by Daniel J. Solove
In the world of data protection, it’s an old story: Personal data gets shared with a third-party data service provider, and then something goes wrong at the provider.
Whose fault is it? The organization that shared the personal data with the vendor certainly has responsibility, as organizations are generally responsible for the actions of their independent contractors. But even though an organization might have to pick up the tab, it can still put all the blame on the vendor.
A recent FTC case suggests otherwise. Since the 1990s, the FTC has been regulating companies under Section 5 of the FTC Act. This statute prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has brought an extensive number of cases for problematic privacy and data security practices.
The FTC case, In the Matter of GMR Transcription Services, Inc. (Jan. 31, 2014), involves the inadvertent exposure of people’s medical data maintained by GMR, a company that provides medical transcription services. What makes this case particularly noteworthy is that it faults GMR for its data service provider management practices.
According to the FTC complaint, GMR failed to “adequately verify that their service provider, Fedtrans, implemented reasonable and appropriate security measures to protect personal information in audio and transcript files on Fedtrans’ network and computers used by Fedtrans’ typists.”
Moreover, the FTC faults GMR for failures in contracting with its data service provider. The FTC complaint alleged that GMR failed to “require Fedtrans by contract to adopt and implement appropriate security measures to protect personal information in medical audio and transcript files, such as by requiring that files be securely stored and securely transmitted to typists (e.g., through encryption) and authenticating typists (e.g., through unique user credentials) before granting them access to such files; take adequate measures to monitor and assess whether Fedtrans employed measures to appropriately protect personal information under the circumstances.”
The FTC additionally found GMR to be deficient in doing due diligence before hiring its data service provider: “Respondents did not request or review relevant information about Fedtrans’ security practices, such as, for example, Fedtrans’ written information security program or audits or assessments Fedtrans may have had of its computer network.”
Looking broadly at the complaint, there are three key things that the FTC is now requiring companies to do when it comes to contracting with data service providers:
1. Exercise due diligence before hiring data service providers;
2. Have appropriate protections of data in their contracts with data service providers; and
3. Take steps to verify that the data service providers are adequately protecting data.
The Implications of this Case
The GMR case has a number of very important implications.
1. The Blame Game
The GMR case indicates that organizations that hire data service providers may be directly at fault in many instances. The case solidifies the principle that companies have duties of data service provider management – in choosing, contracting with, and overseeing vendors. This means that if a vendor has a problem, the organization that hired the vendor will also be under scrutiny.
Organizations that use data service providers for data processing might not just be victims if the data service providers make a blunder. They might be to blame if they didn’t engage in appropriate data service provider management practices.
2. The Development of a New Standard of Care in Data Service Provider Management
FTC enforcement based on inadequate data service provider management signals that standards in this area are starting to mature. The FTC has been conservative in its enforcement. The FTC is more of a standard codifier than a standard maker. Instead of blazing a trail by creating new norms and standards, the FTC has waited until norms and standards have developed and then begun enforcement.
Once the FTC has enforced based on a particular standard, that standard achieves a new level of legitimacy and formality. For all intents and purposes, the standard becomes law.
Because the law of privacy and data security is so fragmented, so magma-like in its nature, the FTC has had an unusually influential role in shaping the law of privacy and data security by embracing certain standards and norms that have achieved a decent level of consensus. I discuss in more detail how the FTC has gone about crafting a law of privacy from the ground up in my forthcoming article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review (forthcoming 2014) (with Professor Woodrow Hartzog).
Privacy and data protection attorneys at the large law firms, in-house counsel, and everywhere else follow the FTC closely. They look to the FTC for guidance about standards to follow.
Now, the word is out that poor data service provider management might run afoul of the FTC Act. Even without a data breach, poor data service provider management alone might still be a cause for enforcement.
The GMR case does not define the precise contours of what constitutes adequate data service provider management, but the details will be fleshed out over time. This FTC case has signaled that more attention should be devoted to the issue, and more companies can be expected to take a closer look at their own data service provider management practices.
3. Schools Contracting with Cloud Service Providers
I recently blogged about a Fordham University CLIP study that revealed that contracts between K-12 school districts and cloud service providers did not have adequate measures to protect privacy and data security. Although the FTC generally cannot enforce against public-sector entities, the GMR case still has important implications. The case now establishes more clearly that there is a standard of care when it comes to contracting.
The principles in this case apply to nearly all businesses, and FTC decisions reflect the consensus norms about privacy. If nearly all companies are legally obligated to do what the FTC demands in this decision, then this puts a lot more pressure on schools to do so.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.