Some business owners operate under the belief that, as long as their firm isn't the victim of a successful cyberattack, they won't face consequences for failing to comply with the rules and regulations that apply to them. As the Federal Trade Commission's announcement this morning of a settlement with Medable, Inc., shows, that isn't the case.


California-based Medable, Inc., which provides technology solutions to business customers in the pharmaceutical, biotechnology, and research industries, falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program's principles. The company initiated an application with the Department of Commerce in December 2017 but never completed the steps necessary to participate in the framework. (The Department of Commerce administers the framework; the FTC enforces the promises companies make when they join it, treating a false claim of participation as a deceptive practice.)


The Commission issues an administrative complaint when it has "reason to believe" that the law has been or is being violated and a proceeding appears to be in the public interest. Once the Commission issues a consent order on a final basis, that order carries the force of law with respect to the company's future conduct, and each violation of it may result in a civil penalty of up to $42,530.


With the California Consumer Privacy Act (CCPA) entering into force in January 2020, it's important that business owners ensure they are compliant with it and with the other regulations that apply to them. As the Medable settlement shows, a business doesn't need to be the victim of an attack or catastrophe to face consequences for failing to maintain compliance, or for claiming a compliance status it does not actually hold.