FTC Settles Case Involving Stolen Laptop Containing Unencrypted Sensitive Information
In a recent settlement, the Federal Trade Commission (“FTC”) signaled to companies maintaining sensitive medical or financial information about consumers that they must carefully manage employees’ access to and stewardship of such data when held in unencrypted form. The FTC alleged that Accretive Health Inc., a provider of recordkeeping services to hospitals, failed to take reasonable and appropriate measures to protect the sensitive information it stored about patients—including names, dates of birth, billing information, diagnostic information, and Social Security numbers—from unauthorized access. In July 2011, a company employee’s laptop containing the unencrypted sensitive information of 23,000 patients was stolen from the employee’s car. In its Complaint, the FTC alleged that the company:
- transported laptops containing sensitive information in a manner that made them vulnerable to theft;
- failed to restrict access to sensitive information to employees with a need for such access;
- failed to delete information from employees’ computers when they no longer had need for such access; and
- failed to delete sensitive information placed on employees’ computers during training sessions.
The Commission alleged that these data security practices were “unfair” in violation of Section 5 of the FTC Act. In the Consent Order, the company agreed to establish and implement a comprehensive information security program and to obtain, and present to FTC regulators, a security assessment from a third-party auditor every 2 years for the next 20 years.