Regulators expanding enforcement reach in data security cases

By Michael Carroll | Mar 16, 2016


WASHINGTON (Legal Newsline) - A recent Federal Trade Commission settlement with a company that allegedly made deceptive claims about the encryption in its software demonstrates how regulatory agencies are going after a wider pool of defendants in data security cases, a San Francisco attorney says.

Jim DeGraw, a partner in Ropes & Gray’s corporate technology group, says regulatory agencies such as the FTC have traditionally focused their attention on the liability of companies suspected of placing customers’ personal data at risk in some way, but now are also going after both software and product manufacturers.

He explained that the broad issue of “data handling,” which includes cases of data breaches, is becoming more of a concern among government regulators.

“It’s just that a whole series of agencies has gotten into the act,” he told Legal Newsline. “They’ve gotten into the ‘information technology ecosystem.’”

DeGraw said regulators “have set an example that everyone in the software chain needs to take data security seriously, with privacy and security in mind from the ground up.”

Cases have been brought against the makers of smartphones and a web browser toolbar, as well as financial services software.

In the case against Henry Schein Practice Solutions Inc., which makes office management software for dental services providers, the FTC in January announced a tentative settlement in which the company will pay $250,000.

The agency alleges that the firm falsely told its clients that its Dentrix G5 software provided encryption consistent with the industry standard favored by the National Institute of Standards and Technology. The FTC complaint charged that the software’s encryption was much less rigorous and didn’t meet the national standard.

In addition to the payment, the company must also notify customers who purchased the software and explain that it doesn’t meet the industry standard for encryption. The company, however, has not admitted to the allegations the FTC made in its complaint.

The FTC’s focus – particularly in the area of health information security – thus seems to be expanding to include allegedly deceptive statements by a software vendor to a customer, even though the statements weren’t made directly to customers whose personal data was supposedly at risk.

Plaintiffs’ attorneys are entering the fray, as well.

DeGraw notes that class action attorneys are also focused on this area, explaining that any time there’s a public disclosure or public investigation involving a possible lapse in data security, enforcement actions and lawsuits may follow. In addition, many data privacy laws have statutory damages provisions, he said.

DeGraw’s advice to companies involved in data security and related technology products is to be prepared and understand the federal guidelines relating to information security. Information technology departments need to run through scenarios and test their systems for potential known threats, he said.

Of course, the situation is constantly changing, requiring companies to be diligent in protecting customer information.

“Rules are a moving target,” DeGraw said, “and security is an evolving concept.”

He noted that some employers have been putting together privacy teams to ensure security compliance in an effort to make it part of their culture. They also need to understand that with more processing power and more groups collecting data come greater challenges for unauthorized access, DeGraw said.
