice by:  (1) one of the methods currently permitted under the law for notification of a breach of unencrypted personal information; or (2) by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.