William A. Sherman, II

Enforcement Without Regulation: Seven Things That You Should Know About the FTC’s Section 5 Authority and Protected Health Information

May 6, 2015 | Articles

As seen in DRI: The Voice of the Defense Bar

If you or a client deals with protected health information (PHI), you will want to know the following seven things about section 5 of the Federal Trade Commission Act.

First, section 5 of the Federal Trade Commission Act authorizes the FTC to protect consumers from any “unfair” trade practice that is “likely to cause substantial injury to consumers.” The FTC relies on the statutory standard for unfairness, which defines an unfair practice or act as (1) conduct that caused, or was likely to cause, substantial injury to consumers; (2) consumers themselves could not reasonably have avoided the injury; and (3) the benefits to consumers or competition did not outweigh the injury. See 15 U.S.C. § 45(n).

Second, the FTC has applied this “unfairness” standard to data breaches involving PHI even when the Department of Health and Human Services has found no underlying violation of the Health Insurance Portability and Accountability Act (HIPAA). See In the Matter of LabMD, Inc., FTC Docket No. 9357.

Third, the FTC readily admits that there is no single location where a covered entity (as defined by HIPAA) can find the FTC’s so-called established standard data security policies, practices, and procedures. In fact, the FTC takes the approach that “information security is an ongoing process of assessing risks and vulnerabilities: no one static standard can assure appropriate security, as security threats and technology constantly evolve.” See FTC Comm’r Swindle’s 2004 Information Security Testimony at p. 3.

Fourth, if your business or a client’s business has had a data breach involving PHI, expect the FTC to find an expert willing to testify that the data security policies, practices, and procedures that the business had in place to protect the PHI were inadequate.

Fifth, to establish that data security practices were “unfair,” the FTC has ruled that it is not required to prove that an actual breach occurred or that a consumer suffered an injury as a result of the data security policies, practices, and procedures. Thus the FTC is only required to prove that such data security practices, policies, and procedures were “likely” to cause substantial injury to consumers. See Comm’n Denial of Respondent’s MTD at pp. 18-19, In the Matter of LabMD, Inc., FTC Docket No. 9357.

Sixth, the FTC expects a PHI holder to develop, implement, and maintain a written comprehensive information security program that minimally includes:

Employee training on basic security practices;
Renewing and updating firewalls, antivirus software, anti-spyware, and IDS mechanisms;
Patching and applying updates to all known or reasonably foreseeable security vulnerabilities and flaws;
Purging the system periodically of all data that is no longer needed; and
Preventing employees from accessing PHI not needed to perform their jobs.

Seventh, and finally, since Congress has not given the FTC rulemaking authority in the area of cyber security, there are no rules published in the Code of Federal Regulations or anywhere else that you can read to understand the FTC’s data security standards. And unlike the IRS, there is no one to ask for guidance, because the FTC will not issue interpretative letters.

In fact, the FTC is on the record as stating that businesses and their counsel are obligated to seek out this information by regularly checking the FTC’s web site; reading the FTC’s testimony before Congress (including footnotes), press releases, speeches, and blog posts; and reviewing FTC administrative complaints, consent decrees, and business education materials.