FTC 50th Privacy Case, Settles with Medical Transcript Company

GMR Transcription Servs., Inc., a translation and transcription company, has agreed to settle with the FTC over alleged “inadequate data security measures.” The FTC argued that California-based GMR, along with its president and vice president, failed to provide “reasonable and appropriate security to protect personal information in audio and transcript files.” GMR conducts its business primarily online and relies on independent service providers to transcribe the audio files, including medical files for hospitals. According to the FTC, GMR had failed to ensure that reasonable and appropriate measures, including using anti-virus software and other protections, were implemented to protect information. The FTC alleged that because GMR did not require these protective measures, medical files containing protected personal information were publically available and accessed without authentication using an internet search engine. The proposed consent order requires GMR to establish a fully-documented “comprehensive information security program” requiring service providers and other third-party contractors to implement and maintain appropriate safeguards. The FTC announced that the GMR settlement marked its 50th data security settlement since 2002. The FTC has indicated that while the “Commission has made clear that it does not require perfect security” and that while there is no “one-size-fits-all” approach, it still recommends that companies be guided by the following basic principles: 1) companies should understand the information access controls within the company and what personal information they collect on consumers; 2) companies should restrict the information they collect to legitimate business needs; 3) information should be protected by focusing on “physical security, electronic security, employee training, and oversight of service providers”; 4) companies must properly dispose information; and 5) companies should have a data security incident response plan in place.

Tip: This case is a reminder that even without a federal data security law, the FTC still takes privacy seriously, and is continuing to pursue security issues under the FTC Act as deceptive or unfair practices. Companies are reminded to think about what measures are in place not only internally, but also with third party vendors who handle sensitive data.