FTC and HHS Deliver One-Two Punch This Week – A Sign of Things to Come?
The Federal Trade Commission (FTC) announced yesterday that it notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has leaked from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks.
Notices went to both private and public entities, ranging in size from as few as eight people to those with tens of thousands of employees. The letters state that “at least one computer file containing sensitive personal information . . . has been shared from your computer network, or the network of one of your service providers, to a peer-to-peer file sharing (P2P) network.”
In a separate but similar turn of events, the U.S. Department of Health and Human Services website today posted its first list of breaches of unsecured protected health information affecting 500 or more individuals. As required by the HITECH Act, a covered entity must provide the Secretary with notice of the breach “without unreasonable delay and in no case later than 60 days from discovery of the breach.” The list dates back to September 2009, and covers thirty-six data breach events.
Regulatory scrutiny of organizations that have breached consumer data was once cast in varying shades of gray. That scrutiny has certainly become clearer and more pointed of late – particularly within the healthcare industry. The timing of these two events this week may be coincidental, but together they illustrate that agencies such as the FTC and HHS, which are charged with protecting consumers’ personal information, take the duty very seriously.
Businesses, both public and private, are encouraged to take these developments just as seriously.