
01/12/2016

FTC Consent Order Highlights Importance of Proper Email Encryption Standards

The Federal Trade Commission (FTC) recently issued a consent order against Henry Schein Practice Solutions, Inc. (Schein), a software provider for dental practices, for allegedly marketing its software using deceptive assertions. The FTC fined Schein $250,000 for allegedly false advertising about the level of encryption the company provided to protect patient health data.

Schein advertised that its software provided industry-standard encryption methods to protect sensitive patient information as required by the Health Insurance Portability and Accountability Act (HIPAA). However, the FTC alleged that Schein was aware that its software did not comport with the Advanced Encryption Standard, which the National Institute of Standards and Technology (NIST) recognizes as the industry standard that meets the regulatory data encryption obligations under HIPAA. By failing to meet the encryption standards identified by NIST, Schein was found to have misled patients about the level of protection its software provided.

The significant fine the FTC assessed for Schein’s deceptive marketing correlates with the type of data Schein was encrypting. “Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.”

The primary lesson that title insurance and settlement companies should take from this consent order is the importance of clearly and accurately identifying encryption methods. When marketing software qualifications or security, it is better to be specific about what the software is capable of doing instead of using puffery or broad statements. Implying that the services meet certain regulatory standards may be seen as deceptive, as the FTC found Schein’s advertising to be in this case.

ALTA’s Title Insurance and Settlement Company Best Practices require that title insurance and settlement companies encrypt electronically transmitted non-public personal information. The ALTA Best Practices also require companies to provide a copy of their privacy policy to customers and to alert customers if a security breach occurs as required by law. Click here for more information about the Best Practices and their encryption requirements.
