For those companies trying to make sense of all the ways they can get into trouble with data privacy and security matters, it might be helpful (or a little stressful) to know there are new sheriffs in town. O.K., maybe not new, but regulators of all stripes are stepping up enforcement actions related to data privacy and security matters. In the past few weeks we have seen the Federal Communications Commission involved in privacy issues and the Consumer Financial Protection Bureau issue its first data security enforcement action under the Consumer Financial Protection Act. This made me think to provide a quick primer on data sheriffs and their jurisdictions. Depending on the data you use in business and the sectors or jurisdictions in which you conduct business, one or more of these sheriffs might be knocking on your door.
1. Federal Trade Commission ("FTC"). At the federal level, the FTC investigates and prosecutes complaints against businesses in a wide variety of information security and privacy-related matters. Some enforcement authority for the FTC comes from federal statutes, such as Gramm Leach Bliley Act ("GLBA"), the Childrens' Online Privacy Protection Act ("COPPA") and the Fair Credit Reporting Act ("FCRA"). These statutes regulate the use of personal information in financial services, children Internet use (kids 13 years old and younger) and consumer reports, respectively. More often, the FTC gets involved in data governance failures under its broad authority to protect consumers under Section 5 of the FTC Act. In short, businesses are expected to honor their privacy and security representations to consumers just like any other business commitment. Failures to do so may be considered "unfair and deceptive," and thus trigger FTC involvement.
Who should take notice. Because of the FTC's broad mandate, recently affirmed in court, businesses in all sectors of industry should make themselves aware of FTC data governance guidance and enforcement activity in properly planning their data governance strategy.
2. Office of Civil Rights ("OCR"). OCR is tasked with investigating and enforcing compliance with the Health Insurance Portability and Accountability Act ("HIPAA"). As there is no private right of action under HIPAA, patients can petition the OCR to investigate healthcare covered entities and business associates for failures to comply with HIPAA's Privacy, Security and Data Breach Rules. OCR may simply issue compliance letters, or level enforcement actions for systemic failures with hefty fines. We expect to see increased audit and enforcement activity by the OCR in 2016. HIPAA also allows for criminal prosecution. Such criminal actions are taken up by the U.S. Department of Justice. And remember, HIPAA does not preempt state law. So, states can develop their own, more restrictive requirements for the PHI use.
Who should take notice. HIPAA regulated entities, such as hospitals, pharmacies and insurers likely understand their HIPAA obligations and risks. However, any companies that handle protected health information ("PHI") on behalf of covered entities should make sure they have a data governance plan that enables them to comply with HIPAA and any agreements they have with covered entities.
3. Consumer Financial Protection Bureau ("CFPB"). As noted above, the CFPB investigates and enforces actions under the Consumer Financial Protection Act, as well as the FCRA. In the recent consent decree entered with Dwolla, the CFPB stated the start-up company "failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access," while telling consumers that the information was "securely encrypted and stored."
Who should take notice. In a similar capacity to the FTC, the CFPB has broad enforcement under the CFPA and the FCRA. As almost all businesses collect and use financial data of some kind or another, following FTC and CFPB guidance and keeping up on enforcement activity will help all companies development sound governance plans and keep them up to date.
4. Federal Communications Commission ("FCC"). An agency we do not hear too much from in the privacy space is the FCC. However, once in a while, as evidenced by the recent $1.35M consent decree into which it entered with Verizon over the communications provider's use of "Supercookies," the agency does delve into privacy and security matters. The FCC derives such authority under Section 222 of the Communications Act. With Verizon, the FCC held that the company was not being transparent in its use of tracking technology as required under the agency's Open Internet Transparency Rule.
Who should take notice. The FCC regulates interstate and international communications by radio, television, wire, satellite and cable. So, companies subject to the 47 CFR Rules and Regulations should include data privacy and security in their compliance approach.
5. States' Attorneys General. Similar to the FTC at the federal level, we cannot forget about attorneys general at the state level, which often act on behalf of residents under state consumer protection laws. Additionally, such attorneys general can also take action under HIPAA and other state laws that are more restrictive than existing federal laws.
Who should take notice. Similar to the FTC, businesses operating within the state jurisdictions of these attorneys general should work to ensure data privacy and security practices do not run afoul of consumer protection statutes, including healthcare and financial laws.
If you are thinking, "Scot, my business bumps up against all of these authorities! How do I possibly comply with it all?" you're not alone. This why implementing sound data governance practices, specifically addressing privacy and security across your enterprise is so critical. The good news is a lot of what qualifies as best practice in one sector or jurisdiction often meets the requirements of others. So, thinking broadly is the way to go. Furthermore, just understand that good data governance and dealing with the threat of data breach is the "new normal." It will never stop. Regulators understand this. More times than not, they are simply looking for you to show that you are accounting for these important practices and working to ensure you collect, store and transfer information properly, and keep it secure.