The FTC’s recently announced “50th data security settlement,” with GMR Transcription Services, has been highlighted by the Commission as a “golden opportunity to check your [data security] practices.” We agree.
The facts behind the settlement read like a case study of what not to do, and of how companies get into hot water with regulators when the data security promises and representations made in privacy policies or marketing materials don’t match actual practices and procedures.
In addition, the settlement highlights what we’ve long advised clients: third-party vendors and contractors must be carefully monitored, and contracts with such third parties must include detailed security schedules (if personal or sensitive information is delivered to the third party) and a robust right to audit and review the third party’s data security policies and actual procedures.
According to the FTC complaint, GMR’s:
“[S]ervice provider Fedtrans used a File Transfer Protocol (FTP) application that stored and transmitted files in clear, readable text. What’s more, the application was configured so that files could be accessed online without any authentication. That means that a major search engine was able to index thousands of medical transcript files Fedtrans completed for GMR, making them just a click away for people using the search engine. * * *
“GMR didn’t make typists take basic steps like installing anti-virus software. In addition, the FTC says GMR didn’t require Fedtrans to use appropriate measures to protect the medical files – like making sure they were secure when stored or sent to the typists (for example, through encryption) or having typists enter user credentials before accessing the files. The lawsuit also alleges that GMR didn’t monitor what Fedtrans was doing to protect the highly sensitive information in its possession.”
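The two failures the complaint describes (no authentication, and storage and transfer in clear text) map directly onto file-transfer server configuration. As an added illustration that is not from the post or the FTC filing, and assuming a vsftpd server (an assumption; the complaint does not name the software), the first fragment reproduces those failures and the second shows the corrected settings. The fragments are for side-by-side contrast, not for use in one file, since vsftpd takes the last value of a repeated directive.

```ini
# FRAGMENT 1 - WEAK (reproduces the failures described in the complaint)
# vsftpd.conf directives; server choice is an assumption, not from the post.
listen=YES
# No authentication: anyone, including a search-engine crawler, can fetch files.
anonymous_enable=YES
# Sensitive files placed directly under the anonymous tree (placeholder path).
anon_root=/srv/transcripts
# Credentials and file contents cross the network in clear text.
ssl_enable=NO
# No record of who downloaded what, so nothing to monitor or audit.
xferlog_enable=NO

# FRAGMENT 2 - HARDENED (require accounts, encrypt every session, keep a log)
listen=YES
# Every download is tied to a named, credentialed account.
anonymous_enable=NO
local_enable=YES
# Each typist is confined to their own directory.
chroot_local_user=YES
# Read-only unless a role genuinely needs to upload.
write_enable=NO
# FTPS: TLS on both the control and the data channel.
ssl_enable=YES
# Refuse plaintext logins and plaintext transfers outright.
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# Certificate and key locations are placeholders.
rsa_cert_file=/etc/ssl/certs/ftp.example.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.key
# Transfer and protocol logs give the monitoring and audit trail
# that the settlement's ongoing-oversight obligations assume.
xferlog_enable=YES
log_ftp_protocol=YES
```

The same two questions, whether the endpoint requires credentials and whether it refuses plaintext sessions, are what a contractual right-to-audit review of a vendor’s transfer service should verify in practice.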
I’ve underlined the notable egregious errors Fedtrans and its vendor committed. Most are basic mistakes that, in today’s data and threat environment, are in effect negligent.
In settling with the FTC, GMR agreed to many obligations common in FTC data-related settlements, including:
- Put a comprehensive written information security program (WISP) in place (which, we should note, our neighbor state to the north, Massachusetts, requires whenever the personally identifiable or sensitive information of its residents is stored) that is “appropriate to its size, the nature of what it does and the sensitivity of the information.”
- Name a specific employee to be accountable for the program.
- Identify inside and outside risks.
- Use reasonable steps to choose service providers who are up to the task, and ensure that any contract with them obligates the providers to meet GMR’s data security requirements.
- Continuously monitor the state of data security and “adjust their security program as things change.”
- Every other year for 20 years, bring in an independent certified data security expert to audit and certify GMR’s security programs and practices (and report to the FTC on the findings).
In short, data security is a continuous process. Merely having a “policy” isn’t enough. Feel free to contact us to discuss the settlement or your own data security practices or risk assessments.