
When the Feds Find Out! Lack of Data Security Leads to Novel and Hefty Settlements

The Federal Government continues to ramp up enforcement of data security requirements, deploying significant new enforcement theories and tools in support of the cyber and data security controls required by federal law. Specifically, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) recently entered into settlements with private companies that underscore these cybersecurity mandates and the additional resources the Federal Government is devoting to enforcing them.

Why are these cases important?

  • The DOJ settlement is the first False Claims Act case involving DOJ’s Civil Cyber-Fraud Initiative.

  • The FTC settlement involves not only the current owner of the entity that experienced multiple data breaches, but also that entity’s former owner.

First, on March 7, 2022, the DOJ reached a court-approved settlement agreement with Comprehensive Health Services (CHS) to resolve allegations that CHS violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities. Importantly, according to the DOJ, the factual representations and contractual requirements at issue pertain to CHS’s commitment to provide HIPAA-compliant electronic medical records systems and support for the patient care required by the contract. DOJ alleged that CHS did not abide by these requirements and knew of lapses in data security and system protocols. The DOJ stated that even when the issues came to light, CHS did not address them or report them externally, contrary to HIPAA requirements. A whistleblower, Dr. M. Shawn Lawler, filed suit against CHS under the qui tam (whistleblower) provisions of the False Claims Act on these and other issues. The DOJ joined the case and resolved it in this month’s comprehensive civil settlement. Specifically, the DOJ’s civil settlement resolves two separate actions brought against CHS under the False Claims Act.[1]

The DOJ statement on these cases emphasized that the “investigation and resolution of this matter illustrates the government’s emphasis on combatting cyber-fraud.” Specifically, on “October 6, 2021, the Deputy Attorney General announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

Second, on March 15, 2022, the FTC entered into a settlement with the current and former owners of CafePress, an online customized merchandise platform, regarding allegations that CafePress failed to implement “reasonable security measures” to protect consumers’ information and failed to notify individuals of “multiple” breaches. The FTC alleges that CafePress did not implement encryption, reasonable password protection, threat detection and response, security incident response, or appropriate data deletion. The FTC’s settlement requires CafePress to implement additional security controls and, notably, requires its former owner, Residual Pumpkin Entity, LLC, to pay $500,000 to compensate small businesses and other victims of the data breaches.

According to the FTC’s statement on the case,[2] CafePress knew that it had vulnerabilities in its systems as early as January 2018, when CafePress determined that certain accounts had been hacked; at that time CafePress took no action other than closing the accounts at issue and charging the victims a $25 account closure fee. Further, the FTC stated that CafePress used consumers’ email addresses for marketing, even though its consumer policies stated that consumer information would only be used to fulfill orders.

Takeaways

The Federal Government will use a strong and growing array of tools to enforce cybersecurity mandates and requirements, whether in the federal contractor community or in the private sector as a whole, and has indicated that this stepped-up enforcement will continue. Companies should therefore assume the Government will find out if they lack adequate data security controls or did not provide the notifications required by federal law after a data breach, and should expect it to take action against every entity involved in the non-compliance, including both current and former business owners. At a minimum, these cases show the importance of:

  • Ensuring a robust data security compliance program that implements all applicable data security requirements;

  • Making complete and accurate representations of fact about data security when bidding for government contracts (or other contracts) and in the course of undertaking administration and performance of such contracts;

  • Maintaining and following a thorough incident response and breach notification plan;

  • Reviewing all government contract requirements related to data security and prioritizing compliance with such requirements; and

  • Responding to employee reports and complaints about data security in a meaningful way.


[1] See United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., Case No. 20-cv-698 (E.D.N.Y.), and United States ex rel. Watkins et al. v. CHS Middle East, LLC, Case No. 17-cv-4319 (E.D.N.Y.).

[2] See FTC listserv announcement of March 15, 2022.

© Polsinelli PC, Polsinelli LLP in California
National Law Review, Volume XII, Number 81

About this Author

Iliana L. Peters, Shareholder, Data Privacy, Polsinelli Law Firm

Iliana L. Peters believes good data privacy and security is fundamental to ensuring patients’ trust in the health care system, and to helping health care clients succeed in an ever-changing landscape of threats to data security. She is recognized by the health care industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data.

For over a decade...

202.626.8327
John C. Cleary, Shareholder, Polsinelli (Commercial Litigation; Health Care; Technology & Innovation; Intellectual Property & Technology Litigation; Patent Litigation; Privacy and Cybersecurity; Technology Transactions)

John Cleary’s practice focuses on serving the Technology Transaction and Data Privacy needs of U.S. companies, with an emphasis on data security incidents and other cyber controversies.

John also brings his dispute resolution skills to bear on problems faced by clients across an array of litigation and pre-litigation settings, principally in the areas of intellectual property, cybersecurity, insurance, banking and maritime law. John previously served as an Assistant U.S. Attorney in Washington, D.C., representing U.S. government agencies and officials across a range of...

212-413-2837