SkyMed International, Inc.; Analysis To Aid Public Comment, 83961-83963 [2020-28262]

Download as PDF Federal Register / Vol. 85, No. 247 / Wednesday, December 23, 2020 / Notices federal law that is backed up with strong tools to both seek redress and penalties. By partnering with a state enforcer, the Commission can dramatically improve its data security actions—ensuring that there is compensation for victims and consequences for wrongdoing.19 Unfortunately, the FTC almost never invites state regulators, particularly state banking regulators with significant expertise, to join our investigations and enforcement actions to obtain additional relief when it comes to data protection. This must change. Conclusion We should all be unconvinced that chasing after dangerous data breaches and resolving them without any redress or penalties is an effective strategy. Making matters worse, holding a ‘‘company’’ accountable that is really just an extension of a financial firm might allow our order to be completely ignored. After this settlement, Ascension could ‘‘fold,’’ and the Rocktop family of companies can reconstitute it, escaping any obligations under the order.20 The FTC is currently considering changes to its rule on safeguarding consumer financial information.21 But we also need to rethink our enforcement strategy. Our go-it-alone strategy is doing nothing for breach victims and little to deter, and our two-track approach to unfairness is penalizing small companies while giving a pass to financial firms like Rocktop. For these reasons, I respectfully dissent. [FR Doc. 2020–28407 Filed 12–22–20; 8:45 am] jbell on DSKJLSW7X2PROD with NOTICES BILLING CODE 6750–01–P 19 In addition to having unfairness jurisdiction, many state enforcers have their own versions of the Safeguards Rule. See, e.g., Industry Guidance Re: Standards for Safeguarding Customer Information and Regulation 173, New York State Dep’t of Fin. Serv., https://www.dfs ny.gov/insurance/ogco2002/ rg204021.htm. 20 For context, public information indicates that there are seven companies with interrelated officers or agents currently active, including ‘‘Reidpin LLC,’’ ‘‘Reidpin, LLC,’’ ‘‘Reidpin Investments, LLC,’’ Reidpin Rocktop 1, LLC,’’ ‘‘Reidpin Rocktop III, LLC,’’ ‘‘Reidpin Rocktop IV, LLC,’’ ‘‘Reidpin Rocktop V, LLC’’ founded in 2011, 2014, 2015, 2016, two in 2017, and one in 2018. There are two other entities with these characteristics which appear to have folded. https://opencorporates.com/ companies?q=REIDPIN%2C+LLC. 21 Fed. Trade Comm’n., Standards on Safeguarding Customer Information, 84 FR 13158 (Apr. 4, 2019), https://wwwfederalregister.gov/ documents/2019/04/04/2019-04981/standards-forsafeguarding-customer-information. VerDate Sep<11>2014 21:21 Dec 22, 2020 Jkt 253001 FEDERAL TRADE COMMISSION [File No. 192 3140] SkyMed International, Inc.; Analysis To Aid Public Comment Federal Trade Commission. Proposed Consent Agreement; Request for Comment. AGENCY: ACTION: SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations. DATES: Comments must be received on or before January 22, 2021. ADDRESSES: Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write ‘‘SkyMed International, Inc.; File No. 192 3140’’ on your comment, and file your comment online at https:// www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Miles Plant (202–326–2526), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC website at this web address: https:// PO 00000 Frm 00079 Fmt 4703 Sfmt 4703 83961 www.ftc.gov/news-events/commissionactions. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 22, 2021. Write ‘‘SkyMed International, Inc.; File No. 192 3140’’ on your comment. Your comment— including your name and your state— will be placed on the public record of this proceeding, including, to the extent practicable, on the https:// www.regulations.gov website. Because of the public health emergency in response to the COVID–19 pandemic and the agency’s heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write ‘‘SkyMed International, Inc.; File No. 192 3140’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, E:\FR\FM\23DEN1.SGM 23DEN1 83962 Federal Register / Vol. 85, No. 247 / Wednesday, December 23, 2020 / Notices jbell on DSKJLSW7X2PROD with NOTICES patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https:// www.regulations.gov website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. Visit the FTC website at http:// www.ftc.gov to read this Notice and the news release describing the proposed settlement. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before January 22, 2021. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/ site-information/privacy-policy. Analysis of Proposed Consent Order To Aid Public Comment The Federal Trade Commission (‘‘Commission’’) has accepted, subject to final approval, an agreement containing a consent order from SkyMed International, Inc., also doing business as SkyMed Travel and Car Rental Pro (‘‘SkyMed’’). The proposed consent order (‘‘Proposed Order’’) has been placed on the public record for thirty days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty days, the Commission again will review the agreement and the comments received, and will decide whether it should withdraw from the agreement or make final the agreement’s Proposed Order. SkyMed is a Nevada corporation with its principal place of business in Arizona. SkyMed provides emergency travel membership plans that cover travel and medical evacuation services for members who sustain serious VerDate Sep<11>2014 21:21 Dec 22, 2020 Jkt 253001 illnesses or injuries during travel in certain geographic areas. SkyMed has thousands of members. In applying for a membership, a consumer provides his or her name, date of birth, sex, home address, email address, phone number, emergency contact information, passport number, payment card information, a list of prescribed medications and medical conditions, and a list of all hospitalizations in the previous six months. The Commission’s proposed threecount complaint alleges that SkyMed violated Section 5(a) of the Federal Trade Commission Act by engaging in both unfair and deceptive acts or practices. First, the proposed complaint alleges that SkyMed engaged in a number of unreasonable security practices that led to the exposure of a cloud database containing approximately 130,000 membership records with consumers’ personal information stored in plain text. Specifically, the proposed complaint alleges that SkyMed: • Failed to develop, implement, or maintain written organizational information security standards, policies, procedures, or practices; • failed to provide adequate guidance or training for employees or contractors regarding information security and safeguarding consumers’ personal information; • stored consumers’ personal information on SkyMed’s network and databases in plain text, without reasonable data access controls or authentication protections; • failed to assess the risks to the personal information stored on its network and databases, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network and databases; • failed to have a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on SkyMed’s network that is no longer necessary; and • failed to use data loss prevention tools to regularly monitor for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside of SkyMed’s network boundaries. The proposed complaint alleges SkyMed could have addressed each of these failures by implementing readily available and relatively low-cost security measures. The proposed complaint alleges that SkyMed’s failures caused or are likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not PO 00000 Frm 00080 Fmt 4703 Sfmt 4703 reasonably avoidable by consumers themselves. Such practice constitutes an unfair act or practice under Section 5 of the FTC Act. Second, the proposed complaint alleges that SkyMed engaged in a deceptive act when it notified current and former members about the database exposure. In an email to customers, SkyMed represented that it had investigated the incident and learned that no consumer health information had been exposed in the incident, and that no one had misused the information. In reality, SkyMed did not examine the information stored in the cloud database, identify the consumers placed at risk by the exposure, or look for evidence of unauthorized access to the database. Rather, it merely identified the database and deleted it. Third, the proposed complaint alleges that SkyMed engaged in a deceptive practice by displaying a seal on every page of its website that attested to its purported compliance with the Health Insurance Portability and Accountability Act, a statute that sets forth privacy and information security protections for health data. SkyMed’s display of the seal signaled to consumers that a government agency or other third party had determined that SkyMed’s information practices met HIPAA’s requirements. The truth is that no government agency or other third party reviewed SkyMed’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA. The Proposed Order contains injunctive relief addressing the alleged unfair and deceptive conduct. Part I prohibits SkyMed from making false or deceptive statements regarding: (1) The extent to which it is a member of, complies with, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or third party; (2) the extent of any data security incident involving consumers’ personal information; (3) the extent of any investigation, and the results thereof, relating to a data security incident; (4) the extent to which SkyMed collects, maintains, uses, discloses, deletes, or permits or denies access to consumers’ personal information; and (5) the extent to which SkyMed otherwise protects the privacy, security, availability, confidentiality, or integrity of consumers’ personal information. Part II requires that SkyMed provide notice to all consumers that it previously emailed concerning the database exposure that their personal information, including potentially their health information, may have been E:\FR\FM\23DEN1.SGM 23DEN1 Federal Register / Vol. 85, No. 247 / Wednesday, December 23, 2020 / Notices exposed in the incident. Part III requires SkyMed to establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of consumers’ personal information. Part IV requires SkyMed to obtain initial and biennial data security assessments for twenty years. Part V of the Proposed Order requires SkyMed to disclose all material facts to the assessor and prohibits SkyMed from misrepresenting any fact material to the assessments required by Part IV. Part VI requires SkyMed to submit an annual certification from a senior corporate manager (or senior officer responsible for its information security program) that SkyMed has implemented the requirements of the Order and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission. Part VII requires SkyMed to notify the Commission any time (1) it is required to make a notification to a federal, state, or local government that personal information has been breached or disclosed, or (2) individually identifiable health information from or about a consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization. Parts VIII through XI are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring SkyMed to provide information or documents necessary for the Commission to monitor compliance. Part XII states that the Proposed Order will remain in effect for twenty years, with certain exceptions. The purpose of this analysis is to aid public comment on the Proposed Order. It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order’s terms. By direction of the Commission. April J. Tabor, Acting Secretary. [FR Doc. 2020–28262 Filed 12–22–20; 8:45 am] BILLING CODE 6750–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES jbell on DSKJLSW7X2PROD with NOTICES Centers for Disease Control and Prevention Solicitation of Nominations for Appointment to the Advisory Committee on Breast Cancer in Young Women (ACBCYW) ACTION: Notice. VerDate Sep<11>2014 21:21 Dec 22, 2020 Jkt 253001 SUMMARY: The Centers for Disease Control and Prevention (CDC) is seeking nominations for membership on the ACBCYW. The ACBCYW consists of 15 experts in fields associated with breast cancer, disease prevention, early detection, diagnosis, public health, social marketing, genetic screening and counseling, treatment, rehabilitation, palliative care, and survivorship in young women, or in related disciplines with a specific focus on young women. DATES: Nominations for membership on the ACBCYW must be received no later than March 12, 2021. Packages received after this time will not be considered for the current membership cycle. ADDRESSES: All nominations should be mailed to Jeremy McCallister, c/o ACBCYW Secretariat, Centers for Disease Control and Prevention, 3719 North Peachtree Road, Building 100 Chamblee, Georgia 30341, or emailed (recommended) to acbcyw@cdc.gov. FOR FURTHER INFORMATION CONTACT: Jeremy McCallister, Designated Federal Officer, National Center for Chronic Disease Prevention and Health Promotion, CDC, 4770 Buford Highway NE, Mailstop F–76, Atlanta, Georgia 30341, Telephone: 404–639–7989; Email: acbcyw@cdc.gov. SUPPLEMENTARY INFORMATION: Nominations are being sought for individuals who have expertise and qualifications necessary to contribute to the accomplishments of the committee’s objectives. Nominees will be selected based on expertise in the fields of breast health, breast cancer, disease prevention and risk reduction, survivorship (including metastatic breast cancer), hereditary breast and ovarian cancer (HBOC), or in related disciplines with a specific focus on young women. Persons with personal experience with early onset breast cancer are also eligible to apply. This includes but may not be limited to breast cancer survivors <45 years of age and caregivers of said persons. Federal employees will not be considered for membership. Members may be invited to serve up to four-year terms. Election of members is based on candidates’ qualifications to contribute to the accomplishment of ACBCYW objectives (https://www.cdc.gov/faca/ committees/acbcyw.html). The U.S. Department of Health and Human Services policy stipulates that committee membership be balanced in terms of points of view represented, and the committee’s function. Appointments shall be made without discrimination on the basis of age, race, ethnicity, gender, sexual orientation, gender identity, HIV status, disability, and cultural, religious, or socioeconomic PO 00000 Frm 00081 Fmt 4703 Sfmt 9990 83963 status. Nominees must be U.S. citizens, and cannot be full-time employees of the U.S. Government. Current participation on federal workgroups or prior experience serving on a federal advisory committee does not disqualify a candidate; however, HHS policy is to avoid excessive individual service on advisory committees and multiple committee memberships. Committee members are Special Government Employees, requiring the filing of financial disclosure reports at the beginning and annually during their terms. CDC reviews potential candidates for ACBCYW membership each year and provides a slate of nominees for consideration to the Secretary of HHS for final selection. HHS notifies selected candidates of their appointment near the start of the term in November 2021, or as soon as the HHS selection process is completed. Note that the need for different expertise varies from year to year and a candidate who is not selected in one year may be reconsidered in a subsequent year. Nominees must be U.S. citizens, and cannot be full-time employees of the U.S. Government. Candidates should submit the following items: D Current curriculum vitae, including complete contact information (telephone numbers, mailing address, email address) D At least one letter of recommendation from person(s) not employed by the U.S. Department of Health and Human Services. (Candidates may submit letter(s) from current HHS employees if they wish, but at least one letter must be submitted by a person not employed by an HHS agency (e.g., CDC, NIH, FDA, etc.). Nominations may be submitted by the candidate him- or herself, or by the person/organization recommending the candidate. The Director, Strategic Business Initiatives Unit, Office of the Chief Operating Officer, Centers for Disease Control and Prevention, has been delegated the authority to sign Federal Register notices pertaining to announcements of meetings and other committee management activities, for both the Centers for Disease Control and Prevention and the Agency for Toxic Substances and Disease Registry. Kalwant Smagh, Director, Strategic Business Initiatives Unit, Office of the Chief Operating Officer, Centers for Disease Control and Prevention. [FR Doc. 2020–28380 Filed 12–22–20; 8:45 am] BILLING CODE 4163–18–P E:\FR\FM\23DEN1.SGM 23DEN1

Agencies

[Federal Register Volume 85, Number 247 (Wednesday, December 23, 2020)]
[Notices]
[Pages 83961-83963]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-28262]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3140]


SkyMed International, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement; Request for Comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.

DATES:  Comments must be received on or before January 22, 2021.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``SkyMed 
International, Inc.; File No. 192 3140'' on your comment, and file your 
comment online at https://www.regulations.gov by following the 
instructions on the web-based form. If you prefer to file your comment 
on paper, mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Miles Plant (202-326-2526), Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue 
NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC website at this web address: https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 22, 
2021. Write ``SkyMed International, Inc.; File No. 192 3140'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the https://www.regulations.gov website.
    Because of the public health emergency in response to the COVID-19 
pandemic and the agency's heightened security screening, postal mail 
addressed to the Commission will be subject to delay. We strongly 
encourage you to submit your comments online through the https://www.regulations.gov website.
    If you prefer to file your comment on paper, write ``SkyMed 
International, Inc.; File No. 192 3140'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas,

[[Page 83962]]

patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the https://www.regulations.gov website--as legally 
required by FTC Rule 4.9(b)--we cannot redact or remove your comment 
from that website, unless you submit a confidentiality request that 
meets the requirements for such treatment under FTC Rule 4.9(c), and 
the General Counsel grants that request.
    Visit the FTC website at http://www.ftc.gov to read this Notice and 
the news release describing the proposed settlement. The FTC Act and 
other laws that the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
that it receives on or before January 22, 2021. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from SkyMed 
International, Inc., also doing business as SkyMed Travel and Car 
Rental Pro (``SkyMed''). The proposed consent order (``Proposed 
Order'') has been placed on the public record for thirty days for 
receipt of comments by interested persons. Comments received during 
this period will become part of the public record. After thirty days, 
the Commission again will review the agreement and the comments 
received, and will decide whether it should withdraw from the agreement 
or make final the agreement's Proposed Order.
    SkyMed is a Nevada corporation with its principal place of business 
in Arizona. SkyMed provides emergency travel membership plans that 
cover travel and medical evacuation services for members who sustain 
serious illnesses or injuries during travel in certain geographic 
areas. SkyMed has thousands of members. In applying for a membership, a 
consumer provides his or her name, date of birth, sex, home address, 
email address, phone number, emergency contact information, passport 
number, payment card information, a list of prescribed medications and 
medical conditions, and a list of all hospitalizations in the previous 
six months.
    The Commission's proposed three-count complaint alleges that SkyMed 
violated Section 5(a) of the Federal Trade Commission Act by engaging 
in both unfair and deceptive acts or practices.
    First, the proposed complaint alleges that SkyMed engaged in a 
number of unreasonable security practices that led to the exposure of a 
cloud database containing approximately 130,000 membership records with 
consumers' personal information stored in plain text. Specifically, the 
proposed complaint alleges that SkyMed:
     Failed to develop, implement, or maintain written 
organizational information security standards, policies, procedures, or 
practices;
     failed to provide adequate guidance or training for 
employees or contractors regarding information security and 
safeguarding consumers' personal information;
     stored consumers' personal information on SkyMed's network 
and databases in plain text, without reasonable data access controls or 
authentication protections;
     failed to assess the risks to the personal information 
stored on its network and databases, such as by conducting periodic 
risk assessments or performing vulnerability and penetration testing of 
the network and databases;
     failed to have a policy, procedure, or practice for 
inventorying and deleting consumers' personal information stored on 
SkyMed's network that is no longer necessary; and
     failed to use data loss prevention tools to regularly 
monitor for unauthorized attempts to transfer or exfiltrate consumers' 
personal information outside of SkyMed's network boundaries.
    The proposed complaint alleges SkyMed could have addressed each of 
these failures by implementing readily available and relatively low-
cost security measures. The proposed complaint alleges that SkyMed's 
failures caused or are likely to cause substantial injury to consumers 
that is not outweighed by countervailing benefits to consumers or 
competition and is not reasonably avoidable by consumers themselves. 
Such practice constitutes an unfair act or practice under Section 5 of 
the FTC Act.
    Second, the proposed complaint alleges that SkyMed engaged in a 
deceptive act when it notified current and former members about the 
database exposure. In an email to customers, SkyMed represented that it 
had investigated the incident and learned that no consumer health 
information had been exposed in the incident, and that no one had 
misused the information. In reality, SkyMed did not examine the 
information stored in the cloud database, identify the consumers placed 
at risk by the exposure, or look for evidence of unauthorized access to 
the database. Rather, it merely identified the database and deleted it.
    Third, the proposed complaint alleges that SkyMed engaged in a 
deceptive practice by displaying a seal on every page of its website 
that attested to its purported compliance with the Health Insurance 
Portability and Accountability Act, a statute that sets forth privacy 
and information security protections for health data. SkyMed's display 
of the seal signaled to consumers that a government agency or other 
third party had determined that SkyMed's information practices met 
HIPAA's requirements. The truth is that no government agency or other 
third party reviewed SkyMed's information practices for compliance with 
HIPAA, let alone determined that the practices met the requirements of 
HIPAA.
    The Proposed Order contains injunctive relief addressing the 
alleged unfair and deceptive conduct.
    Part I prohibits SkyMed from making false or deceptive statements 
regarding: (1) The extent to which it is a member of, complies with, is 
endorsed by, or otherwise participates in any privacy or security 
program sponsored by a government or third party; (2) the extent of any 
data security incident involving consumers' personal information; (3) 
the extent of any investigation, and the results thereof, relating to a 
data security incident; (4) the extent to which SkyMed collects, 
maintains, uses, discloses, deletes, or permits or denies access to 
consumers' personal information; and (5) the extent to which SkyMed 
otherwise protects the privacy, security, availability, 
confidentiality, or integrity of consumers' personal information.
    Part II requires that SkyMed provide notice to all consumers that 
it previously emailed concerning the database exposure that their 
personal information, including potentially their health information, 
may have been

[[Page 83963]]

exposed in the incident. Part III requires SkyMed to establish and 
implement, and thereafter maintain, a comprehensive information 
security program that protects the security, confidentiality, and 
integrity of consumers' personal information.
    Part IV requires SkyMed to obtain initial and biennial data 
security assessments for twenty years. Part V of the Proposed Order 
requires SkyMed to disclose all material facts to the assessor and 
prohibits SkyMed from misrepresenting any fact material to the 
assessments required by Part IV.
    Part VI requires SkyMed to submit an annual certification from a 
senior corporate manager (or senior officer responsible for its 
information security program) that SkyMed has implemented the 
requirements of the Order and is not aware of any material 
noncompliance that has not been corrected or disclosed to the 
Commission. Part VII requires SkyMed to notify the Commission any time 
(1) it is required to make a notification to a federal, state, or local 
government that personal information has been breached or disclosed, or 
(2) individually identifiable health information from or about a 
consumer was, or is reasonably believed to have been, accessed, 
acquired, or publicly exposed without authorization.
    Parts VIII through XI are reporting and compliance provisions, 
which include recordkeeping requirements and provisions requiring 
SkyMed to provide information or documents necessary for the Commission 
to monitor compliance. Part XII states that the Proposed Order will 
remain in effect for twenty years, with certain exceptions.
    The purpose of this analysis is to aid public comment on the 
Proposed Order. It is not intended to constitute an official 
interpretation of the complaint or Proposed Order, or to modify in any 
way the Proposed Order's terms.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-28262 Filed 12-22-20; 8:45 am]
BILLING CODE 6750-01-P