FTC Consent Order Highlights Importance of Proper Email Encryption Standards
The Federal Trade Commission (FTC) recently issued a consent order against Henry Schein Practice Solutions, Inc. (Schein), a software provider for dental practices, for allegedly marketing its software using deceptive assertions. The FTC fined Schein $250,000 for alleged false marketing advertisements related to the level of encryption the company provided to protect patient health data.
Schein advertised that its software provided industry-standard encryption methods to protect sensitive patient information as required by the Health Insurance Portability and Accountability Act (HIPAA). However, the FTC alleged that Schein was aware that its software did not comport with the Advanced Encryption Standard, which the National Institute of Standards and Technology (NIST) recognizes as the industry standard that meets the regulatory data encryption obligations under HIPAA. By failing to meet the encryption standards identified by NIST, Schein was found to have misled patients about the level of protection its software provided.
The significant fine the FTC assessed for Schein’s deceptive marketing correlates with the type of data Schein was encrypting. “Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.”
The primary lesson that title insurance and settlement companies should take from this consent order is the importance of clearly and accurately identifying encryption methods. When marketing software qualifications or security, it is better to be specific about what the software is capable of doing instead of using puffery or broad statements. Implying that the services meet certain regulatory standards may be seen as deceptive, as the FTC found Schein’s advertising to be in this case.