Home Home About Us Practice Areas Our Attorneys Press & Publications Events Diversity Pro-Bono Careers

Digital Media, Technology & Privacy Alert >> FTC’s Proposed Settlement in Data Security CASE Highlights Companies’ Need to Supervise Vendors

March 6, 2014

For its 50th data security settlement, the Federal Trade Commission (FTC) chose to highlight that companies can face liability for failing to properly supervise their vendors.  A company that provides medical transcription services has agreed to settle FTC charges that its inadequate data security measures unfairly exposed the personal information of thousands of consumers on the Internet, in some instances including consumers’ medical histories and examination notes. 

The FTC filed its complaint against GMR Transcription Services, Inc., a company in the business of transcribing digital audio files for individuals and businesses in a variety of professions and industries, including health care providers and hospitals. 

In conducting its online business,
the FTC contended, GMR relied almost exclusively on independent third-party vendors who engaged individual typists to transcribe audio files that GMR assigned to through
an online system. 

After being notified of the assignment, the typist logged in to a GMR website and downloaded the file. After downloading the file, the typist converted the audio file into a Microsoft Word file and then followed the reverse process to upload it back to GMR’s computer network. Thereafter, GMR either emailed the transcript file to its customer or notified its customer to retrieve the file from GMR’s computer network. 

The FTC asserted that the files could “include sensitive information from or about consumers, including children” – including names, dates of birth, addresses, email addresses, telephone numbers, Social Security numbers, driver’s license numbers, tax information, medical histories, health care providers’ examination notes, medications, and psychiatric notes. 

GMR claimed that each transcriptionist within the GMR community was required to sign a Confidentiality Agreement prior to performing any work and that the materials going through its system were highly secure and were never divulged to anyone. GMR also claimed that its systems were compliant with the Health Insurance Portability and Accountability Act (HIPAA). 

The FTC asserted that GMR had engaged in a number of practices
that, taken together, “failed to provide reasonable and appropriate security to protect personal information in audio and transcript files.” According to the FTC’s complaint, among other things, GMR failed to: 

  1. require typists to adopt and implement security measures, such as installing anti-virus applications, or confirm that they had done so; 
  2. adequately verify that the third-party vendor had implemented reasonable and appropriate security measures to protect personal information; 
  3. require the third-party vendor by contract to adopt and implement appropriate security measures to protect personal information in medical audio and transcript files, such as by requiring that files be securely stored and securely transmitted (e.g., through encryption) and authenticating typists (e.g., through unique user credentials) before granting them access to these files; 
  4. take adequate measures to 
  5. monitor and assess whether 
  6. the third-party vendor employed measures to appropriately protect personal information under the circumstances; and
  7. request or review relevant information about the third-party vendor’s security practices, such as written information security program or audits or assessments it may have had of its computer network. 

As a result of “these security failures,” the FTC asserted, GMR was “unaware” that its third-party vendor used a File Transfer Protocol (FTP) application to both store medical audio and transcript files on its computer network and transmit the files between the network and its typists; that the application stored and transmitted files in clear readable text and was configured so that the files could be accessed online by anyone without authentication; and that a major search engine, therefore, was able to reach the FTP application and index thousands of medical transcript files. 

Under the terms of the proposed settlement with the FTC, GMR is: 

  1. prohibited from misrepresenting in any manner, expressly or by implication, the extent to which GMR uses, maintains, and protects the privacy, confidentiality, security, or integrity of personal information collected from or about consumers, 
  2. required to establish a comprehensive information security program that would be “reasonably designed” to protect the security, confidentiality, and integrity of consumers’ sensitive personal information, including information the company provided to independent service providers, and
  3. have its security program evaluated both initially and every two years by a certified third-party for a total of 20 years. 

The FTC lauded this 50th data security case settled by stating, “[w]hat started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into a vital enforcement program that has helped to increase protections for consumers and has encouraged companies to make safeguarding consumer data a priority.”


The Bottom Line

The FTC’s proposed settlement with GMR should highlight the need for all companies that use third-party vendors to process personal information to properly supervise and manage these third-party vendors.  Companies may become liable for the acts
of their vendors.