This is the latest in a series of data security case studies offered by bTrade in support of National Cyber Security Awareness Month. (Follow @bTradeLLC for other cyber security awareness information shared on our Twitter feed). As mentioned in a previous case study, bTrade will examine documents from public cases/proceedings initiated by regulators alleging bad data security practices, with the hope that lessons can be learned from data security mistakes identified in the documents. The next case we will examine involves a company named GMR Transcription Services, Inc.
GMR Has a Transcription Business
GMR is a US-based company that provides a variety of services, including general transcription for individuals and businesses in a variety of professions and industries. GMR’s customers include university students and faculty, well-known corporations (including retailers, insurers, and telecom and financial service providers), government agencies, and health care providers and hospitals.
To Conduct Its Business, GMR Exchanged Data Electronically with Numerous Contractors
GMR conducts its transcription business almost entirely online using its own computers and devices, various websites, and computers and devices leased from third-party service providers that are operated by or for GMR. GMR relies almost exclusively on independent service providers to transcribe audio files that GMR assigns to them. The data transmission process went something like this:
- GMR’s transcription process began when a customer logged in to one of GMR’s websites and uploaded an audio file to a leased server located on GMR’s computer network.
- GMR assigned non-medical audio file transcriptions to at least 100 independent typists located in North America.
- All medical audio file transcriptions were assigned to an entity in India named Fedtrans Transcription Services, Inc., and Fedtrans then assigned GMR’s files to independent typists for transcription.
- After being notified of the assignment, the typist or Fedtrans logged in to the website and downloaded the file.
- Fedtrans followed a similar process through which an independent typist downloaded the file from Fedtrans’ computer network.
- After downloading the audio file, the typist converted it into a Microsoft Word file (“transcript file”) and then followed the reverse process to upload it back to GMR’s computer network.
- Thereafter, GMR either emailed the transcript file to the customer or notified the customer to retrieve the file from GMR’s computer network.
The Electronic Data Consisted of Highly Sensitive Information
The audio files and transcript files contained sensitive personally identifiable information (PII) from or about consumers, including children. For example, the Fedtrans files included such PII as health care provider names, examination notes, medical histories, medications, and, in some cases, employment histories and marital status. Some of the files contained children's examination notes and highly sensitive medical information, such as information about psychiatric disorders, alcohol use, drug abuse, and pregnancy loss.
The Contractor Problem
GMR’s data security practices drew the scrutiny of the Federal Trade Commission (FTC) after transcripts of audio files supplied by GMR’s customers were found to have been indexed by a major search engine and made available to anyone who used it. The FTC alleged that Fedtrans, the contractor in India, used a File Transfer Protocol (“FTP”) application both to store medical audio and transcript files on its computer network and to transmit them between that network and its typists. The application stored and transmitted the files in clear, readable text, and it was configured so that the files could be accessed online by anyone, without authentication. That is how the files came to be crawled and indexed: there was no credential standing between the search engine and the medical transcripts.
The Veracity Problem
GMR disseminated privacy policies and statements representing how it ensured the privacy and security of personal information. The FTC alleged that those data security representations were false and misleading.
The FTC settled its charges after GMR and its owners, Ajay Prasad and Shreekant Srivastava, agreed to the following terms:
- GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information.
- GMR must establish a “comprehensive information security program” that will protect consumers’ sensitive personal information, including information the company provided to independent service providers.
- GMR must have its information security program evaluated both initially and every two years by a certified third party.
And here’s the kicker: the settlement will be in force for the next 20 years.
Know your contractors/vendors. Pay close attention to and scrutinize the data security practices of individuals/entities with which you exchange PII or other sensitive data. MFT Nation has written previously about the efforts of some companies to vet the data security practices of their vendors. In this post, for example, MFT Nation noted that Bank of America was auditing its outside law firms’ data security practices because the FBI and others had “flagged concerns over cyber security at law firms—given the value of their corporate clients’ information to potential attackers, and law firms’ often slow adaptation to new technologies.” Follow the lead of Bank of America and conduct some data security due diligence for businesses with whom you exchange sensitive PII.
Require use of encryption. GMR could have included a contractual provision requiring each contractor to adopt reasonable security precautions, including the use of encryption.
Verify compliance. According to the FTC, “including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process.” The FTC has advised that businesses can no longer operate on a “take our word for it” basis when it comes to verifying the data security practices of third parties with which they are exchanging PII. As U.S. President Ronald Reagan said frequently when discussing U.S. relations with the Soviet Union: “Trust, but verify.”
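As an added example (not code from the original post or from bTrade), here is the kind of check that the “require encryption” and “verify compliance” lessons call for, applied to the open, cleartext FTP setup the FTC described. It assumes a vsftpd-style `key=value` configuration file and the directive names and built-in defaults from the vsftpd man page; the post does not say which FTP software Fedtrans ran, so treat that as an assumption, and the two sample configurations are constructed for illustration. The offline audit flags a server that lets anonymous users in or that does not require TLS; the live probe at the end is the “trust, but verify” step you would run against a vendor’s host, with its permission.

```python
"""Audit an FTP deployment for the two failures described in the GMR case:
cleartext storage/transmission and access without authentication.

Added example, not part of the original post. Assumes a vsftpd-style
``key=value`` config file (the post does not name Fedtrans' FTP software).
"""
from __future__ import annotations

import ftplib

# Built-in vsftpd defaults for the directives checked below, so a directive
# omitted from the file is judged by what the server actually does.
# Assumed from the vsftpd man page; verify against your own build.
DEFAULTS: dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse ``key=value`` lines, ignoring blank lines and ``#`` comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().upper()
    return conf


def audit(conf: dict[str, str]) -> dict[str, str]:
    """Return {directive: why it is a problem}; an empty dict means no findings."""
    findings: dict[str, str] = {}
    if conf["anonymous_enable"] == "YES":
        findings["anonymous_enable"] = (
            "anonymous login allowed: anyone who finds the host can read the "
            "files without a credential, and a crawler can index them"
        )
        if conf["anon_upload_enable"] == "YES":
            findings["anon_upload_enable"] = "anonymous users can also write files"
    if conf["ssl_enable"] != "YES":
        findings["ssl_enable"] = (
            "TLS disabled: logins and file contents cross the network in cleartext"
        )
    else:
        # TLS being available is not the same as TLS being required.
        if conf["force_local_data_ssl"] != "YES":
            findings["force_local_data_ssl"] = "file transfers may fall back to cleartext"
        if conf["force_local_logins_ssl"] != "YES":
            findings["force_local_logins_ssl"] = "passwords may be sent in cleartext"
    return findings


def anonymous_login_allowed(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Live 'trust, but verify' probe: True if an anonymous login succeeds.

    Run only against hosts you are authorised to test. Network errors are
    deliberately left to propagate so an unreachable host is not reported
    as 'secure'.
    """
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # ftplib defaults to user 'anonymous'
            return True
    except ftplib.error_perm:  # server answered 530 or similar: login refused
        return False


# Constructed sample configurations (not Fedtrans' real files).
WEAK_CONF = """\
# open, cleartext FTP of the kind described in the FTC complaint
listen=YES
anonymous_enable=YES
local_enable=NO
ssl_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(parse_vsftpd_conf(text))
        print(f"{name}: {len(problems)} finding(s)")
        for directive, why in problems.items():
            print(f"  {directive}: {why}")
```

Note that the audit starts from the server’s built-in defaults rather than from an empty map: an empty or minimal vsftpd file is an open, cleartext server, which is exactly the case a contractual “use encryption” clause alone does not catch. The point of the oversight step is to run a check like this (or the live probe) against the contractor’s actual deployment, not to take their word for it.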
Don’t misrepresent yourself. The FTC sanctioned GMR because its privacy policies and statements misrepresented its actual data security and privacy practices. It seems so obvious, but based on what happened in the GMR case, I guess the old adage bears repeating: “Honesty is the best policy.”
We could’ve helped you, GMR: A particular type of managed file transfer solution would have avoided the pain that GMR experienced from this sad situation. For example, bTrade’s TDXchange solution could have provided a secure data storage mailbox for each of the individuals working in the transcription process, providing a completely secured, encrypted, end-to-end channel for transmission of the audio files, as well as when the files were at rest in a mailbox. Because the data would have been transferred and held in an encrypted state in a password-protected mailbox, GMR could have circumvented the dreaded open FTP server that got GMR in trouble. Encrypting data (whether in-transit or at-rest) and authenticating users are just two of the many TDXchange features that GMR could have used to avoid FTC scrutiny.