IDC Names Securiti a Worldwide Leader in Data PrivacyView
The Federal Trade Commission (FTC) is at it again. This time it brings an enforcement action against an ovulation tracking application for:
This is the FTC’s second enforcement action under the HBNR following a settlement announced in February with a telehealth and prescription drug discount provider.
According to the complaint, the company misled users by repeatedly and deceptively representing in its privacy policies that it wouldn't disclose their medical records to third parties without consent and that any data it did collect was non-identifiable and only used for internal analytics or marketing. However, the company violated its promises and deceived the consumers by using third-party automated tracking tools, also known as software development kits (SDKs), and sharing consumers' sensitive health information for the purposes of advertising without obtaining their express consent. Such conduct on behalf of the company constitutes a violation of the FTC’s HBNR.
As a result, the proposed order issued by the FTC imposes a $100,000 civil penalty for violating the HBNR and the company will also be:
On May 18, 2023, the FTC also published some amendments to the HBNR for public consultation, which aim to extend the scope of the HBNR to health apps and other similar technologies. FTC’s proposed amendments to the HBNR come in light of evolving company procedures and technological advancements as more consumer health data is being collected, increasing the likelihood of businesses utilizing or disclosing sensitive data for marketing and other purposes. The FTC has proposed the following changes to the HBNR:
An enforcement action of any magnitude isn’t good for business. Companies dealing with health data have a legal obligation to protect the privacy and confidentiality of this sensitive information and ensure compliance with relevant laws and regulations. Here’s how companies should comply with the HBNR to avoid enforcement actions and noncompliance penalties and build consumer trust:
Learn about the particular specifications included in the HBNR. Review the rule to comprehend what constitutes a breach, who is in charge of reporting it, when it must be reported, and what information must be included in breach notifications.
Develop comprehensive breach response guidelines that specify what must be done in the event of a healthcare data breach. This should include a clear chain of command, employees assigned to handling breach responses, and a strategy for determining and mitigating the breach's impact.
Regularly assess the systems and procedures used by the organization to discover vulnerabilities and potential hazards to protected health information (PHI). This includes assessing physical security measures, personnel training, access controls, and security controls.
Implement appropriate security measures like intrusion detection systems, access controls, firewalls, and encryption. Ensure your organization follows relevant security regulations, such as the HIPAA Security Rule, and complies with industry best practices.
Employees should receive thorough training on the value of protecting PHI, identifying potential breaches, and reporting such incidents immediately. To ensure prompt action in the case of a breach, employees should also get training on breach response methods.
In the event of a data breach or other security issue involving health data, organizations should have a mechanism in place for handling it, including notifying affected individuals and regulatory authorities as required by law.
Maintain comprehensive records of every breach incident, including the type of breach, the people or entities impacted, the actions taken to control and mitigate the breach, and the notifications sent. This documentation demonstrates compliance and answers any regulatory questions.
Breach response strategies should be reviewed and updated frequently to account for new risks and regulatory updates.
Securiti, by harnessing the power of automation, enables organizations to leverage its DataControls Cloud and overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, which allow organizations to meet security, privacy, governance, and compliance obligations around data.
Request a demo to witness Securiti in action.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.