Cbr Systems, a cord-blood bank, has agreed to settle with the US Federal Trade Commission over a number of charges. Among them lies the accusation that Cbr didn’t provide adequate data security, a situation that could have been partially addressed via the use of AlertBoot endpoint encryption for laptops and external hard drives.
Over 300,000 Affected in 2011
In 2011, I had lightly covered the Cbr situation, noting that “customer names, SSNs, driver’s license numbers, and credit card numbers” were lost due to the theft of a laptop computer and backup tapes from an employee’s car. However, my biggest question at the time was, is this or is this not a HIPAA breach?
To HIPAA or Not to HIPAA?
Cbr had expressly stated that HIPAA does not apply to them, despite the fact that they worked in a sector that many would consider “medical”: handling blood and tissue from the umbilical cords of newborn infants. Today, we know that the statement must have been true because the company came to a settlement with the FTC and not with the Office for Civil Rights at the Department of Health and Human Services (HHS), which is in charge of enforcing HIPAA regulations.
You might be wondering what’s going on. In a nutshell, it comes down to this: Not all medical organizations are subject to HIPAA/HITECH. That’s because organizations need to meet certain conditions before they are subject to HIPAA. For example, an organization is subject to HIPAA if it transmits health information electronically in connection with certain transactions, such as billing. Consequently, those who only deal with cash wouldn’t need to follow HIPAA (not that this is the only condition).
However, this does not mean that medical organizations not subject to HIPAA are free to ignore the kinds of safeguards found under HIPAA: Those who are not accountable to the HHS, which enforces HIPAA, are accountable to the FTC, which, according to some experts, has even stricter rules. For one thing, not only does the FTC require that an organization protect personal data at a level comparable to what HIPAA requires (well, they don’t actually state that…but it’s a given, really), it can also add other charges that are unrelated to medical issues.
Like charges of fraud and deception.
FTC Works to Prevent Fraudulent, Deceptive, and Unfair Business Practices
The mission of the FTC reads as follows:
To prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity. [ftc.gov]
What is “deceptive,” though, exactly? Well, if we are to take a cue from the FTC’s past actions, it turns out that promises made but not kept are deceptive business practices. For example, take the Cbr case:
The non-use of proven and established security technologies like full disk encryption for laptops, which are de rigueur in any company that handles sensitive personal data – and, dare I say, pretty well established as a breach prevention policy – can only add fuel to the charges in this case.