The FTC is the New Sheriff in Town

By Mike Semel
Twitter: @SemelConsulting

Don’t believe “We’re from the government and we are here to help you.”

After a data breach in 2006 the FTC settled with ChoicePoint for $10 million and a 20-year monitored compliance program. Twenty years!

In 2012 a company that had a HIPAA data breach was forced out of the state for two years by the Minnesota Attorney General. For the same breach the FTC placed the company on a 20-year monitored compliance program. Yes, different agencies can pile on with penalties for a single breach.

In another case, FTC penalties forced LabMD to go out of business after two incidents where the lab failed to protect the security of consumers’ personal data.

The Federal Trade Commission is rejoicing now that its authority to enforce data breach penalties has been affirmed by a federal court. Wyndham Hotels had challenged the FTC’s authority over data security and lost in a big way. The decision affirms a federal district court ruling, which upheld the FTC’s authority to bring data security cases under the provision of Section 5 of the FTC Act that outlaws unfair acts or practices in or affecting commerce.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said Federal Trade Commission Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Every business needs to beware. Anyone can file a complaint.

What should be scary to every medical practice, hospital, and health plan is that the FTC views patients as consumers. The FTC can be far more ferocious than the Office for Civil Rights that enforces HIPAA.

If you have personally identifiable information, consumer financial information, or medical records that could be used for identity theft, you need to adequately protect it against loss, theft, or unauthorized access. The penalties can be huge.

Helpful Guidance

The FTC offers a free ‘Start with Security’ guide that suggests the following steps based on the lessons learned from its enforcement cases.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Most businesses do not employ staff with the IT security expertise necessary to implement the FTC’s suggestions. Even with an IT staff you can be vulnerable to attacks. Just ask Target or Sony.

In today’s business environment networks are no longer just for computer data. Phone systems, copiers, security systems, surveillance systems, even heating and air conditioning controls all share the network with your computers and servers.

Focusing on the security in your own network isn’t always enough. Target was breached after an attack on a vendor that had access to its network.

Starting Point

One good place to start is with a Cyber Security Risk Analysis to identify the vulnerabilities to your organization’s data. At Semel Consulting we are certified in security and compliance and follow the government’s recommended standards for conducting risk assessments. Our assessments meet HIPAA and Meaningful Use requirements. We also use ‘under the skin’ tools to identify security weaknesses, and we always find things that others missed.

While it costs money to implement IT security controls, it is much less than the cost of FTC fines and 20-year compliance programs. Or the loss of your business completely.

This article was originally published on Semel Consulting and is republished here with permission.