Federal Trade Commission finalises order against GMR Transcription Services for weak privacy protections

August 22, 2014

While those in the privacy sphere in Australia watch and wait to see how the Privacy Commissioner will exercise his newly acquired (since 12 March 2014) powers of enforcement under the Privacy Act 1988, the Federal Trade Commission (“FTC”) moves apace in taking to task those engaging in privacy-intrusive conduct (via claims that the miscreants misrepresented that they protected their customers’ privacy). After announcing orders against Credit Karma and Fandango earlier this week (and posted here), the FTC has approved final orders against GMR Transcription Services, whose security practices were so deficient as to expose the personal information of thousands of consumers online, some of which were medical histories and examination notes. The settlement was first announced on 31 January 2014. The period of the settlement order is 20 years. Onerous by any measure but, given the nature of the breach, reasonable, particularly as the FTC has no power to fine GMR. In the UK the Information Commissioner may have been able to impose a monetary penalty. In the last 3 – 4 years the FTC has proven to be quite a vigorous regulator, using the limited powers available to it in privacy regulation. It has also been active in calling for greater privacy controls through appearances before Congressional Committees.

In Australia the Privacy Commissioner may bring civil penalty proceedings in the Federal and Federal Magistrates Court for serious interferences with privacy under the Privacy Act 1988. The maximum penalty for an individual is $370,000 and for a corporation $1.7 million. And of course there are legal costs and reputational damage associated with such a proceeding. Of course it is necessary for the Privacy Commissioner to actually bring a proceeding before the court will impose any civil penalty. And there is the rub, so far at least.

The facts in the GMR case are best set out in the January statement which provides:

A company that provides medical transcription services has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed the personal information of thousands of consumers on the open Internet, in some instances including consumers’ medical histories and examination notes.

In its complaint against California-based GMR Transcription Services, Inc. and the company’s two principal owners, the FTC alleges that GMR hired contractors to transcribe audio files received from the company’s customers.  The contractors downloaded the files from the company’s network, transcribed them, and then uploaded transcripts back to the network.  GMR then made the transcripts available to customers either directly or by e-mail.

Because of inadequate security, the complaint alleges, medical transcript files prepared between March 2011 and October 2011 by Fedtrans, GMR’s service provider, were indexed by a major internet search engine and were publicly available to anyone using the search engine.  Some of the files contained notes from medical examinations of children and other highly sensitive medical information, such as information about psychiatric disorders, alcohol use, drug abuse, and pregnancy loss.

The FTC’s consent order with GMR marks the 50th data security case the Commission has settled since undertaking its data security program 12 years ago. The Commission issued a statement today reaffirming the basic principles behind the FTC’s data security enforcement program.

“What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into a vital enforcement program that has helped to increase protections for consumers and has encouraged companies to make safeguarding consumer data a priority,” the Commission statement says.

In the case of GMR, the files handled by the company included sensitive information about consumers, including their driver’s license numbers, tax information, medical histories, notes from children’s medical examinations, medications and psychiatric notes, according to the FTC’s complaint.

According to the complaint, GMR’s privacy statements and policies promised that “materials going through our system are highly secure and are never divulged to anyone.” However, the company never required the individual typists it hired as contractors to implement security measures, such as installing anti-virus software.  In addition, an independent service provider GMR hired to transcribe medical files stored and transmitted the files in clear and readable text on a server that was configured so that they could be accessed online by anyone without authentication.

Under the terms of GMR’s settlement with the FTC, GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information.  They also must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers.  In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0. The Commission vote to issue the statement also was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 3, 2014, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

The FTC’s announcement of the final orders relevantly provides:

Following a public comment period, the Federal Trade Commission has approved a final order resolving FTC allegations that GMR Transcription Services, Inc., engaged in deceptive and unfair information security practices that exposed the personal information of thousands of consumers online, in some instances including consumers’ medical histories and examination notes. The settlement was first announced by the Commission in January.

In its complaint, the agency alleged that GMR’s data security practices were inadequate and resulted in transcriptions of audio files provided by GMR’s customers being indexed by a major search engine and made publicly available to anyone using the search engine.

Under the settlement, GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information.  They also must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers.  In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.

The order is found here.
