Cloud Adopters & the Pending FTC Security Requirements – Are You Ready?

If you’ve adopted cloud computing strategies within your organization, you’ve already taken strides to keep up with the times in the ever-changing world of technology. As a result, your decisions have enabled scalability, reliability, and (hopefully) top performance — but did you know that most cloud infrastructures lack the security features required in the upcoming FTC Privacy Compliance Regulations? Not to mention the numerous processes and procedures your team MUST follow to obtain compliance and avoid major fines! 

At DataYard, we consider data security to be part of the foundation of our solutions – it’s a theme in every design, implementation, and managed cloud engagement we have. The reality is infrastructure and software alone are NOT enough under the current regulations. Companies must implement incident recovery, training, documented policies, and assign a dedicated owner / single point of contact of the organization’s privacy compliance efforts and strategy. So the question is: Do you really have your yard in order when it comes to data security?

Third-party data service providers, especially those providing cloud computing services, are faced with unique and difficult privacy and data security challenges. While many companies that directly collect data from consumers are bound by the promises they make to individuals in their own privacy policies, cloud service providers are usually not a part of this arrangement. It is not entirely clear what, if any, obligations cloud service providers have with regards to protecting the data of individuals with whom they have no contractual relationship. This problem is especially acute because many institutions sharing personal data with cloud service providers fail to include significant privacy and security protections in the contracts that govern the exchanges. As such, individuals can be placed at the mercy of contracts that they did not negotiate and that offer insufficient protection of their data.

Since the 1990s, the FTC has been regulating companies in privacy and security matters under Section 5 of the FTC Act. This statute prohibits ‘‘unfair or deceptive acts or practices in or affecting commerce.’’ 6 The FTC has brought an extensive number of cases for problematic privacy and data security practices. We discuss in more detail how the FTC has gone about crafting a law of privacy from the ground up in our forthcoming article, ‘‘The FTC and the New Common Law of Privacy.’’ 7 Privacy and data protection attorneys at the large law firms, in-house counsel, and attorneys everywhere else follow the FTC closely. They look to the FTC for guidance about standards to follow. Thus far, the FTC has been more of a standard codifier than a standard maker. Instead of blazing a trail by creating new norms and standards, the FTC has waited until norms and standards have developed and then begun enforcement. Once the FTC has been enforced based on a particular standard, that standard achieves a new level of legitimacy and formality. For all intents and purposes, the standard becomes law. Because the law of privacy and data security is so fragmented, so magma-like in its nature, the FTC has had an unusually influential role in shaping the law of privacy and data security by embracing certain standards and norms that have achieved a decent level of consensus. For a long time, these standards have focused on what companies must do to protect the privacy and data security of personal data that they maintain. This year, however, there is an existing FTC case focusing on the standards for how a company, GMR Transcription Services, Inc., shares personal data with external data service providers.

In this case, the FTC found GMR to be deficient in doing due diligence before hiring its data service provider.12 Looking broadly at the complaint, there are three key things that the FTC is now requiring companies to do when it comes to contracting with data service providers: (1) exercise due diligence before hiring data service providers; (2) have appropriate protections of data in their contracts with data service providers; and (3) take steps to verify that the data service providers are adequately protecting data. This GMR case has several important implications. It indicates that organizations that hire data service providers may be directly at fault in many instances. The case also solidifies the principle that companies have duties of data service provider management — in choosing, contracting with, and overseeing vendors. This means that if a vendor has a problem, the organization that hired the vendor will also be under scrutiny.

Organizations that use data service providers for data processing might not just be victims if the data service providers make a blunder. They might be to blame if they failed to follow appropriate data service provider management practices. FTC enforcement based on inadequate data service provider management signals that standards in this area are starting to mature. The GMR case does not define the precise contours of what constitutes adequate data service provider management, but the details will be fleshed out over time. This FTC case has signaled that more attention should be devoted to the issue, and we can now expect more companies to take a closer look at their own data service provider management practices. The word is out that poor data service provider management might conflict with the FTC Act. Even without a data breach, poor data service provider management alone might still be a cause for FTC enforcement. Although the FTC generally cannot enforce against public-sector entities, the GMR case still has important implications. The case now establishes more clearly that there is a standard of care when it comes to contracting. The principles in this case apply to nearly all businesses, and FTC decisions reflect the consensus norms about privacy. If nearly all companies are legally obligated to do what the FTC demands in this decision, then this puts a lot more pressure on schools and other public-sector organizations to do so.

Protections of Third-Party Beneficiaries 

The FTC is also not limited in protecting consumers only when they have a direct relationship with an entity that maintains their personal data. In its early cases, the FTC focused primarily on enforcing company privacy policies. Since then, the FTC has broadened its enforcement far beyond privacy policies. Deception is a broad concept, and it is not limited to the explicit promises a company might make. Unfairness is even broader. An ‘‘unfair’’ trade practice is one that ‘‘causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.’’13 An exceptionally wide range of activities has been included in the FTC’s unfairness and regulatory efforts.14 Many of the alleged unfair actions seek to take advantage of vulnerable consumers, making exploitation the focus of many unfairness allegations.15 Thus, the FTC has very broad and general regulatory authority by design to allow for a more nimble and evolutionary approach to the regulation of consumer protection. Because FTC enforcement is not tethered to any specific privacy policy and is primarily focused on protecting consumers, it becomes quite apparent that the FTC has the authority to regulate entities maintaining personal data even if those entities do not make any promises directly to the people to whom the data pertain.

The FTC’s power to protect third-party beneficiaries of institutional bargaining extends to companies that provide cloud services to public-sector entities. Although the FTC can generally only regulate commercial entities under Section 5,22 when public-sector institutions such as schools use private-sector cloud service providers, the FTC can regulate the cloud service provider. Although the cloud service provider might not have a direct relationship with the individuals whose data they maintain, these individuals are third-party beneficiaries of the privacy promises made by those who provide data to cloud service providers. As such, if a school enters a contract with a cloud service provider where student data is shared with the provider, that provider must live up to consumer expectations. Moreover, if the provider negotiates a deficient contract with a school, the deficiencies in this arrangement might themselves be contrary to student expectations. 

Cloud Service Providers as Data Stewards 

The FTC has started to embrace a larger philosophy that third-party data service providers should act as data stewards. In other words, companies that collect, use, and share personal data have certain responsibilities owed to the data subjects. These responsibilities could include ensuring harm from the use and distribution of data is minimized using technical safeguards, administrative procedures, and contractual terms. Data stewardship is already a concept embraced in certain specific areas, such as health care. The FTC’s approach draws upon the tradition of ‘‘third-party beneficiaries’’ in contract law, whereby intended third party recipients of benefits of a contractual term are entitled to enforce that term even though they are not technically a party to the agreement.23 Good stewardship even has a fiduciary-like quality whereby relationships with stark disparities in power are sometimes treated differently than those who negotiate at arm’s length. In this way, the FTC approach is similar to that of courts when finding implied obligations of confidentiality.24 Consumers have very little ability to ensure that cloud service providers protect the personal data that were entrusted to them, which makes these consumers vulnerable and largely unable to reasonably avoid risk. The FTC has laid the foundation for establishing standards of data stewardship on each side of the cloud service relationship. The next steps have yet to be taken, but the path is there, waiting to be traversed.

the FTC staff has also issued extensive guidance on online behavioral advertising, emphasizing four principles to protect consumer privacy interests:

  1. transparency and control, giving meaningful disclosure to consumers, and offering consumers choice about information collection;
  2. maintaining data security and limiting data retention;
  3. express consent before using information in a manner that is materially different from the privacy policy in place when the data was collected; and
  4. express consent before using sensitive data for behavioral advertising.

The FTC has not, however, indicated that opt-in consent for the use of non-sensitive information is necessary in behavioral advertising.

In terms of enforcement, the FTC has frequently brought successful actions under Section 5 against companies that did not adequately disclose their data collection practices, failed to abide by the promises made in their privacy policies, failed to comply with their security commitments, or failed to provide a ‘fair’ level of security for consumer information. Although various forms of relief (such as injunctions and damages) for privacy-related wrongs are available, the FTC has frequently resorted to settling cases by issuing consent decrees. Such decrees generally provide for ongoing monitoring by the FTC, prohibit further violations of the law and subject businesses to substantial financial penalties for consent decree violations. These enforcement actions have been characterized as shaping a common law of privacy that guides companies’ privacy practices

Cybersecurity and Data Breaches – Federal Law

Cybersecurity has been the focus of intense attention in the United States in recent years, and the legal landscape is dynamic and rapidly evolving. Nonetheless, at the time of writing, there is still no general law establishing federal data protection standards, and the FTC’s exercise of its Section 5 authority, as laid out above, remains the closest thing to a general, national-level cybersecurity regulation.

That said, recent years have brought a flurry of federal action related to cybersecurity. In 2015, Congress enacted the Cybersecurity Information Sharing Act (CISA), which seeks to encourage cyber threat information sharing within the private sector and between the private and public sectors by providing certain liability shields related to such sharing. CISA also authorizes network monitoring and certain other defensive measures, notwithstanding any other provision of law. In addition to CISA, Presidents Obama, Trump and Biden have issued a series of executive orders concerning cybersecurity, which have, among other things, directed the Department of Homeland Security and several other agencies to take steps to address cybersecurity and protect critical infrastructure and directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework. The latter, in particular, has been a noteworthy development: while the NIST Cybersecurity Framework provides voluntary guidance to help organizations manage cybersecurity risks, there is a general expectation that use of the framework (which is laudable, accessible, and adaptable) is a best practice consideration for companies holding sensitive consumer or proprietary business data. (The federal government’s response to the recent wave of cyberattacks is further detailed in Section II above.)

Specific Regulatory Areas – Federal Law

Along with the FTC’s application of its general authority to privacy-related harms, the United States has an extensive array of specific federal privacy and data security laws for the types of citizen and consumer data that are most sensitive and at risk. These laws grant various federal agencies rulemaking, oversight and enforcement authority, and these agencies often issue policy guidance on both general and specific privacy topics. Congress has passed robust laws that prescribe specific statutory standards for protecting the following types of information:

  1. financial information;
  2. healthcare information;
  3. information about children;
  4. telephone, internet and other electronic communications and records; and
  5. credit and consumer reports.

We briefly examine each of these categories and the agencies with primary enforcement responsibility for them below.

Financial Information

The Gramm-Leach-Bliley Act (GLBA) addresses financial data privacy and security by establishing standards pursuant to which financial institutions must safeguard and store their customers’ ‘nonpublic personal information’ (or ‘personally identifiable financial information’). In brief, the GLBA requires financial institutions to notify consumers of their policies and practices regarding the disclosure of personal information; to prohibit the disclosure of such data to unaffiliated third parties, unless consumers have the right to opt-out or other exceptions apply; and to establish safeguards to protect the security of personal information. The GLBA and its implementing regulations further require certain financial institutions (i.e., banks) to notify regulators and data subjects after breaches implicating nonpublic personal financial information, often referred to as NPI.

Various financial regulators, such as the federal banking regulators (e.g., the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency) and the Securities and Exchange Commission (SEC), have authority to enforce consumer privacy under the GLBA, while the FTC (for non-bank financial institutions) and the Consumer Financial Protection Bureau (CFPB) (for certain banks and non-bank financial institutions) do as well. (Insurance is regulated at the state level, so GLBA financial privacy in this sector is administered by state insurance commissions.)

The SEC has also increasingly used its broad investigative and enforcement powers over public companies that have suffered cybersecurity incidents. In doing so, the SEC has relied on multiple theories, including that material risks were not appropriately disclosed and reported pursuant to the agency’s guidance on how and when to do so and that internal controls for financial reporting relating to information security did not adequately capture and reflect the potential risk posed to the accuracy of financial results. Of particular note, in 2018, the SEC published interpretive guidance to assist publicly traded companies in disclosing their material cybersecurity risks and incidents to investors. 

The SEC has suggested that all public companies adopt cyber disclosure controls and procedures that enable companies to:

  1. identify cybersecurity risks and incidents;
  2. assess and analyze their impact on a company’s business;
  3. evaluate the significance associated with such risks and incidents;
  4. provide for open communications between technical experts and disclosure advisers;
  5. make timely disclosures regarding such risks and incidents; and
  6. adopt internal policies to prevent insider trading while the company is investigating a suspected data breach.

Healthcare Information

For healthcare privacy, entities within the Department of Health and Human Services (HHS) administer and enforce the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) Congress enacted HIPAA to create national standards for electronic healthcare transactions, and HHS has promulgated regulations to protect the privacy and security of personal health information. In general, HIPAA and its implementing regulations state that patients generally have to opt-in before covered organizations can share the patients’ information with other organizations.

HIPAA’s healthcare coverage is quite broad. It defines PHI as; ‘individually identifiable health information . . . transmitted or maintained in electronic media’ or in ‘any other form or medium’. Individually identifiable health information is in turn defined as a subset of health information, including demographic information, that ‘is created or received by a health care provider, health plan, employer, or health care clearinghouse’; that ‘relates to the past, present, or future physical or mental health or condition of an individual’, ‘the provision of health care to an individual’, or ‘the past, present, or future payment for the provision of health care to an individual’; and that either identifies the individual or provides a reasonable means by which to identify the individual. Notably, HIPAA does not apply to ‘de-identified’ data.

With respect to organizations, HIPAA places obligations on ‘covered entities’, which include health plans, healthcare clearinghouses and healthcare providers that engage in electronic transactions as well as, via HITECH, service providers to covered entities that need access to PHI to perform their services. It also imposes requirements in connection with employee medical insurance.

Moreover, HIPAA also places obligations on ‘business associates,’ which are required to enter into agreements, called business associate agreements, to safeguard PHI. A business associate is defined as an entity that performs or assists a covered entity in the performance of a function or activity that involves the use or disclosure of PHI (including, but not limited to, claims processing or administration activities).Such agreements require business associates to use and disclose PHI only as permitted or required by the agreement or as required by law and to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the business associate agreement. The agreements also include numerous other provisions regarding the confidentiality, integrity, and availability of electronic PHI.

HIPAA and HITECH not only restrict access to and use of PHI, but also impose stringent information security standards. In particular, HHS administers the HIPAA Breach Notification Rule, which imposes significant reporting requirements and provides for civil and criminal penalties for the compromise of PHI maintained by covered entities and their business associates. The HIPAA Security Rule also requires covered entities to maintain appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.

Information About Children

The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to operators of commercial websites and online services that are directed to children under the age of 13, as well as general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. The FTC is generally responsible for enforcing COPPA’s requirements which include, among other things, that these website operators post a privacy policy, provide notice about collection to parents, obtain verifiable parental consent before collecting personal information from children, and other actions.

Telephone, Internet, and Other Electronic Communications and Records

A number of legal regimes address communications and other electronic privacy and security, and only the briefest discussion of this highly technical area of law is possible here. In short, some of the key statutory schemes are as follows:

  1. the Electronic Communications Privacy Act of 1986 (ECPA) protects the privacy and security of the content of certain electronic communications and related records;
  2. the Computer Fraud and Abuse Act (CFAA) prohibits hacking and other forms of harmful and unauthorized access or trespass to computer systems, and can often be invoked against disloyal insiders or cybercriminals who attempt to steal trade secrets or otherwise misappropriate valuable corporate information contained on corporate computer networks;
  3. various sections of the Communications Act protect telecommunications information, including what is known as customer proprietary network information, or CPNI;
  4. the Telephone Consumer Protection Act (TCPA) governs robocalls and texts; and
  5. the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act governs commercial email messages, generally permitting companies to send commercial emails to anyone provided that the recipient has not opted out of receiving such emails from the company, the email identifies the sender and the sender’s contact information, and the email has instructions on how to easily and at no cost opt-out of future commercial emails from the company.

The Federal Communications Commission (FCC) is the primary regulator for communications privacy issues, although it shares jurisdiction with the FTC on certain issues, including notably the TCPA.

Credit and Consumer Reports

The Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003, imposes requirements on entities that possess or maintain consumer credit reporting information or information generated from consumer credit reports. Consumer reports are ‘any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility’ for credit, insurance, employment, or other similar purposes.

The CFPB, FTC and federal banking regulators (e.g., the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency) share authority for enforcing FCRA, which mandates accurate and relevant data collection to give consumers the ability to access and correct their credit information and limits the use of consumer reports to permissible purposes such as employment, and extension of credit or insurance.
For more information on how DataYard can help you prepare for the implementation of new FTC regulations, please visit us at www.datayard.us/contact