FTC Sharpens Its Claws; OCR Has Its Cut
With the distractions of the holidays, SolarWinds, and the NDAA, two interesting cybersecurity law updates were overlooked in the fields of healthcare and finance. In one corner, the Federal Trade Commission battered a financial institution for poor vendor management, while in the other, the Department of Health and Human Services Office for Civil Rights gained a new constraint on how it issues fines for data breaches. Fortunately, my favorite CISO sent a research tip (maybe as a hint to turn off the Netflix).
1. HEALTHCARE: Under its authority from the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Department of Health and Human Services Office for Civil Rights (“OCR”) issues monetary penalties against “Covered Entities” and “Business Associates,” as defined under the Health Insurance Portability and Accountability Act (“HIPAA”). In addition to suffering monetary fines (often in the millions of dollars), these hospitals, providers, clinics, and their associates also appear on the HITECH “Wall of Shame,” err…online breach report. The fines imposed by OCR purportedly reflect factors such as the extent of the failure to meet HIPAA Security Rule standards, the length of time spent failing to meet Security Rule standards, and the facts surrounding the breach (response time, remedial acts, etc.). However, on Christmas Eve, H.R. 7898 was sent to the President’s desk, and if signed it will amend the HITECH Act. The amendment provides that if a covered entity or business associate has had “recognized security practices” in place for a minimum of 12 months before a cyber incident, OCR “SHALL” consider this fact for the following purposes: 1) potential mitigation of fines; 2) allowing early, favorable termination of an audit; and 3) mitigating the remedies agreed to for HIPAA violations. The bill defines “recognized security practices” as the standards and guidelines developed under the NIST Act and the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015. In short, follow the security practices laid out under section 405(d) of the Cybersecurity Act of 2015 and OCR is required to consider those efforts before imposing regulatory or monetary penalties. Furthermore, a covered entity’s decision to decline to follow the “recognized security practices” cannot be held against it (used to increase fines or impose liability). This is a great rule and incentive, especially as it looks to distinguish “recognized security practices” for small versus large organizations.
2. BANKING: On December 15, 2020, the Federal Trade Commission published a proposed settlement with Ascension Data & Analytics, LLC (“Ascension”), a mortgage analytics company, alleging that the company failed to ensure its third-party vendor, OpticsML, was actually safeguarding consumer data as required under the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule, 16 C.F.R. Part 314. According to the FTC Complaint, OpticsML was hired by Ascension to perform optical character recognition scanning on mortgage documents. Per Ascension’s internal policies, it was required to vet OpticsML’s security measures to ensure the safety of consumer PII. However, Ascension failed to conduct its due diligence before providing mortgage documents to OpticsML. OpticsML stored the Ascension customer data on a misconfigured cloud server without password protection. In 2019, it was discovered that approximately 52 unauthorized IP addresses had accessed customer PII, many of them from Russia and China. The FTC claims that by failing to conduct due diligence into OpticsML’s security practices, Ascension failed to oversee and take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information, and failed to require service providers to implement such safeguards, as required under 16 C.F.R. §§ 314.3 and 314.4. The FTC has enforcement authority over the Safeguards Rule under 15 U.S.C. § 6805(a)(7). In its proposed settlement with Ascension, the FTC allows Ascension to avoid any admission of wrongdoing.
However, it requires the following actions by Ascension: A) implement a data security program; B) undergo biennial assessments of the effectiveness of its data security program by an independent organization, subject to FTC approval; C) have a senior company executive certify annually that the company is complying with the order (very similar to SOX requirements); and D) report any future data breaches to the Commission within 10 days.
Lessons to readers: 1) healthcare entities should implement the section 405(d) practices of the Cybersecurity Act of 2015 now, since the 12-month clock only starts once they are in place; and 2) financial institutions must vet the security practices of their vendors, both in contract and in actual practice. The due diligence process must also be documented.