In an unprecedented transition, the FTC just got a full slate of 5 new commissioners, three Republicans and two Democrats:
Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D
It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the legacy of the FTC as serving as the leading privacy regulator in the United States. There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reined in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.
The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year. Effectively, for many companies, the regulators they are paying attention to are across the pond.
The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference. Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers. This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.
In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc), the U.S. Court of Appeals for the 9th Circuit en banc reversed an earlier panel decision that severely limited the FTC’s jurisdiction to protect privacy and data security. I strongly criticized the panel decision in a previous blog post.
The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce. Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers. A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.” Common carriers are regulated by the Federal Communications Commission (FCC).
In FTC v. AT&T Mobility the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC. However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in. This means that if a company engages in a non-minor amount of common carrier activities, then everything that it does, including many activities beyond its functions as a common carrier, falls outside the FTC’s power to regulate under Section 5. Because these are non-common-carrier activities, the FCC often can’t regulate them either. This opens up an odd no man’s land where a company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.
Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:
This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect was different than their usual settlement process in that Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid their obligations under HIPAA even though they were no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations made by the company while open.
Their HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found that over a period of several weeks the PHI had been left unsecured outside Filefax and had been removed from the facility by an unauthorized person.
The press release can be viewed here. The Resolution Agreement can be viewed here.
At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:
Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
HIPAA enforcement over data breaches has recently been increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?
I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group, because I am particularly interested in the insurer’s perspective.
Co-authored by Professor Woodrow Hartzog
The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?
Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.
I’m pleased to announce a new training program: Spot the Risks: Privacy and Security. The program is a Where’s Waldo style risk-spotting game that takes about 5 minutes to complete. Trainees are asked to spot the risks in an office. Feedback is provided about each risk so trainees learn many of the most important best practices.
A dramatic legal battle is taking place that will have profound implications for the future of technology, privacy, security, and the extent of government power. The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.
By Daniel J. Solove
ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A Sustained and Vigorous Critique of OCR HIPAA Enforcement
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”