In October, at the Privacy & Security Forum at George Washington University, Federal Trade Commissioner Terrell McSweeny emphasized that companies that outsource data security to third parties can still be liable in an FTC enforcement action. This position is consistent with what we have heard previously from the Office for Civil Rights, the agency charged with enforcing HIPAA.
The FTC has authority under Section 5 of the FTC Act to prosecute companies for unfair business practices, which the FTC reads to include "unreasonable" data security practices. What counts as "unreasonable" is a source of uncertainty: the FTC has provided little guidance on what constitutes a reasonable procedure beyond what can be gleaned from its prior enforcement actions. Instead, the Commissioner said that a company should look at its data security from an expert's perspective and determine whether its practices fall inside or outside the bounds of what is reasonable. Following the recent decision in LabMD, the FTC may be forced either to provide more guidance or to concede that the unfairness prong applies only in extreme cases, that is, cases where there is demonstrable harm to the consumer without countervailing benefits.
As the Commissioner's comments make clear, this analysis must include vendor oversight. If a vendor fails to perform adequately, puts consumer information at risk, or stores customer data in vulnerable locations, the FTC is likely to find the primary business at fault. This may be so even when the business otherwise has good compliance and testing procedures and was genuinely misled by the vendor. And if the business should have known what was happening, the risk of an enforcement action is greater still.
The Commissioner offered two recommendations for businesses seeking to avoid liability for a vendor's failures. First, a company's written contracts with its vendors should clearly establish how consumer data is to be handled and secured. Second, a company should perform due diligence into a vendor's capacity to comply with those promises and then verify that it actually complies. The FTC has also published guidance on best practices for avoiding an enforcement action, drawn from more than 50 prior data security settlements. At the Forum, the Commissioner reiterated that such practices include setting strict rules on employee access to networks, requiring strong password standards, and keeping software current so that known vulnerabilities are patched.
In the end, sound information governance practices that follow "fair information practice principles" ("FIPPs") will continue to be key, including reasonable controls over vendors. A number of organizations have issued FIPPs, including the FTC and the National Institute of Standards and Technology.