FTC Settles Case Involving Stolen Laptop Containing Unencrypted Sensitive Information

Published On January 3, 2014 | By Dan Sachs | FTC & State AG, Litigation

In a recent settlement, the Federal Trade Commission (“FTC”) signaled to companies maintaining sensitive medical or financial information about consumers that they must carefully manage employees’ access to and stewardship of such data when held in unencrypted form. The FTC alleged that Accretive Health Inc., a provider of recordkeeping services to hospitals, failed to take reasonable and appropriate measures to protect the sensitive information it stored about patients—including names, dates of birth, billing information, diagnostic information, and Social Security numbers—from unauthorized access.  In July 2011, a company employee’s laptop containing the unencrypted sensitive information of 23,000 patients was stolen from the employee’s car. In its Complaint, the FTC alleged that the company:

  • transported laptops containing sensitive information in a manner that made them vulnerable to theft;
  • failed to restrict access to sensitive information to employees with a need for such access;
  • failed to delete information from employees’ computers when they no longer had need for such access; and
  • failed to delete sensitive information placed on employees’ computers during training sessions.

The Commission alleged that these data security practices were “unfair” in violation of Section 5 of the FTC Act. In the Consent Order, the company agreed to establish and implement a comprehensive information security program and obtain and present to FTC regulators a security assessment from a third party auditor every 2 years for the next 20 years.

About The Author

Dan Sachs, ZwillGen’s inaugural Fellow, assists ZwillGen attorneys on a broad range of matters, including litigation, investigations, product counseling, regulatory compliance, and policy. Prior to joining the firm, Dan worked at Facebook, where he assisted the Chief Privacy Officer for Policy in responding to federal, state, and international policy developments, engaging with regulators and stakeholders, and advising business units on privacy issues. During law school, Dan was a member of the George Washington Law Review and served as a research assistant to Professor Jeffrey Rosen, focusing on U.S. and international consumer privacy and surveillance issues. He was a legal intern with ZwillGen in the summer of 2012. Dan also worked as a legal intern with the U.S. Attorney’s Office for the District of Columbia.