Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

Posted on November 29, 2011 by Colin J. Zick

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
     
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
     
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
     
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

Tags: , , , , , , , , , ,

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

Posted on March 2, 2011 by Colin J. Zick

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

Tags: , , , , , , , ,

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

Posted on July 7, 2010 by Colin J. Zick

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.

 

The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA.  The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:

 

· A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

· A $250,000 payment to the state representing statutory damages.

· An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

Tags: , , , , , ,