
Workplace Privacy, Data Management & Security Report

New York Attorney General Seeks Stronger Data Breach Notification Law and Data Security Safeguards

Written by Jeffrey M. Schlossberg

Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. If passed, the Attorney General said that the “new law will be the strongest, most comprehensive in the nation.” In announcing the proposal, the Attorney General cited his 2014 report finding that the number of reported data security breaches in New York more than tripled between 2006 and 2013.

The proposal would be a significant change to the state’s current definition of what constitutes private information (which has not been updated since 2005), which includes a person’s social security number; driver’s license number or non-driver identification card number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The proposed law would expand the definition of protected personal information to include medical history and health insurance information.

Additionally, and similar to the approach taken in Florida when it rewrote its breach notification law, the proposed bill would require all companies to have reasonable data security measures, including administrative, technical, and physical safeguards and to obtain independent data security certification. As an incentive for adopting strong data security standards, the law would provide companies with some protection from liability in civil lawsuits if they can demonstrate having taken adequate steps to protect private information from being hacked or inadvertently released.

The Attorney General will need sponsors in the New York State legislature to introduce a bill that would advance his agenda, although the New York Assembly has already introduced Bill A10190 which would amend the Empire State’s existing breach notification law to require entities which conduct business in the state, and which own or license computerized data which includes private information to develop, implement, and maintain a comprehensive information security program. However, whether or not either effort is successful, these attempts together with President Obama’s call for a national standard for data breach notification and efforts in other states indicate the heightened attention being given to data privacy and the impact of data breaches.

Top 15 for 2015 – Happy National Data Privacy Day

In honor of National Data Privacy Day, we provide the following “Top 15 for 2015.”  While the list is by no means exhaustive, it does provide some hot topics for businesses to consider in 2015.

  1. Inside Threats for Healthcare Providers and Business Associates. While news reports of security risks often focus on hackings and breaches caused by individuals, terror groups or even countries around the world, many organizations, including healthcare providers and business associates, face a significant and perhaps more immediate risk from an organization’s own workforce members. However, these organizations are not without recourse and can take several steps to reduce their risk of a data breach, reputational harm, investigation by federal and state agencies, and litigation.
  2. The Telephone Consumer Protection Act (TCPA). According to data cited by the U.S. Chamber of Commerce, TCPA suits have increased 30% in the past year, with many of those suits being filed as class actions. Notably, many of these suits are not just aimed at large companies. Instead, these suits are often focused on small businesses that may unknowingly violate the TCPA. With statutory damages ranging from $500 to $1500 per violation (e.g., per fax/text sent or call made), these suits often result in potential damages in the hundreds of thousands, if not millions, of dollars. Understanding the FAQs for the TCPA is a great first step as we enter 2015.
  3. Location Based Tracking. As the use of GPS-enabled devices becomes more and more prevalent, employers are often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts. This is particularly true when an employee is absent from work, is traveling for business, or makes a representation as to their location which the employer questions for one reason or another. The case law in this area is evolving rapidly, and both the public and private sector can expect to continue to face this issue in the future.
  4. Company Budgets with Respect to Technology. With each passing year, we see an increase in the amount of technology available to businesses and their employees. While many tech initiatives are focused on increasing employee productivity or company profits, businesses also must be prepared to increase their IT and data security budgets accordingly. As more company information is shifted to the cloud or made available to employees remotely, budgetary constraints will not provide a justification for poor tech support or data security.
  5. “HIPAA Litigation.” While HIPAA does not provide for a private cause of action, cases were brought in 2014 which used the HIPAA rules as an element in common law tort claims. By way of example, the Connecticut Supreme Court held that HIPAA did not preempt a negligence claim in connection with the healthcare provider’s disclosure of patient information in response to a subpoena. While it remains unclear whether liability will ultimately be determined, these cases will likely give potential plaintiffs legal precedent to file these types of actions, and the outcome of these actions should be monitored closely throughout 2015.
  6. BYOD. More and more businesses are realizing the risks of allowing employees to use their own electronic devices in the workplace and are turning to Bring Your Own Device (“BYOD”) programs to diminish some of these risks. Additionally, 2014 saw some companies shy away from BYOD and return to a strict company-owned device policy. Businesses considering BYOD should review our comprehensive BYOD issues outline.
  7. User Generated Health Data. The transformation of health information into electronic format has been well documented and will continue into the future. However, one of the biggest concerns for 2015 is health data which an individual voluntarily provides to track or chart their own health or fitness. Devices such as the Nike Fuelband, Fitbit, or similar devices or applications continue to allow individuals to enter and store more and more health information about themselves electronically. However, the privacy and security of this information is largely up for debate.
  8. Risk Assessment. As we have previously mentioned, many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step, in tackling information risk. It is logically impossible to adequately safeguard something you do not know exists. In fact, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  9. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in MA, MD, TX, CT, etc.), having one is critical to addressing information risk. Not only will a WISP, and associated training, better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, potentially avoid a breach from occurring in the first place, and may even help the company avoid whistleblower claims from employees.
  10. Dealing with Vendors. One area of high risk for company data is its use by, or access to it by, a company’s vendors during the course of the vendor services. Companies need to be aware of the legal requirements concerning company-owned data in this scenario as well as how to negotiate confidentiality and security provisions in the applicable services agreement.
  11. Develop a Plan for Breach Notification. All state and federal data breach notification requirements currently in effect require that notice be provided as soon as possible. Failing to respond appropriately could result in significant liability. This is true even when the number of individuals affected is relatively small. As we have seen this past year, a data breach can not only harm a company’s bottom line, but also can negatively impact the company’s reputation in the marketplace. Developing a breach response plan is not only prudent but also may be required under federal or state law. A proactive approach is often the simplest, and cheapest, way to avoid liability.
  12. Federal Trade Commission (FTC) & Federal Communications Commission’s (FCC) Enforcement Re: Data Security. 2014 saw the FTC continue to regulate company data security practices by bringing enforcement actions against many types of businesses. In one of the most significant cases of FTC enforcement, LabMD challenged the FTC’s authority to engage in enforcement activity related to its data security practices absent specific statutory authority to do so. In a recent ruling, the Eleventh Circuit sided with the FTC and held that companies that find themselves subject to regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final. Practically speaking, the Eleventh Circuit’s decision means that companies will find no relief from a court until the FTC issues a final agency action. Similarly, 2014 saw the FCC issue its first fines against a telecommunications carrier for the carrier’s alleged failure to reasonably secure their customers’ personal information in violation of the companies’ statutory duty under the Communications Act. We anticipate 2015 will see additional action by the FTC & FCC, as well as legal challenges to any enforcement by either agency.
  13. Investigating Social Media. Social media continues to grow on a global scale, and the content available on a user’s profile or account is often being sought in connection with litigation. In fact, failure to preserve relevant information in social media may have dire consequences. Further, while public content may generally be used without issue, if private content is accessed improperly, serious repercussions can follow.
  14. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. This is especially true given the number of significant data breaches that occurred throughout 2014. While no national law requiring the protection of personal information has yet been passed in the U.S., President Obama has stated that data security is one of the top issues for legislation in 2015. In the interim, companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to remain compliant and competitive in this regard.
  15. Jackson Lewis Webinar Series. Given the numerous developments in the world of data privacy and security, Jackson Lewis will be hosting a comprehensive webinar series to address these issues and how they may impact your business. We hope you can join us.

FTC Announces “Concrete Steps” for IoT Privacy and Security

As the vast array of internet-connected devices mushrooms, and technologies permit those devices to communicate with one another, calls for privacy and security can be heard. On the heels of a recent victory in the ongoing LabMD case, the Federal Trade Commission (FTC) announced yesterday “concrete steps” businesses can take to enhance the privacy and security of IoT for consumers. According to FTC Chairwoman Edith Ramirez, “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers.”

Increasingly, computing devices are being embedded with capabilities to connect with one another via the Internet. The FTC report estimates that there are currently 25 billion of these devices worldwide. Many believe these technologies will yield immeasurable benefits, including helping organizations to understand more efficient ways to do business, perhaps resulting in lower costs and risks. As the FTC notes, and many have experienced (even if not knowing about “IoT” specifically), IoT is already entrenched in our lives. For example, millions already use FitBit and other health and fitness monitoring devices, and millions of others have deployed these technologies in their home security systems and appliances.

The global consulting firm McKinsey & Co. discussed a number of other examples of IoT at play today, such as:

  • Pill-shaped microcameras that travel through the human digestive system and send back thousands of images to pinpoint sources of illness.
  • Farming equipment that communicates with remote satellites and ground sensors to assess crop conditions and adjust farming techniques.
  • Billboards that assess the consumer profiles of passersby and change displayed messages based on those assessments.

These technologies also can “support longer-range, more complex human planning and decision making.” McKinsey sees this occurring in many industries, such as retail, where collecting and analyzing data from shoppers moving through stores can be particularly useful in understanding buying patterns and what factors may influence the ultimate decision to buy. Clearly, in all of these industries, these same technologies can be used to collect information about a company’s workforce with similar goals in mind, including increased efficiency, improved safety, cost containment and risk avoidance. But, alas, there are significant privacy and data concerns as devices silently capture vast amounts of information about such things as movement, communications, patterns, and surroundings.

Enter the FTC. Consistent with its mission, the FTC’s report states that its focus is on IoT devices that are sold to or used by consumers, not in a business-to-business context, nor does it address broader machine-to-machine communications. Some of the concerns identified by the FTC come from a workshop it held in November 2013 – The Internet of Things: Privacy and Security in a Connected World. The risks that could harm consumers according to the FTC include:

  • enabling unauthorized access and misuse of personal information;
  • facilitating attacks on other systems; and
  • enabling privacy risks from the collection of personal information, habits, locations, and physical conditions over time that companies might use to make credit, insurance, and employment decisions.

The FTC explained, for example, that data gathered by a fitness tracker for a wellness-related purpose, such as participation in an employer-sponsored wellness program, could be used in the future to price health or life insurance or to infer the individual’s suitability for credit or employment (on the theory that people who exercise regularly make better credit risks or employees). This creates obvious potential risks under the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act, the Americans with Disabilities Act and other federal and state laws. The FTC report also called attention to a privacy risk involving use of these devices to enable remote eavesdropping into otherwise private spaces.

To address these risks, the FTC’s report makes a number of recommendations, with security being key. Below are some of these “recommendations”:

  • build security into devices at the outset – at the design stage – assess risks, collect the minimum necessary information;
  • train employees about the importance of security;
  • make sure third-party service providers maintain appropriate privacy and security protocols – “trust, but verify”;
  • employ a “defense-in-depth” strategy to apply multiple layers of security to defend against a particular risk;
  • stop unauthorized users from accessing a consumer’s device, data, or personal information; and
  • monitor devices, update as needed to address developing risks.

The FTC also recommends that notice be provided to give choices to individuals about how their information will be used, particularly when the data collection is beyond reasonable expectations, and acknowledged there are many ways effective notice could be delivered.

Companies using these technologies should review the FTC report and guidelines and, where appropriate, consider applying them as they adopt IoT. While not currently mandated, many of these guidelines are based on existing principles, best practices and laws concerning the privacy and security of personal information.

FTC’s Hammer Gets Bigger with LabMD Case

The on-going fight to hammer out the extent of the Federal Trade Commission’s authority to bring regulatory enforcement actions in data breach cases took another blow last week in LabMD v. FTC. In that case, the U.S. Court of Appeals for the Eleventh Circuit sided with the FTC, holding that companies that find themselves subject to regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final. Practically speaking, the Eleventh Circuit’s decision means that companies already beleaguered from investigating and remediating data breaches will be further embroiled with the FTC for the duration of an enforcement action, with no relief from a court until the FTC issues a final agency action.

LabMD provides cancer testing services for doctors. Several years ago, the FTC discovered that LabMD files could be inappropriately accessed on a peer-to-peer network. LabMD has corrected this security issue. The FTC investigated LabMD for three years. LabMD filed suit against the FTC seeking an injunction to stay the FTC action from continuing against it. LabMD took the position, among other things, that the FTC lacks the authority to regulate healthcare data breaches, an ultra vires argument that has been made, albeit slightly differently, by different companies in different contexts. Although LabMD raised numerous legal arguments about the FTC’s authority to regulate cybersecurity, the Eleventh Circuit did not reach them on the merits. Instead, the Court determined that LabMD’s entanglement with the FTC was not sufficiently final for the Court to rule, leaving LabMD to tangle with the FTC for a while longer.

According to the Administrative Procedure Act (“APA”), which governs judicial review of agency actions, only a “final agency action for which there is no other adequate remedy in a court [is] subject to judicial review.” 5 U.S.C. § 704. LabMD argued that the FTC’s Order and Complaint were sufficiently “final” and thus ripe for review. The Eleventh Circuit Court of Appeals disagreed. It stated that no “direct and appreciable legal consequences” flowed from the on-going FTC action, and “no rights or obligations had been determined.” Thus, the APA barred review of the FTC’s authority to investigate LabMD until the agency took a more final action.

LabMD also argued that the FTC’s actions in its case were unconstitutional and ultra vires, and that failures of jurisdictional authority made the decision ripe for review. The Court disagreed, holding that such matters would be better considered on a more thorough and complete administrative record. The Eleventh Circuit stated that a constitutional challenge is intertwined with a review of the procedures and merits in the context of the agency’s final order. Thus, it would not review such questions in the absence of a final agency record.

LabMD illustrates the practical problem of the decisions regarding the FTC’s authority in the cyber security space. If the FTC has statutory (and constitutional) authority to regulate in this arena under Section 5 of the Federal Trade Commission Act, then its investigation and enforcement against companies that commit “unfair” or “deceptive” cyber security practices is lawful. However, if the FTC does not have such authority, it does not have it, not now, not ever, as a matter of law. Waiting until it has spent more than four years investigating and sanctioning a company in order to create a final agency action on which to base such a decision seems inefficient and costly for businesses that are left guessing what the law is.

The practical implications of LabMD are similar to those gleaned from other recent FTC jurisdiction cases in other circuits. At this juncture, companies must operate with the assumption that the FTC has the authority to: (1) investigate data breaches; (2) bring enforcement actions for cyber security and privacy practices it believes are unfair or deceptive; (3) enter into consent decrees for penalties, on-going supervision and policy revision and training.

Healthcare Providers and Business Associates: Don’t Ignore the Insider Threats

News reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk rests with an organization’s workforce members. An organization’s information technology (IT) department can do a tremendous job securing the systems from outside intruders; however, focusing too heavily on external risks at the expense of internal risks can be problematic for any healthcare practice or healthcare industry vendor. Whether inadvertently or intentionally, employees are frequently the cause of improper uses or disclosures of patient data, putting the company at risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.

It is true that no system or set of safeguards is infallible; breaches are going to happen. However, here are some steps providers and business associates can take to reduce the risk that those breaches will be caused by members of the company’s workforce:

  • In-person Training. Many covered entities and business associates use on-line, “in-the-can” training products. These could be a valuable part of any training and awareness program, particularly for conveying general HIPAA privacy and security concepts. But there is no substitute for in-person training about the provider’s own policies as applied to the day-to-day circumstances of that practice or business. Employees need to ask questions and hear how policies interact with their particular job responsibilities to best understand some of the nuances in applying HIPAA and applicable state laws and privileges. The Texas Medical Records Privacy Act (the state’s “mini-HIPAA” law), for example, does not mandate in-person training, but it does require at Section 181.101 that training address “state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.” It is important to make training real, practical and regular. In many cases, it is the more senior employees, physicians and nurses, who could benefit most from such training.
  • Enhance Monitoring. All the training in the world will not protect an organization from an employee who is intent on taking information or improperly accessing information. For example, the employee might be trying to find out information about the diagnosis or drug use of a family member, or the employee may be in fear of losing his or her job and want to collect evidence for subsequent litigation. Other employees may want to steal patient/customer information for a new business, or commit medical identity theft, which is reported to be growing rapidly. Implemented carefully and responsibly, monitoring systems activity can be an excellent tool for helping the organization to mitigate and in some cases stop data loss.
  • Manage Devices. The flood of new and more powerful devices carried by employees is a headache for any Privacy Officer. But some of the risks could be relieved through careful planning and policies. Consider the following: (i) should all devices be permitted; (ii) if so, what mobile device management solution, if any, should be used; (iii) which employees should be permitted to use devices at the workplace, and what should they be permitted to access; (iv) what happens to the device when the employee is terminated or purchases a new device; (v) do employees have to be reimbursed for the cost of the device or the data service; and (vi) are there any labor law considerations, whether or not the workforce is unionized.
  • Plan for a Breach. As noted above, breaches are going to happen, so plan and run drills. Even if only a single page, have a checklist for responding that addresses such things as who should be involved in the response process, who will coordinate the investigation and ensure systems are secure, what vendors the organization can call upon (legal, forensic, etc.), insurance contacts and requirements, and who makes decisions on such things as whether to notify, whom to notify, and what to say in the notice. Employees hear about these incidents, but many do not have a feel for what a breach is, how to report internally, the steps involved, and how quickly the organization must respond.
  • Assess Confidence in IT Staff. For many practices, it likely is easier to assess a surgeon’s competence than the competence of the practice’s IT director. Often the owners of a healthcare practice do not find this out until it is too late. The business should take steps to ensure it has the right team in this critical department. In some cases, it may need to have an outside vendor assess the performance of its internal team.

Could your healthcare practice or business become the target of an external attacker? Yes. Is it likely? Probably not as likely as an internal incident. The steps outlined above are not exhaustive, and do not promise HIPAA compliance. They are, however, sensible best practices to help avoid inadvertent and intentional activities inside the organization that can cause a data privacy or security incident.

FCC Seeks Comments On Fax Ad Opt-Out Notice

The Federal Communications Commission (FCC) is continuing its efforts to clarify the Telephone Consumer Protection Act (TCPA) and its requirements.

To this end, the FCC is seeking comments by tomorrow, January 13, 2015, on eleven petitions seeking waiver of the FCC’s rule on opt-out notices on fax advertisements to recipients who have provided prior express invitation or permission. Specifically, the petitioners seek retroactive waiver of the opt-out notice requirement for fax ads which the petitioners assert were sent where prior express invitation or permission had been obtained from the recipient. The petitioners argue that good cause exists because they are similarly situated to parties who were previously granted retroactive waivers from this requirement by the FCC because of uncertainty about whether the opt-out notice applied to “solicited” faxes.

Under the TCPA, unsolicited faxed advertisements are prohibited unless the sender has an established business relationship with the recipient; the recipient voluntarily communicated his or her fax number directly to the sender or a directory; and the faxed ad also contains an opt-out notice.

While comments are due tomorrow, reply comments are due January 20, 2015.

President Obama to Call For National Data Breach Notification Law and Other Cybersecurity Measures

About two years ago, President Obama signed an executive order on the date that he delivered his State of the Union address which directed certain federal agencies to develop voluntary standards for achieving cybersecurity. Preparing for his 2015 State of the Union address, Bloomberg and other news outlets are reporting this morning that President Obama will be proposing legislation, including the Personal Data Notification & Protection Act, designed to increase protections for personal data. This announcement comes in advance of the President’s visit to the Federal Trade Commission today, and apparently will be a topic during the coming State of the Union address later this month.

According to the reports, the President wants a national standard for data breach notification, one that requires notice to customers within 30 days of discovering the breach. Criminal sanctions also would be enacted for persons engaged in illegal trading of identities, the economic engine behind massive payment card breaches. The President’s proposal also would tighten protections for student data and consumer data pertaining to energy use. The President also will seek to enact into law provisions of the Consumer Privacy Bill of Rights that the White House issued in February 2012.

White House Press Release

Over the past 10 or so years, there have been many calls for broad-based data security measures at the federal level, including a national data breach notification standard. Many members of the House and Senate proposed a number of laws in this area. Those efforts have largely failed. Whether the President’s call for action following a year of massive data breaches will yield a different result remains to be seen, particularly as the Republican Party has a stronger grip on the legislative branch.

Indiana Attorney General Enforces HIPAA For First Time – Another Lesson for Small Business

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business’ customers, the business owner should be paying more attention. Ask the vendor what steps it has in place to protect information, whether it has a written information security plan, whether it is licensed, whether it has insurance in the event of a breach, whether it trains employees about data security, and, yes, how it disposes of the records and data it is being asked to handle. In many states, businesses are required to have language in their service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.

FAQs About the Telephone Consumer Protection Act

Complying with the Telephone Consumer Protection Act (TCPA) is a growing concern for employers and others. This is especially true given that suits under the TCPA have regularly resulted in damage awards of hundreds of thousands, if not millions, of dollars.

We have developed a comprehensive set of frequently asked questions concerning TCPA. If you are interested in learning more about the TCPA, and its impact on your business:

FCC Promises Action Against Those Who Fail to Safeguard

On December 19, 2014, the FCC published Chairman Thomas Wheeler’s response to Senator Bill Nelson’s (D-FL) letter regarding the FCC’s recent proposed $10 million fine against two telecom companies.

In the response, Chairman Wheeler reiterated the need for FCC action in this area and explained that consumers regularly entrust their most personal, confidential, and sensitive information to communication networks and service providers. The Chairman went on to state that the FCC has a responsibility to ensure that service providers and network operators are taking reasonable steps to “honor the public trust, and to protect consumers from harm caused by violations of the Communications Act.”

With some of the strongest language to date concerning the FCC’s role in this area, the Chairman said:

As the nation’s expert agency on communications networks, the Commission cannot – and will not – stand idly by when a service provider’s lax security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud. I assure you that the Commission will exercise its full authority against companies that fail to meet their statutory requirements of safeguarding the personal information of consumers.

In light of the prior FCC action and the Chairman’s most recent statements, service providers and network operators must ensure their data security practices are up to date and they are appropriately safeguarding the personal information of consumers with which they are entrusted.