A recent settlement filed by the Federal Trade Commission (FTC) and GoodRx may merit a review of your cyber insurance coverages. Earlier this month, the FTC took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information.
As detailed in a February 27 Hunton client alert, the Health Breach Notification Rule generally requires that vendors not covered by the Health Insurance Portability and Accountability Act (HIPAA) of personal health records give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records.
According to the FTC complaint, GoodRx is subject to the Rule as a vendor of personal health records and GoodRx—a provider of services that allegedly allows individuals to compare prescription pricing at nearby pharmacies on its mobile application or on its website—“integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App,” which collected and sent personal data to third parties for “advertising, data analytics, or other business services.” In a proposed order filed by the Department of Justice on behalf of the FTC, GoodRx will pay a $1.5 million civil penalty for its violation and be prohibited from sharing user health data with third parties for advertising purposes. GoodRx denies any wrongdoing and stated that it agreed to the settlement to avoid a costly legal battle.
Hunton partner Phyllis Marcus, who works on FTC compliance cases, commented that, “While some have said they would have wanted a higher penalty, this cost sets the bar for future [FTC] actions.” But, the FTC’s unprecedented use of the Health Breach Notification Rule also highlights the need for policyholders who gather personal information for consumer transactions, marketing purposes or as part of their core business model to ensure that their risk management plan includes a cyber policy that covers regulatory investigations and actions such as the one initiated against GoodRx.
With regulators such as the FTC increasing cybersecurity enforcement, regulatory defense coverage is increasingly important. Enforcement actions can result from security failures to protect data (including employee information), improper data collection practices, failure to disclose a data breach or deceptive privacy practices. A comprehensive cyber policy covers attorneys’ fees and costs associated with formal regulatory or administrative investigations, including any resulting in penalties or fines. However, policyholders should be aware of the terms of their policies.
For example, not all policies expressly cover regulatory fines that federal or state regulators may impose for a company’s violation of a privacy statute where no underlying cyber incident occurred. Instead, some policies link reimbursement to the existence of a breach and its documentation. With the adoption of more federal and state laws on cybersecurity, however, some insurers are starting to offer cyber coverage that includes a “compliance” element. This is important because regulatory fines could present significant costs for a policyholder.
As another example, some cyber insurance policies exclude coverage for claims arising out of unauthorized data collection practices or alleging violations of collection, use and disclosure practices not reflected in the company’s privacy policy. Ensuring that the company’s privacy policies and opt-in and opt-out practices are accurate and transparent can be challenging. Companies collecting consumer data information must understand the technologies used on their websites and in their mobile applications and ensure that their privacy policies accurately reflect their collection, use and disclosure of such information using those technologies, or risk an insurance coverage denial. According to the FTC’s complaint, GoodRx shared sensitive personal health information for years with advertising companies, contrary to the promises made in GoodRx’s privacy policies. Among other violations, the FTC alleged that GoodRx failed to report the unauthorized disclosures which is required under the Health Breach Notification Rule. The failure to properly disclose information sharing practices in a privacy policy could not only violate the FTC Act and lead to an investigation and enforcement action, but also preclude coverage under a cyber insurance policy for regulatory investigations and third-party claims.
Today, the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for businesses of all sizes. All cyber insurance policies are not created equal, so having experienced coverage counsel to help you find a policy that suits your business needs when the policy is negotiated, and understand your obligations under the policy to maximize insurance recovery, can help you avoid issues after a claim arises.
- Associate
Olivia’s practice focuses on complex insurance litigation and advising policyholders in insurance coverage matters. Olivia has represented clients in all stages of complex insurance coverage actions, with matters involving ...
- Counsel
Latosha helps policyholders maximize insurance recoveries with sound advice and effective solutions. Latosha delivers comprehensive end-to-end counsel to help clients with all of their insurance coverage needs from policy ...
Search
Recent Posts
- Ninth Circuit Continues to Clarify When Reference to Back Label is Appropriate in False Advertising Cases
- FTC adopts final “Click-to-Cancel” Rule aimed at recurring subscription services
- From Produce to Insurance Coverage: What Businesses Concerned About Illinois Biometric Information Privacy Act (BIPA) Risks Can Learn From Tony’s Finer Foods
Categories
- Advertising & Marketing
- Bankruptcy
- Class Action
- Competition/Antitrust
- Consumer Protection
- Corporate Governance
- Environmental
- General
- Health Care
- Insurance
- IP
- Labor and Employment
- Mergers & Acquisitions
- Patent Infringement
- Patents
- Privacy & Cybersecurity
- Product Liability
- Real Estate
- Regulatory
- Regulatory
- Technology & E-Commerce
Tags
- 29 C.F.R. § 785.48
- 396-r
- 3D Printer
- 3D Printing
- A. Todd Brown
- A.S. Research (ASR)
- Aaron P. Simpson
- Advertisers
- Advertising
- Advertising Claims
- Advertising Idea
- Agency Guidance
- AI
- AI Interviewing Platforms
- Algorithmic Accountability Act
- Align
- Americans with Disabilities Act
- Americans with Disabilities Act (ADA)
- Andrea DeField
- Ann Marie Buerkle
- Annual Reports
- anti-aging
- Anti-Discrimination
- APEX Agreement
- Arbitration
- Arbitration Agreements
- Arizona
- Arkansas
- Arthritis
- Artificial Intelligence
- Artificial Intelligence (AI)
- Asbestos
- Assembly Bill 51 (AB 51)
- ATDS
- Australia
- Auto-renewals
- automatic telephone dialing system (ATDS)
- Automobile
- Automotive Body Parts Association (ABPA)
- Back to Work Emergency Ordinance
- biased endorsements
- Biden Administration
- Biometric Data
- Biometric Information
- Biometric Information Privacy Act (BIPA)
- BIPA
- Bitcoin
- Blockchain
- Board Diversity Disclosure
- Boards of Directors
- Bonuses
- Braille
- Branding
- Breach
- Breach of Contract
- Business Interruption Loss
- Businessowner’s Insurance
- California
- California Assembly Bill 2011
- California Employment Laws
- California Fair Employment and Housing Act
- California False Claims Act
- California Labor Code
- California Senate Bill 6
- California’s Unfair Competition Law
- CAMS
- Canada
- Cannabis
- CBD
- CBP
- CCPA
- Celebrity Endorsers
- Center for Disease Control (CDC)
- CFIUS
- CGL
- Chatbot
- Children’s Advertising
- Children’s Advertising Review Unit
- Children’s Online Privacy Protection Act (COPPA)
- China
- Christopher J. Dufek
- Christopher W. Hasbrouck
- Christy Kiely
- Class Action
- Class Actions
- Clawback
- Click-to-Cancel
- Climate Change
- clinical trials
- Collective Action
- Colorado
- Commercial General Liability
- Commercial Leasing
- Commodity Futures Trading Commission
- Compliance
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Data
- Consumer Financial Protection Bureau
- consumer loyalty program
- Consumer Product Safety Act
- Consumer Products
- Consumer Products Safety Commission (CPSC)
- Consumer Protection
- Consumer Review Fairness Act of 2016 (CRFA)
- Consumer Reviews
- Contamination
- Contract Law
- Controlled Substance Act
- Cookware
- COPPA
- Copyright
- Coronavirus/COVID-19
- Corp Fin
- Corporate Governance
- Corporate Sustainability
- Counterfeit Goods
- Counterfeit Goods Seizure Act of 2019
- CPRA
- CPSA
- CPSC
- Crack House Statute
- CRFA
- Cryptocurrency
- CSPA
- Cuba
- Currency
- Customs and Border Protection
- Cyber Coverage
- D&O
- D&O policies
- D. Andrew Quigley
- Damages
- Data Breach
- Davidson
- DEI
- Delaware
- DEP
- Department of Justice
- Department of Labor
- Development Impact Fee
- Digital Assets
- digital currency
- Disclosures
- Distribution
- Division of Corporation Finance
- Dodd-Frank
- DOJ
- DOL
- Duty to Defend
- Duty to Indemnify
- e-liquid products
- Eddie Bauer
- EEOC
- Electric Vehicles
- Eleventh Circuit
- Emily Burkhardt Vicente
- Employee Rights
- Endorsement
- Endorsement Guides
- Endorsement Notice
- Endorsements
- endorser monitoring requirements
- Enforcement
- Environmental Protection Agency
- Environmental Protection Agency (EPA)
- EPA
- Epidemic
- ESG
- ESG Disclosure
- EU Regulation
- European Union
- European Unitary Patent
- EV Charging
- Exceptions
- Exclusions
- Exercise Machines
- Extended Producer Responsibility (EPR)
- FAA
- Fair Labor Standards Act
- Fair Labor Standards Act (FLSA)
- fair use
- False Advertising
- False Advertising Claims
- False Advertising Law
- False Claims Act
- Family Leave Policies
- FCC
- FCRA
- FDA
- Federal Arbitration Act (FAA)
- Federal Communications Commission
- Federal District Court
- Federal Trade Commission
- Federal Trade Commission (FTC)
- FFDCA
- FIFRA
- Fifth Circuit
- Fireworks
- First Amendment
- Fixing America’s Surface Transportation (FAST) Act
- Florida
- Florida House of Representatives (HB 963) and Florida Senate (SB 1670)
- Florida Legislature
- FLSA
- FLSA/Wage & Hour
- food delivery
- Food Safety
- Form 10-K
- Formaldehyde Standards for Composite Wood Products Act of 2010
- fractional interests
- Franchise
- Frederic Chang
- Free Trials
- FTC
- FTC Act
- Gavin Newsom
- GDPR
- General Liability
- Geoffrey B. Fehling
- Georgia
- Gift Cards
- GoodRx
- Gramm-Leach-Bliley (GLB) Act
- Green
- Green Guides
- Greenhouse Gas
- Gun Safety
- Hart-Scott-Rodino
- Hart-Scott-Rodino (HSR)
- hashtag
- Hawaii
- Health Care
- Health Claims
- Hedge Fund
- HIPAA
- hoverboards
- human capital
- Human Rights
- Illinois
- Illinois Artificial Intelligence Video Interview Act (the Illinois Act)
- Illinois Biometric Information Privacy Act (BIPA)
- Indiana
- Influencer Marketing
- Infringement
- initial public offerings (IPOs)
- Injury
- Insurance
- Insurance Loss
- Insurance Provider
- Intellectual Property
- Intellectual Property Licenses in Bankruptcy Act
- Interest Rate
- International
- International Trade Commission
- International Trade Commission (ITC)
- INVISALIGN
- Iowa
- IP
- Ireland
- IT
- ITC
- iTERO
- Katherine Miller
- Kurt A. Powell
- Kurt G. Larkin
- Labeling Rules
- Labor
- Labor Code Private Attorneys General Act of 2004 (PAGA)
- Labor Organizing
- Labor Unions
- Land Use
- Landlord
- Latin America
- Lautenberg Act
- Lawsuit Reform Alliance of New York (LRANY)
- Lead
- Lease
- Legislation
- Leveraged Loans
- Liability Insurance Policy
- Liberty Insurance Corporation
- Liberty Mutual Fire Insurance Company
- LIBOR Discontinuation
- liquidity
- Litigation
- Live Chat
- Louisiana
- M&A
- Made in the USA
- Made in USA
- MagicSleeve
- Magnuson-Moss Warranty Act
- Magnuson-Moss Warranty Act (MMWA)
- Maine
- Malcolm C. Weiss
- Manufacturing
- Marketing Claims
- Maryland
- Massachusetts
- Matthew T. McLellan
- Maya M. Eckstein
- MD&A
- Medtail
- Membership cancellation
- Metaverse
- MeToo Movement
- Mexico
- Michael J. Mueller
- Michael S. Levine
- Minimum Wage
- Minnesota
- Minnesota Pollution Control Agency (MPCA)
- Misclassification
- Mislabeling
- Mission Product Holdings
- Missouri
- Mobile
- Mobile App
- Multi-Level Marketing Program (MLM)
- NAA
- NAD
- NASA
- National Advertising Division
- National Advertising Division (NAD)
- National Advertising Review Board
- National Products Inc.
- National Retail Federation
- Natural Disaster
- Nebraska
- Neil K. Gilman
- Network Outage
- Nevada
- New Jersey
- New York
- NHTSA
- NIL rights
- Ninth Circuit
- NLRA
- NLRB
- no-action request
- non-fungible token (NFT)
- North Carolina
- Obama Administration
- Occupational Safety and Health Administration (OSHA)
- Occurrence
- Office of Labor Standards Enforcement
- Ohio
- Oklahoma
- Online Retailer
- online reviews
- Opioids
- Oregon
- Overboarding
- Overtime
- Overtime Exemptions
- Ownership
- Packaging
- PAGA
- Pandemic
- Patent
- Patent Infringement
- Patents
- Paul T. Moura
- Pay Ratio
- pay-to-play rankings
- Penalty
- Pennsylvania
- Personal and Advertising Injury
- Personal Data
- Personal Information
- Personally Identifiable Information
- Pesticides
- PFAS
- Physical Loss or Damage
- Policy
- price gouging
- Privacy
- Privacy Guidelines
- Privacy Policy
- Privacy Protections
- Prohibition on Sale
- Property Insurance
- Property Rights
- Proposition 65
- Proxy Access
- proxy materials
- Proxy Statements
- Public Companies
- Purdue Pharma
- Randall S. Parks
- Ransomware
- real estate
- Recall
- Recalls
- Regulation
- Regulation S-K
- Restaurants
- Restrictive Covenants
- Retail
- Retail Development
- Retail Industry Leaders Association
- Retail Litigation Center
- Rounding
- Rulemaking
- Ryan A. Glasgow
- Sales Tax
- Scott H. Kimpel
- SD8 coins
- SEC
- SEC Disclosure
- Second Circuit
- Section 337
- Section 365
- Secure and Fair Enforcement Banking Act of 2019 (“SAFE Banking Act”)
- Securities
- Securities and Exchange Commission
- Securities and Exchange Commission (SEC)
- security checks
- Senate
- Senate Data Handling Report
- Sergio F. Oehninger
- Service Contract Act (SCA)
- Service Provider
- SHARE
- Shareholder
- Shareholder Proposals
- Slogan
- Smart Contracts
- Social Media
- Social Media Influencers
- Software
- South Carolina
- South Dakota
- Special purpose acquisition companies (SPACs)
- State Attorneys General
- Store Closures
- Subscription Services
- Substantiation
- Substantiation Notice
- Supplier
- Supply Chain
- Supply contracts
- Supreme Court
- Sustainability
- Syed S. Ahmad
- Synovia
- Targeted Advertising
- Tax
- TCCWNA
- TCPA
- Technology
- Telemarketing
- Telephone Consumer Protection Act
- Telephone Consumer Protection Act (TCPA)
- Tempnology LLC
- Tenant
- Tennessee
- Terms and Conditions
- Texas
- the Fair Credit Reporting Act (FCRA)
- Thomas R. Waskom
- Title VII
- tokenization
- tokens
- Toxic Chemicals
- Toxic Substances Control Act
- Toxic Substances Control Act (TSCA)
- Trade Dress
- Trademark
- Trademark Infringement
- Trademark Trial and Appeal Board (TTAB)
- TransUnion
- Travel
- Trump Administration
- TSCA
- TSCA Title VI
- U.S. Department of Justice
- U.S. Department of Labor
- U.S. Food and Drug Administration
- U.S. House of Representatives
- U.S. Patent and Trademark Office
- Umbrella Liability
- Union
- Union Organizing
- United Specialty Insurance Company
- Unmanned Aircraft
- Unruh Civil Rights Act
- UPSTO
- US Chamber of Commerce
- US Customs and Border Protection (CBP)
- US Environmental Protection Agency (EPA)
- US International Trade Commission (ITC)
- US Origin Claims
- US Patent and Trademark Office
- US Patent and Trademark Office (USPTO)
- US Supreme Court
- USDA
- USPTO
- Utah
- Varidesk
- Vermont
- Virginia
- volatile organic compound (VOC) emissions
- W. Jeffery Edwards
- Wage and Hour
- Walter J. Andrews
- Warranties
- Warranty
- Washington
- Washington DC
- Web Accessibility
- Weight Loss
- Wiretapping
- World Health Organization (WHO)
- Wyoming
- Year In Review
- Zoning Regulations
Authors
- Gary A. Abelev
- Alexander Abramenko
- Yaniel Abreu
- Syed S. Ahmad
- Nancy B. Beck, PhD, DABT
- Brandon Bell
- Fawaz A. Bham
- Michael J. “Jack” Bisceglia
- Jeremy S. Boczko
- Brian J. Bosworth
- Shannon S. Broome
- A. Todd Brown, Sr.
- Samuel L. Brown
- Tyler P. Brown
- Melinda Brunger
- Jimmy Bui
- M. Brett Burns
- Olivia G. Bushman
- Matthew J. Calvert
- Grant H. Cokeley
- Abigail Contreras
- Alexandra B. Cunningham
- Merideth Snow Daly
- Javier De Luna
- Timothy G. Decker
- Andrea DeField
- John J. Delionado
- Stephen P. Demm
- Mayme Donohue
- Nicholas Drews
- Christopher J. Dufek
- Robert T. Dumbacher
- M. Kaylan Dunn
- Frederick R. Eames
- Maya M. Eckstein
- Tara L. Elgie
- Clare Ellis
- Latosha M. Ellis
- Juan C. Enjamio
- Kelly L. Faglioni
- Ozzie A. Farres
- Geoffrey B. Fehling
- Hannah Flint
- Erin F. Fonté
- Kevin E. Gaunt
- Andrew G. Geyer
- Armin Ghiam
- Neil K. Gilman
- Ryan A. Glasgow
- Tonya M. Gray
- Aidan Gross
- Elisabeth R. Gunther
- Steven M. Haas
- Kevin Hahm
- Jason W. Harbour
- Jeffrey L. Harvey
- Christopher W. Hasbrouck
- Eileen Henderson
- Gregory G. Hesse
- Kirk A. Hornbeck
- Rachel E. Hudgins
- Sarah Ingles
- Jamie Zysk Isani
- Nicole R. Johnson
- Roland M. Juarez
- Suzan Kern
- Jason J. Kim
- Scott H. Kimpel
- Andrew S. Koelz
- Leslie W. Kostyshak
- Perie Reiko Koyama
- Torsten M. Kracht
- Brad Kuntz
- Kurt G. Larkin
- Tyler S. Laughinghouse
- Matthew Z. Leopold
- Michael S. Levine
- Ashley Lewis
- Abigail M. Lyle
- Maeve Malik
- Phyllis H. Marcus
- Eric R. Markus
- Brandon Marvisi
- John Gary Maynard, III
- Gray Moeller
- Reilly C. Moore
- Michael D. Morfey
- Ann Marie Mortimer
- Michael J. Mueller
- J. Drei Munar
- Marcus E. Nelson
- Matthew Nigriny
- Justin F. Paget
- Christopher M. Pardo
- Randall S. Parks
- Katherine C. Pickens
- Gregory L. Porter
- Kurt A. Powell
- Robert T. Quackenboss
- D. Andrew Quigley
- Michael Reed
- Shawn Patrick Regan
- Jonathan D. Reichman
- Kelli Regan Rice
- Patrick L. Robson
- Amber M. Rogers
- Natalia San Juan
- Katherine P. Sandberg
- Arthur E. Schmalz
- Daniel G. Shanley
- Madison W. Sherrill
- Kevin V. Small
- J.R. Smith
- Bennett Sooy
- Daniel Stefany
- Katherine Tanzola
- Javaneh S. Tarter
- Jessica N. Vara
- Emily Burkhardt Vicente
- Mark R. Vowell
- Gregory R. Wall
- Thomas R. Waskom
- Malcolm C. Weiss
- Holly H. Williamson
- Samuel Wolff
- Steven L. Wood
- Jingyi “Alice” Yao
- Jessica G. Yeshman