A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.
First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.” The IT Provider inadvertently introduced a vulnerability to the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information. An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information. The Third Party eventually contacted the merchant and federal authorities to disclose the vulnerability, and deleted the data. It appears that the data was not otherwise improperly accessed.
The settlement order alleged that the merchant’s failure to supervise the IT Provider was a violation of 17 C.F.R. § 160.30, which requires certain regulated entities to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” Although the merchant had adopted these policies—known as information systems security programs or “ISSPs”—the alleged failure was that the merchant did not ensure that the IT Provider followed such policies.
As a result of the settlement, the merchant was required to pay a $100,000 fine to the CFTC, and the merchant represented it was taking steps to protect its network going forward.
Second, last week the NYAG announced a settlement stemming from the accidental release of over 80,000 Social Security numbers by a healthcare provider. In conjunction with the settlement, the NYAG reiterated its call for stronger privacy laws, and specifically the proposed “Stop Hacks and Improve Electronic Data Security Act” (or “SHIELD Act”). The SHIELD Act was proposed last November, and remains pending in the New York State Senate.
Similar to the CFTC action, this was not an action stemming from malicious, unauthorized access that led to harm. Rather, the healthcare provider accidentally disclosed Social Security numbers of over 55,000 New York residents—on the outside of envelopes mailed to those residents. According to the announcement, this violated not only HIPAA obligations to safeguard patients’ information, but also a specific New York law prohibiting printing Social Security numbers on a mailer in a way visible from the outside without having to open the envelope. New York General Business Law § 399-ddd(2)(e). Once again however, the order made no reference to any specific, unauthorized use of the Social Security numbers nor did it otherwise note specific harms to the impacted consumer.
As part of the settlement, not only did the healthcare provider agree to pay a $575,000 penalty, but it also agreed to implement a corrective action plan. Among other details, the plan requires the healthcare provider to conduct a risk analysis and report its findings to the NYAG. Further, it will review and revise its data security policies, and explain changes to those policies.
* * *
In civil cases stemming from data breaches, defendants can file a motion to dismiss for lack of standing if there is no harm to affected individuals (although such arguments have varying levels of success depending on where the suit is filed, as we have previously discussed here). In contrast, data security regulations and statutes often have no injury requirement, and thus federal and state regulators with jurisdiction to enforce such provisions may do so even in the absence of any harm to customers or others. These enforcement actions further highlight the need for companies to create, maintain and enforce data security policies both internally and with respect to their third parties with access to company data and systems.