Wyndham Worldwide Corp. Settlement with the Federal Trade Commission: Consumer Data Protection Isn’t Only About HIPAA
January 1, 2016
On December 9, 2015, the Federal Trade Commission (“FTC”) announced a settlement ending its two-and-a-half year-long litigation with Wyndham Worldwide Corp., the parent of Wyndham Hotels Group (“Wyndham”). The case arose from three breaches of Wyndham’s computer systems by hackers in 2008 and 2009 during which personal financial information of thousands of consumers was stolen. The breaches resulted in over $10 million in fraudulent charges and should serve as a reminder to any company handling sensitive consumer information of the obligation to ensure that data is adequately protected.
Following an August 24, 2015, ruling by the Third Circuit Court of Appeals that the FTC’s powers did indeed extend to cybersecurity, Wyndham agreed to establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the agreement requires Wyndham to conduct annual information security audits and to maintain safeguards in connections to its franchisees’ servers. Copies of the security program, modifications thereto and the annual audits are required to be provided to the FTC every year for the next 20 years. While the agreement calls for no direct financial payments by Wyndham, the implementation of the information security program and annual reporting will require a significant financial commitment from the company, in addition to the costs it incurred in its 30-month-long litigation.
Throughout the Wyndham litigation, the FTC emphasized that its consumer data security initiative is not limited to financial information, but covers all sensitive personal data – including personal data covered by HIPAA. The FTC’s interest in this area is understandable given that Dell Secureworks estimated that an individual healthcare record is worth more on the black market ($50, on average) than a U.S.-based credit card and personal identity with social security number.
A December 17th announcement that LifeLock, Inc. has agreed to pay $100 million to consumers to settle FTC allegations that it violated a 2010 federal court order requiring the company to secure consumers’ personal information and prohibiting it from engaging in deceptive advertising further demonstrates the seriousness with which the FTC treats consumer privacy issues. This settlement is the largest monetary award ever obtained by the FTC in an order enforcement action.
In addition to the LifeLock, Inc. settlement, other notable FTC enforcement actions involving mishandling of personal health information resulting in administrative settlements have included:
- Payments MD (December 2014) – An Atlanta-based health billing company and its CEO (FTC matters often involve personal liability by responsible corporate officers) settled charges that they misled consumers who signed up for use of an online billing portal by failing to properly disclose that the company would be seeking “highly detailed medical information from pharmacies, medical labs and insurance companies” in order to create personalized online health records. Under the terms of the administrative settlements, the company and its former CEO were required to destroy any information collected related to the health records. In addition, the respondents were banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party. Finally, the company must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party.
- GMR Transcription Services (January 2014) – This was an enforcement action against a medical transcription service and its two principal owners. The FTC alleged that inadequate cybersecurity measures unfairly exposed personal information of thousands of consumers on the open internet when the transcripts, including patient medical histories and/or medical examination transcripts, were placed on a server with inadequate security, indexed by a major search engine and thus available to anyone using the search engine. This breach occurred despite the company’s privacy statements’ assurances that “materials going through our system are highly secure and are never divulged to anyone.” Under the terms of the settlement, GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information. They also must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provides to independent service providers. Finally, the company must have the program evaluated both initially and every two years thereafter by a certified third party. The settlement will be in force for the next 20 years.
- Accretive Health (December 2013) – This matter arose following the theft of a company employee’s laptop containing 20 million pieces of sensitive information on 23,000 patients. The Administrative Complaint alleged that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft. The Complaint further charged that the company failed to employ reasonable procedures designed to ensure that employees removed consumers’ personal information that they no longer needed from their computers and that in certain instances, when the personal health information of consumers was used in training sessions for employees, Accretive failed to remove that information from employees’ computers after the training was finished. In addition, the FTC alleged that Accretive failed to adequately restrict employee access to consumers’ personal information based on an employee’s need for the information. Under the terms of its settlement with the FTC, Accretive must establish a comprehensive information security program designed to protect consumers’ sensitive personal information. In addition, the company must have the program evaluated both initially and every two years thereafter by a certified third party. The settlement will be in force for the next 20 years.
While none of these cases raised the question of preemption of the FTC’s authority to treat the exposure of HIPAA-protected data as an unfair practice, the issue is at the center of an ongoing administrative proceeding involving Lab MD, a cancer detection services company alleged to have engaged in unfair conduct resulting in the exposure of over 9,000 patient records on a peer-to-peer file sharing network and a separate loss of over 500 patient records discovered in the hands of identity thieves. In addition to raising a number of substantive issues concerning the FTC’s apparent inability to show actual consumer harm through a breach of the peer-to-peer network, Lab MD claimed that assertion of the FTC’s authority conflicted with health information security regulations under HIPAA. This jurisdiction challenge was rejected by the FTC in January 2014, and the parties have been engaged in an administrative proceeding ever since. Most recently, an Administrative Law Judge dismissed the complaint against the company, agreeing that no unfair practice could take place in the absence of actual consumer injury. FTC staff have appealed the ruling to the FTC itself, and Lab MD has noticed a conditional appeal again raising the HIPAA preemption theory. This case seems to be inevitably headed for the DC Circuit Court of Appeals, which will be called upon to resolve the preemption issue in what is sure to be a closely watched matter.
- Marc S. Ullman