Readers of this blog know that we have been tracking the FTC’s recent data security enforcement activities with a particular focus on the FTC v. LabMD case. As reported by Cause of Action, a nonprofit organization involved in the defense of LabMD, the LabMD trial was put on hold on May 30, 2014 until June 12, 2014 because the House Oversight Committee is investigating Tiversa Holding Co., the cybersecurity firm that found the patient data leading to the FTC’s investigation. The unofficial transcript from the May 30th trial proceeding is available via the Cause of Action report.
While we don’t yet know how the LabMD case will end or whether the FTC will eventually decide to defer to the Department of Health and Human Services (“HHS”) and its detailed HIPAA requirements for data privacy and security, businesses involved with protected health information (PHI) might want to consider including a paragraph on the FTC’s data security enforcement activities in disclosure statements provided to investors or other third parties (such as those viewing website privacy statements). A statement to be included in a private placement memorandum might provide as follows:
Section 5 of the Federal Trade Commission Act (“FTC Act”) prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has taken the position that unfair practices include those related to the use or protection of a consumer’s personal information, and has taken enforcement action against businesses based on its determination that the businesses had unfair practices relating to deficient data security measures. The FTC has taken such enforcement action against businesses, such as [COMPANY], that must protect data in accordance with HIPAA, even where no HIPAA violation has been alleged and no HIPAA penalties have been imposed. Management of [COMPANY] has no reason to believe that [COMPANY] will not comply with Section 5 of the FTC Act; however, the failure to do so could result in the expenditure of significant sums incurred in responding to an administrative complaint and navigating the consent order process, and [COMPANY] could face the imposition of civil penalties, bans on certain activities, and requirements for corrective actions, including reporting, audit and compliance requirements for periods of up to twenty years.
Businesses subject to HIPAA may also want to consider including a statement related to applicable state privacy and security standards or requirements, specifying those that are more stringent than the HIPAA standards and requirements.