On January 5, 2015, the Federal Trade Commission (FTC) entered into a consent order with dental software manufacturer Henry Schein Practice Solutions, Inc. (“Schein”) in connection with allegations that Schein had made misleading security-related representations about its software. The consent order underscores that while security-enhanced product features are in high demand, companies must be careful to avoid unfair or deceptive marketing of such features.
Schein sells a dental practice management software called Dentrix G5 that stores medical and dental patient information. In 2012, Schein added a new feature to Dentrix G5, and marketed it heavily in 2014. Among other things, Schein represented that the feature:
- “provides new encryption capabilities that can help keep patient records safe and secure . . . and stay compliant with HIPAA security standards”
- “offers improved protection by storing your patient data in an encrypted format. With ever-increasing data protection regulations, [product] provides an important line of defense…”
- “delivers several distinct benefits . . . including . . . improved data protection by storing customer data in an encrypted format. With medical professionals under strict regulatory obligations to protect their patient’s PHI, [product] provides an important line of defense…”
Schein continued to make these representations despite being put on notice by the third-party manufacturer of the feature, as well as by the United States Computer Emergency Readiness Team (“US-CERT”), that the security feature utilized an untested algorithm that was “less secure and more vulnerable than widely-used, industry standard encryption algorithms such as Advanced Encryption Standard (“AES”) encryption.”
Based on allegations that Schein’s disclosures to customers relating to its level of security were false and misleading under Section 5 of the FTC Act, Schein agreed to pay a $250,000 fine and notify all customers who purchased the product prior to January 2014 (when Schein made corrective disclosures about the true nature of the security algorithm) in a non-admission settlement.
There are several takeaways from this most recent Section 5 FTC enforcement action in relation to an organization’s cybersecurity practices:
- In many ways, this case is an extension of the FTC’s Wyndham strategy (that we posted on in “Third Circuit to Wyndham (Part II)“) and is a typical example of the FTC’s power to police misleading statements or implications regarding cybersecurity. The FTC alleged that Schein’s data security statements were deceptive because they implied that the provider encrypted data sufficient to meet a certain regulatory standard (HIPAA), which could lead a dentist to reasonably believe that the provider’s security features – particularly, encryption – were consistent with the dentists obligation to protect data under HIPAA.
- The allegations in the complaint, however, raises questions, and may foretell that the FTC is moving toward recognizing that “industry standard” encryption means AES encryption, as recommended by the National Institutes of Standards and Technology (“NIST”) in Special Publication 800-111. This is an important consideration for organizations as they decide how to encrypt data in motion and at rest. It also has significant implications as companies prepare terms of service and use policies that make representations regarding their internal security measures. The phrase “encryption” should not be used lightly unless the encryption methodology meets a recognized, industry standard encryption methodology.
- The FTC consumer protection mandate extends to B2B situations where the deceived “consumers” are small businesses. Here, the FTC noted that deceptive statements made by the B2B service provider to its customers could have a downstream deceptive impact on consumers. For example, if a dentist using the software experienced a data breach, it may fail to notify its patients under the mistaken belief that it encrypted data to a degree sufficient to meet the HIPAA Breach Rule encryption safe harbor, or it may misinform its patients about their risk of identity theft by telling them that the data was “encrypted.”
- Both the HIPAA breach notification rule and virtually all of the state data breach notification laws establish a safe harbor that allows organizations that encrypt personal data to avoid notification obligations in the event that such data is compromised. The complaint and consent order strongly suggest that the FTC believes that reasonable encryption must utilize AES encryption (as recommended in NIST SP 800-111) or higher. Accordingly, organizations that implement encryption strategies should be aware that the FTC may very well expect the company to issue consumer breach notifications, unless the data at issue was AES encrypted or better. This is certainly true in Washington where, as we previously reported, the notification safe harbor applies if the data is “encrypted in a manner that meets or exceeds” NIST standards, and also in California where the safe harbor applies to encryption that is consistent with “industry standards.”