FTC

Don’t Misrepresent Your U.S. – E.U. Privacy Shield Status: FTC Brings An Enforcement Action

Posted by Ryan Blaney on July 06, 2018
cybersecurity, Federal Trade Commission, FTC, Privacy, Uncategorized / No Comments

As US companies continue to spend time and effort complying with and responding to all of the new privacy laws and regulations both in the United States and abroad (i.e. GDPR and California Consumer Privacy Act of 2018), companies cannot forget the basics.  If you represent something in your Privacy Policy, it better be accurate, up to date, and not misleading!

On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation.  In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.”  According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.

The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks.  By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States.  To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard.  A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC.


Third Circuit Puts Penn State Hershey/Pinnacle Merger on Hold

Posted by J. Nicole Martin on October 04, 2016
FTC / No Comments

Last week, the Third Circuit Court of Appeals held that the merger between Penn State Hershey Medical Center and PinnacleHealth System, the two largest hospitals in Harrisburg, Pennsylvania, may not move forward at this time. The Court of Appeals overturned the District Court’s (Middle District of PA) denial of the FTC’s and the Commonwealth of Pennsylvania’s request for a preliminary injunction, directing the District Court to enter a preliminary injunction blocking the merger “pending the outcome of the FTC’s administrative adjudication.”

In reaching its decision, the Court of Appeals held that the critical determination of the relevant market for a proper antitrust analysis should be defined primarily “through the lens of the insurers” and that it “was error for the District court to completely disregard the role insurers play in the healthcare market.” The Court of Appeals ruled that the relevant market was the four-county Harrisburg area. It found that the market was highly concentrated and that the combined hospitals would control 76 percent of the market. As a result, the plaintiffs were found to have established a prima facie case that the merger “is presumptively anticompetitive.”

In rebuttal, the hospitals alleged, among other things, that the merger would result in efficiencies leading to capital savings and enhance the hospitals’ efforts to engage in risk-based contracting, but the Court of Appeals found that these arguments failed to demonstrate tangible, verifiable benefits to consumers, and only constituted “speculative assurances.” It remains to be seen whether the hospitals will continue their pursuit of the merger through the FTC’s administrative review process or abandon it.

This decision, like others involving hospitals that have preceded it, underscores the unique nature of the markets in which hospitals and other healthcare providers operate. These markets are not primarily defined by the direct impact of market consolidation upon the behavior of the ultimate consumers, the patients. Instead, the markets are defined by the patients’ purchasing surrogates, their health insurers.

For more information about this decision, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team.


ALJ Rules Against FTC in LabMD Data Security Action: Sets High Bar for Proving Consumer Harm

Posted by J. Nicole Martin on November 20, 2015
Federal Trade Commission, FTC, HIPAA / No Comments

Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that Continue reading…


ProMedica and the AHA Seek Guidance from SCOTUS on Hospital Consolidations and Mergers

Posted by Ryan Blaney on February 05, 2015
ACA, Federal Trade Commission, FTC, Supreme Court / No Comments

The New Year started out with a bang in the healthcare antitrust circles with ProMedica Health Systems Inc.’s (“ProMedica”) well-publicized petition to the US Supreme Court and the American Hospital Association’s (AHA) amicus brief in support of ProMedica.  ProMedica hopes that the Supreme Court will hear the case and overturn a Sixth Circuit ruling requiring ProMedica to divest St. Luke’s Hospital, a non-profit hospital in Toledo, Ohio.  As evidence of the complexity and the lengthy litigation challenges between ProMedica and the Federal Trade Commission (“FTC”), this merger occurred almost five years ago in 2010.  The FTC and the Ohio Attorney General had sued to dissolve the deal because they considered it anti-competitive, arguing that ProMedica would control 60% of the hospitals in the greater Toledo area. The FTC ordered ProMedica to divest St. Luke’s (21 HLR 467, 3/29/12).  The Sixth Circuit agreed with the FTC on the grounds that the merger would likely result in higher prices for payors and consumers and lead to unintended precedent for future hospital mergers.

ProMedica’s petition argues that this case is “a rare and uniquely apt vehicle for consideration of the [merger law] issues based on a fully-developed record.”  Hospital merger cases rarely are litigated through appeal and this case is an opportunity for the Supreme Court to clarify fundamental aspects of merger law nearly 40 years after the United States v. General Dynamics Corp., 415 U.S. 486 (1974) decision.  ProMedica argues that over the last 40 years confusion has developed over the FTC’s unilateral-effects theory and consolidation pressures have increased with the passage of the Affordable Care Act and other federal regulations.

ProMedica’s petition focuses on three merger law questions that the lower courts are divided on as the primary reasons why the Supreme Court should hear the case:

  1. How the FTC defines relevant market product for a merger analysis and whether the FTC can base it on supply-side considerations. ProMedica argued that the FTC should have either analyzed hospital services market by market because one kind of surgery is not a substitute for another or the FTC should have considered all four levels of hospital services as a package-deal market.
  2. Where the FTC relies exclusively on a unilateral-effects theory in challenging a merger, may a court adopt a strong presumption of anti-competitive harm based solely on market-share statistics?
  3. Can the FTC rely on market-share statistics to preclude consideration of the merger target’s financial weakness to rebut a presumption of harm based on market-share statistics in unilateral-effects cases?

The unilateral effects analysis is the degree to which the merging hospitals are substitutes for each other.  The higher the substitutability between two merging hospitals, the greater the competition among them and the greater the power.  Here, ProMedica argues that Mercy Hospital, not St. Luke’s, is the closest substitute in the Toledo area.

ProMedica received support from the American Hospital Association (“AHA”) on the third issue, the “weakened competitor” doctrine.  On January 21, 2015, AHA filed an amicus brief asking the US Supreme Court to review the Sixth Circuit decision and the lower court’s characterization that the “weakened competitor” argument is a “Hail Mary” that deserves credence only in rare situations.  AHA argues that the Sixth Circuit’s erosion of the “weakened competitor” doctrine leaves the “viability of many small and stand-alone hospitals in jeopardy.”  AHA also argues that there are conflicting interpretations by the lower courts on how to read the General Dynamics decision.  Clarity is needed from the Supreme Court especially in the context of health care mergers.  Hospitals should not have to wait until they are on the edge of bankruptcy to merge.  AHA believes that the Sixth Circuit erred when it did not apply the General Dynamics weakened competitor analysis to the ProMedica acquisition.

The case is ProMedica Health System Inc. v. Federal Trade Commission, case number 14-762, in the Supreme Court of the United States.  The FTC has until March 2, 2015 to file a response.  It is unknown when the Supreme Court will decide about hearing the case.

For further information contact Ryan P. Blaney, Washington, DC, at rblaney@cozen.com.


Enforcement Action – FTC Is Not Backing Down and Laboratory Company Goes After a Cyber-Intelligence Company

Posted by Ryan Blaney on June 10, 2014
FTC, HIPAA / No Comments

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not the only government arm that enforces data breaches. The Federal Trade Commission (FTC) has broad authority to regulate the security of consumer information and hold companies liable for a failure to use adequate data security practices. In August 2013, the FTC targeted LabMD, a medical testing laboratory, which maintains personal financial and health information for nearly one million consumers. The FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which resulted in the data of thousands of consumers being leaked on to the peer-to-peer file-sharing network LimeWire, the black market and in the hands of illegal data brokers.

Until recently the FTC enforced its breach authority under the Act without pushback, so a company facing allegations would simply settle. However, LabMD became the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority). LabMD attempted to stop the investigation by filing appeals to federal district and appellate courts and the FTC. The appeals were based primarily on two arguments: (i) the FTC does not have the statutory authority to set data security standards for companies; and (ii) LabMD is already subject to the OCR’s enforcement authority under HIPAA’s security regulations, so it should not also be subject to the FTC’s enforcement authority.

Despite LabMD’s best efforts, two Eleventh Circuit judges refused to intervene before the FTC issued its final order, and the FTC rejected LabMD’s motion to dismiss and moved forward with the administrative proceedings. However, LabMD continues to fight back. Recently, LabMD filed a motion to dismiss with the FTC, and contended that the FTC had not proven that the data breach caused injury, specifically, that it did not present evidence that there was, or was likely to be, substantial harm to consumers as a result of the breach.

During trial, Michael Daugherty, CEO of LabMD, testified that the effect of the FTC’s allegations and subsequent probe has placed the company in a “very deep coma” and that he “can’t understate how damaging and confusing and sideswiping [the matter is] to the attitude, energy and morale of [LabMD’s] management staff.”

Interestingly, the trial has been on recess since May 30 when the administrative law judge delayed the proceeding until June 12 in response to an announcement that the House Committee on Oversight and Government Reform was investigating Tiversa Inc., the cyber-intelligence firm that played a central role in the FTC’s case against LabMD. In a separate lawsuit, LabMD is alleging that Tiversa provided the FTC with patient information files that it stole from LabMD.

When trial resumes on June 12, the focus will continue to be on whether LabMD’s data security standards that it used to protect consumers’ personal information were reasonable. It will be interesting to see whether developments from the Tiversa investigation impact the outcome of the trial. For more information about this proceeding go to the FTC website.

Practice Tip: Ensure that your security policies and procedures are being implemented and followed in accordance with HIPAA security requirements because inadequate security safeguards may lead to enforcement actions by the OCR and the FTC.


Data Brokers: “Off the Radar” – FTC Calls for Greater Oversight

Posted by Ryan Blaney on June 09, 2014
Federal Trade Commission, FTC, HIPAA / No Comments

A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.

Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”

In order to promote transparency, the Commission recommended that Congress consider legislation:

– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.

– Requiring data brokers to clearly disclose to consumers that they not only use raw data (such as a person’s name, address, age, and income range), but that they also use data they derive with that information.

– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if they need to correct their data with an original public record source; require data brokers to allow consumers to correct erroneous information in their private databases.

– Mandating that consumer-facing entities provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

More generally, the Commission called on the data broker industry to adopt several best practices:

– Implement privacy-by-design, considering privacy issues at every stage of product development.

– Refrain from collecting information from children and teens, particularly in marketing products.

– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.
