Data Privacy Regulation Roundup for February and Facebook’s FTC Response
You may sometimes wonder why we spend so much time on data privacy for a company in the big data and analytics business. Well, as I said in a past post, we should all be concerned about the privacy of our data—industries, companies, and consumers alike. This is also self-serving, because anyone in the big data business depends on individuals’ and corporations’ willingness to input and share their data digitally. Without that trust, ad-driven sites (like Google) and analytics platform providers (like PatternBuilders) have no reason to exist. For us, this means keeping abreast of regulatory actions to better understand how companies may, wittingly or otherwise, find themselves on the wrong side of the privacy fence. So, on with the regulatory roundup!
Now, for those of you interested in following data privacy regulation issues, I highly recommend subscribing to the Information Law Group’s blog and following them on Twitter (@InfoLawGroup). In a recent blog post, they cover several announcements made by enforcement agencies and FINRA (the Financial Industry Regulatory Authority):
- The U.S. Department of Health and Human Services (HHS) imposed a $4.3 million penalty on Cignet Health of Prince George’s County, Maryland (Cignet) for violating the HIPAA Privacy Rule. HHS found that Cignet had denied patients’ requests for access to their records over a period of time. The civil money penalty broke down as $1.3 million for the initial violation plus an additional $3 million for Cignet’s failure to cooperate with HHS’s investigation or respond to further requests for information.
- The FTC charged three credit report reseller companies with not taking “reasonable steps to protect consumers’ personal information, failures that allowed computer hackers to access that data.” These resellers bought credit reports from the consumer reporting agencies Equifax, Experian, and TransUnion and combined them into special reports that were sold to mortgage brokers and others. The companies allegedly allowed their clients to access this information without basic security measures in place, which resulted in a data security breach; after the companies became aware of the breach, they did not take further security measures to prevent future breaches. The settlement requires the companies to strengthen their data security measures and submit to audits for the next 20 years.
- FINRA imposed $600,000 in fines against Lincoln Financial Securities ($450,000) and Lincoln Financial Advisors ($150,000) for failure to protect confidential customer information. More than 1 million customer records were not properly safeguarded because they could be accessed with shared user names and passwords (this is why individual, non-shared credentials are so important). To the firms’ credit, once they were aware of the violations they made extensive efforts to contact and notify all affected customers of a potential security breach and offered them a year’s worth of credit monitoring and restoration services.
Certainly, these actions are a sign that all companies should maintain rigorous data security policies in order to avoid data privacy breaches and, of course, stay on the “right side of the privacy fence.” If you are curious about the regulations and policies that apply to companies that collect sensitive consumer and employee information, check out the FTC’s Privacy and Security page.
And now to my final roundup note: Facebook responded to the FTC’s privacy investigation, noting that it can “create a framework that is sensitive to the different expectations of privacy users have in different contexts, maximizes users’ ability to control their privacy as they see fit, and promotes continued innovation.” Let’s all hope that’s the case! You can read the full response here.