Broker and Compliance Officer of Broker-Dealer Firm Personally Fined by SEC for Customer Privacy Violations

On April 7, 2011, the SEC announced that it had imposed fines of $20,000 each against the former president of a broker-dealer and a former broker for their actions in transferring customer information to a new firm as the defunct firm wound down. The SEC also fined the brokerage firm’s former chief compliance officer $15,000 for compliance failures and security breaches that took place at the defunct firm, some dating back to 2005. Click here to read our client alert about the SEC's recent action.

New HIPAA Cop: First AG Settlement for HIPAA Violations

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

This settlement resulted from the first ever attorney general action under the HITECH Act, as a result of the loss by Health Net, a health insurer, of a computer disk drive that contained unencrypted protected health information such as claims forms, health plan appeals information, and other sensitive data relating to approximately 1.5 million health plan participants (approximately one-third of whom resided in Connecticut). The Connecticut AG focused upon the several-month delay by Health Net in reporting the loss to law enforcement officials.

As part of the settlement, Health Net has agreed to pay $250,000 to the state, offer two years of credit monitoring for affected participants, obtain $1 million of identity theft insurance, and reimburse affected individuals for security freezes. An additional contingent payment of $500,000 will need to be paid, under specified circumstances, in the event that the lost information is actually accessed and misused. Further, Health Net has agreed to a corrective action plan that includes various privacy and security measures to heighten protections for health information as well as other sensitive data, regular monitoring, and reporting to the attorney general’s office. Many of the steps that Health Net agreed to undertake relate to the handling of portable media and the encryption of sensitive data, such as encryption of hard drives, including those on desktop computers, as well as to the improvement of security training and awareness for personnel. 

While many commentators have understandably focused on the security breach notification provisions of the HITECH Act, the provision of the Act that authorizes state attorneys general to bring civil actions for violations of HIPAA also warrants attention. The inclusion of this provision adds an additional avenue for enforcement of privacy and security violations by HIPAA-covered entities, although the Connecticut action is the only such action that has been brought to date since the HITECH Act was enacted in February 2009.

COPPA Enforcement Action

Earlier today, the FTC announced its latest COPPA enforcement action (http://www.ftc.gov/opa/2009/10/iconix.shtm). Iconix Brand Group, Inc., the operator of websites featuring its apparel brands, was fined $250,000 for collecting personal information from children without complying with COPPA’s parental consent rubric.

The FTC cited the websites associated with the brands Mudd, Candie’s, Bongo and OP, which are popular with children and teens. The FTC did not characterize Iconix’s websites as ones “directed to children.” According to the FTC's complaint, the websites each have online registration processes that, among other things, collect the birthdate of users; Iconix violated COPPA by collecting personal information from approximately 1000 users who identified themselves as under 13. The collection occurred through website and sweepstakes registration, through post-registration email marketing, and through public disclosure at a “Share Your Story” feature on one of the websites.

The FTC also cited Iconix for stating in its privacy policy that it would not collect personal information from children without parental consent, when its practices did not conform to its policy.

General audience websites that collect birthdate or age-related information from their users should employ an FTC-compliant neutral age-screening mechanism to ensure that if a user enters information disclosing that he or she is under 13, the website operator does not collect or disclose personally identifiable information from that user.
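The following is an added example of the age-screening step described above; it is not code from the post, from Iconix, or from the FTC. It assumes a registration form that asks for a full birthdate as YYYY-MM-DD with no hint of the 13-year cutoff, and an assumed list of form fields the site treats as personal information. The point it demonstrates is that the screen must decide before anything is stored, emailed or published, and that a naive year subtraction misclassifies users whose 13th birthday has not yet arrived this year.

```javascript
// Added example (not from the original post): a neutral age-screening gate for a
// general-audience registration form. Field names and the PII list are assumptions.

const COPPA_AGE_THRESHOLD = 13; // the under-13 threshold referred to in the post

// Fields this site treats as personal information that must not be collected
// from a user who identifies as under 13 (assumed list for this example).
const PII_FIELDS = ["email", "firstName", "lastName", "street", "phone"];

// Parse a YYYY-MM-DD birthdate string; returns null for malformed or impossible
// dates (Date would otherwise silently roll 2010-02-30 over into March).
function parseBirthdate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(s));
  if (!m) return null;
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  const date = new Date(Date.UTC(y, mo - 1, d));
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo - 1 || date.getUTCDate() !== d) {
    return null;
  }
  return date;
}

// Whole years between a date of birth and a reference date, subtracting one
// when the birthday has not yet occurred in the reference year.
function ageOn(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() < dob.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age;
}

// Decide the registration path. The form itself stays neutral (full date, no
// cutoff shown); the decision happens here, before any record is created.
function screenRegistration(submission, today = new Date()) {
  const dob = parseBirthdate(submission.birthdate);
  if (dob === null || dob > today) {
    return { allowed: false, reason: "invalid-birthdate", data: null };
  }
  const age = ageOn(dob, today);
  if (age < COPPA_AGE_THRESHOLD) {
    // Under 13: keep only fields outside the PII list, and drop the birthdate
    // too, so nothing the post calls personal information is retained.
    const data = {};
    for (const [k, v] of Object.entries(submission)) {
      if (!PII_FIELDS.includes(k) && k !== "birthdate") data[k] = v;
    }
    return { allowed: false, reason: "under-13", data };
  }
  return { allowed: true, reason: "age-13-or-over", data: { ...submission } };
}

// Constructed sample submissions, evaluated as of 2009-10-20 (a fixed date so
// the outcome does not change with the calendar).
const asOf = new Date(Date.UTC(2009, 9, 20));
const sampleAdult = { birthdate: "1980-05-05", email: "adult@example.test", nickname: "a" };
const sampleChild = { birthdate: "2000-01-01", email: "kid@example.test", nickname: "k" };
console.log(screenRegistration(sampleAdult, asOf).reason); // age-13-or-over
console.log(screenRegistration(sampleChild, asOf).reason); // under-13
```

In deployment the result of the screen is usually remembered client-side so that a user cannot simply go back and enter a different date; that step is common COPPA practice and is not described in the post.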