Feds Are Serious About Data Security

In what could be a landmark ruling in the data breach legal field, a New Jersey district court recently ruled that the FTC's lawsuit against Wyndham Hotels for unfair and deceptive trade practices related to a major data breach could proceed. Although the breach did not happen in a health care setting, the ruling nevertheless has implications for health care providers.

Background: the FTC filed suit against Wyndham over allegedly poor data security practices and an inadequate response to a 2008-10 data breach. Wyndham moved to dismiss, challenging whether the FTC had the authority to bring an action at all against an entity that suffered a data breach. The court denied the motion this month, ruling that the FTC has the authority to regulate data security and may proceed with the suit. In particular, the court held that the FTC's unfairness authority reaches how companies secure their data and, more importantly, that the FTC does not need to issue specific data security rules or guidelines before it can bring this type of lawsuit.

The case was brought by the FTC's Bureau of Consumer Protection under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. A central argument was whether Section 5 gives the FTC authority over the alleged security practices, or whether Congress's later passage of sector-specific privacy and data security laws showed that it had not. The court ruled that the FTC did have such authority, reasoning that the newer privacy laws complement, rather than displace, the FTC's existing Section 5 power.

In the health care context, there is an argument that the FTC would not have the power to bring an enforcement action against a health care provider for a data breach, because the HHS Office for Civil Rights (OCR) is charged with enforcing HIPAA. Historically, however, sharing enforcement authority with another agency has not been a bar: the FTC's Bureau of Competition has long worked alongside the Department of Justice Antitrust Division in enforcing the antitrust laws, so dual jurisdiction over a category of conduct is not unprecedented. A further argument is that the FTC lacks jurisdiction over not-for-profit entities. The FTC has nonetheless been able to exercise jurisdiction over many not-for-profits by showing that the entity was engaged in activities similar to those of a for-profit business. In any event, the FTC has traditionally interpreted its Section 5 jurisdiction broadly when it comes to consumer protection.

Finally, the FTC has enforcement authority under the Red Flags Rule, its identity theft prevention rule. While many physician practices will not fall within the rule's definition of a "creditor," many other health care providers will. Given the media attention to the problem of medical identity theft, it would not be surprising to see the FTC attempt to extend its reach further into health care.

Takeaways: Health care data security is an ongoing threat and a moving target for providers. The recently disclosed "Heartbleed" bug, a flaw in the widely used OpenSSL encryption library rather than a virus, drives home the point that any entity can be exposed to a security breach through software it did not write and may not even know it is running. Both the HIPAA Security Rule and the Red Flags Rule require providers to assess their security on an ongoing basis; the Security Rule in particular calls for a documented risk analysis and for periodic technical and non-technical evaluations in response to environmental or operational changes. Security audits are therefore not one-time events but must be repeated regularly to account for new and increasingly sophisticated threats, and the results and remediation should be documented, since that record is what an investigator will ask for first. A failure to maintain current security practices could give rise to enforcement actions by OCR and, now possibly, the FTC. If you have not reviewed your security practices recently, now is the time to begin before the FTC or OCR conducts the review for you.