Federal Trade Commission

Don’t Misrepresent Your U.S. – E.U. Privacy Shield Status: FTC Brings An Enforcement Action

Posted by Ryan Blaney on July 06, 2018
cybersecurity, Federal Trade Commission, FTC, Privacy, Uncategorized / No Comments

As US companies continue to spend time and effort complying with and responding to all of the new privacy laws and regulations both in the United States and abroad (i.e. GDPR and California Consumer Privacy Act of 2018), companies cannot forget the basics.  If you represent something in your Privacy Policy it better be accurate, up to date, and not misleading!

On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation.  In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.”  According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.

The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks.  By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States.  To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard.  A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC.

FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

Posted by Gregory M. Fliszar on August 25, 2016
Federal Trade Commission, HIPAA, OCR / No Comments

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion which had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused harm to consumers to satisfy requirements under Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, obtain independent third party assessments of the implementation of the information security program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches.   Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see if there are any additional or conflicting data security standards mandated by both agencies.   Any companies handling PHI should, therefore, continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions – not just by OCR, but the FTC as well.

For more information about the FTC’s opinion, contact Gregory M. Fliszar or a member of Cozen O’Connor’s Health Law team.

ALJ Rules Against FTC in LabMD Data Security Action: Sets High Bar for Proving Consumer Harm

Posted by J. Nicole Martin on November 20, 2015
Federal Trade Commission, FTC, HIPAA / No Comments

Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that Continue reading…

“It’s Not Easy to Unscramble the Eggs” … Despite the FTC’s Win at the U.S. Supreme Court, the Phoebe Putney Hospital Merger Remains Intact

Posted by Ryan Blaney on April 03, 2015
Antitrust, CON Laws, Federal Trade Commission, Hospital, Merger / No Comments

Nearly four years after the Federal Trade Commission (“FTC”) first challenged the combination of the only two hospitals in Albany, Georgia, the FTC, Phoebe Putney Health Systems, Inc. (“Phoebe Putney”), Hospital Authority of Albany – Dougherty County (“Hospital Authority”) and HCA, Inc. (“HCA”) agreed to enter into a Consent Agreement. The FTC’s vote finalizing the Consent Agreement was 3-0-2, with Commissioners Joshua D. Wright and Terrell McSweeny not participating.  The Phoebe Putney litigation illustrates the challenges that the FTC and entities attempting to consummate a deal face in the merger process.  In Phoebe Putney, the FTC lost in two federal lower courts, won at the U.S. Supreme Court but ultimately was unable to unscramble a hospital merger that was found to be (1) anti-competitive and (2) a monopoly for inpatient general acute-care.

In addition to the Consent Agreement, a Statement was issued by Chairwoman Ramirez on March 31, 2015 summarizing the extensive procedural history of the litigation, the reasons the FTC challenged the merger, why the FTC did not require a divestiture and an explanation of the obligations that Phoebe Putney must meet under the Consent Agreement.  The March 31st Statement may provide insights into the FTC’s strategies when challenging future hospital mergers.  As explained below in the practice pointers, we anticipate the FTC citing Phoebe Putney in support of their preliminary injunctions and also citing to state certificate of need [CON] laws as evidence of barriers to entry for hospital competitors.

By way of background, since 1890 federal laws have supported national policies in favor of competition.  In Parker v. Brown, a 1943 U.S. Supreme Court decision, the state action doctrine provided that state governments have immunity from federal antitrust laws when they authorize economic activity that normally would be anticompetitive and illegal.  In 1941, Albany, Georgia and surrounding Dougherty County set up the Hospital Authority.  The Hospital Authority acquired an existing hospital, Phoebe Putney Memorial Hospital.  Two miles away Palmyra Medical Center was operated separately by HCA, Inc., one of the largest health care providers in the United States.  Palmyra and Phoebe Putney merged with the Hospital Authority as the buyer of Palmyra with the funds coming from Phoebe Putney.  Palmyra hospital was leased to Putney for $1 a year.  The Hospital Authority approved the merger in December 2010 but was not involved in the merger talks or management of the hospital.

The FTC and the State of Georgia filed a preliminary injunction in federal court to block the transaction but the federal district judge held that the state action doctrine applied and refused to stop the merger.  The FTC appealed to the 11th Circuit, which also found that the merger was insulated from antitrust inquiry under state action immunity concluding that harm to competition was the “foreseeable result” of the legislature’s establishment of the Hospital Authority.

The 11th Circuit decision dissolved the injunction pending appeal and on December 15, 2011 the merger was finalized.  The FTC appealed the 11th Circuit’s decision to the U.S. Supreme Court.  The two issues were: (1) whether the legislature had expressed its intentions clearly enough in allowing hospital proxies to operate in anti-competitive ways, and (2) whether the local hospital arrangement did not have immunity because the hospital authority had not played a large enough role in the merger.

The Supreme Court unanimously answered the first question, ruling that the state legislature had “not clearly articulated and affirmatively expressed a policy to allow hospital authorities to make acquisitions that substantially lessen competition.”  Following the Supreme Court decision, the FTC proceeded with the administrative litigation and proposed a 2013 consent agreement.  However, the 2013 consent agreement was withdrawn after a newly formed health care entity, North Albany Medical Center LLC, expressed interest in Palmyra hospital and sought clarification on Georgia’s CON laws.

In October 2014, the Georgia Department of Community Health (“DCH”) Hearing Officer issued a written finding that the CON laws would preclude Phoebe North from purchasing Palmyra since the Albany region was deemed “over-bedded.”  Given the DCH’s decision, the FTC determined that divestiture of Palmyra – Phoebe Putney was impossible.

The March 31st Settlement is very similar to the one proposed in 2013.  The Settlement requires:

  • Phoebe Putney and the Hospital Authority to notify the FTC in advance of acquiring any part of a hospital or a controlling interest in other health care providers in Albany for the next 10 years.
  • Phoebe Putney and the Hospital Authority cannot object to regulatory applications made by potential new hospital providers in the same region for 5 years.
  • Phoebe Putney and the Hospital Authority stipulate that the transaction was anti-competitive.

Practice Points:

  • The FTC’s March 31st Statement by Chairwoman Ramirez emphasizes the importance of the FTC and private plaintiffs in obtaining preliminary injunctive relief prior to a transaction closing. The health care industry should anticipate the FTC citing the Phoebe Putney case as supporting authority for why there will be irremediable harm if a hospital transaction closes before all appeals are exhausted.
  • We also anticipate that the FTC will use the Phoebe Putney case in support of arguments that state CON laws are additional barriers for entry of potential competitors and should be a significant factor when analyzing proposed mergers.

For further information contact the author Ryan P. Blaney (Washington, DC) or other members of Cozen O’Connor’s healthcare antitrust team, R. Christopher Raphaely (Philadelphia, PA), Melissa H. Maxman (Washington, DC) and Jonathan Grossman (Washington, DC).

ProMedica and the AHA Seek Guidance from SCOTUS on Hospital Consolidations and Mergers

Posted by Ryan Blaney on February 05, 2015
ACA, Federal Trade Commission, FTC, Supreme Court / No Comments

The New Year started out with a bang in the healthcare antitrust circles with ProMedica Health Systems Inc.’s (“ProMedica”) well-publicized petition to the US Supreme Court and the American Hospital Association’s (AHA) amicus brief in support of ProMedica.  ProMedica hopes that the Supreme Court will hear the case and overturn a Sixth Circuit ruling requiring ProMedica to divest St. Luke’s Hospital, a non-profit hospital in Toledo, Ohio.  As evidence of the complexity and the lengthy litigation challenges between ProMedica and the Federal Trade Commission (“FTC”), this merger occurred almost five years ago in 2010.  The FTC and the Ohio Attorney General had sued to dissolve the deal because they considered it anti-competitive, arguing that ProMedica would control 60% of the hospitals in the greater Toledo area. The FTC ordered ProMedica to divest St. Luke’s (21 HLR 467, 3/29/12).  The Sixth Circuit agreed with the FTC on the grounds that the merger would likely result in higher prices for payors and consumers and lead to unintended precedent for future hospital mergers.

ProMedica’s petition argues that this case is “a rare and uniquely apt vehicle for consideration of the [merger law] issues based on a fully-developed record.”  Hospital merger cases rarely are litigated through appeal and this case is an opportunity for the Supreme Court to clarify fundamental aspects of merger law nearly 40 years after the United States v. General Dynamics Corp., 415 U.S. 486 (1974) decision.  ProMedica argues that over the last 40 years confusion has developed over the FTC’s unilateral-effects theory and consolidation pressures have increased with the passage of the Affordable Care Act and other federal regulations.

ProMedica’s petition focuses on three merger law questions that the lower courts are divided on as the primary reasons why the Supreme Court should hear the case:

  1. How the FTC defines relevant market product for a merger analysis and whether the FTC can base it on supply-side considerations. ProMedica argued that the FTC should have either analyzed hospital services market by market because one kind of surgery is not a substitute for another or the FTC should have considered all four levels of hospital services as a package-deal market.
  2. Where the FTC relies exclusively on a unilateral-effects theory in challenging a merger may a court adopt a strong presumption of anti-competitive harm based solely on market-share statistics?
  3. Can the FTC rely on market-share statistics to preclude consideration of the merger target’s financial weakness to rebut a presumption of harm based on market-share statistics in unilateral-effects cases?

The unilateral effects analysis is the degree to which the merging hospitals are substitutes for each other.  The higher the substitutability between two merging hospitals, the greater the competition among them and the greater the power.  Here, ProMedica argues that Mercy Hospital, not St. Luke’s, is the closest substitute in the Toledo area.

ProMedica received support from the American Hospital Association (“AHA”) on the third issue, the “weakened competitor” doctrine.  On January 21, 2015, AHA filed an amicus brief asking the US Supreme Court to review the Sixth Circuit decision and the lower court’s characterization that the “weakened competitor” argument is a “Hail Mary” that deserves credence only in rare situations.  AHA argues that the Sixth Circuit’s erosion of the “weakened competitor” doctrine leaves the “viability of many small and stand-alone hospitals in jeopardy.”  AHA also argues that there are conflicting interpretations by the lower courts on how to read the General Dynamics decision.  Clarity is needed from the Supreme Court especially in the context of health care mergers.  Hospitals should not have to wait until they are on the edge of bankruptcy to merge.  AHA believes that the Sixth Circuit erred when it did not apply the General Dynamics weakened competitor analysis to the ProMedica acquisition.

The case is ProMedica Health System Inc. v. Federal Trade Commission, case number 14-762, in the Supreme Court of the United States.  The FTC has until March 2, 2015 to file a response.  It is unknown when the Supreme Court will decide about hearing the case.

For further information contact Ryan P. Blaney, Washington, DC, at rblaney@cozen.com.

Data Brokers: “Off the Radar” – FTC Calls for Greater Oversight

Posted by Ryan Blaney on June 09, 2014
Federal Trade Commission, FTC, HIPAA / No Comments

A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.

Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”

In order to promote transparency, the Commission recommended that Congress consider legislation:

– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.

– Requiring data brokers to clearly disclose to consumers that they not only use raw data (such as a person’s name, address, age, and income range), but that they also use data they derive with that information.

– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if they need to correct their data with an original public record source; require data brokers to allow consumers to correct erroneous information in their private databases.

– Mandating that consumer-facing entities provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

More generally, the Commission called on the data broker industry to adopt several best practices:

– Implement privacy-by-design, considering privacy issues at every stage of product development.

– Refrain from collecting information from children and teens, particularly in marketing products.

– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.
