SkyMed International, Inc.; Analysis To Aid Public Comment, 83961-83963 [2020-28262]
Federal Register / Vol. 85, No. 247 / Wednesday, December 23, 2020 / Notices
federal law that is backed up with strong tools to both seek redress and penalties. By partnering with a state enforcer, the Commission can dramatically improve its data security actions—ensuring that there is compensation for victims and consequences for wrongdoing.[19]
Unfortunately, the FTC almost never invites state regulators, particularly state banking regulators with significant expertise, to join our investigations and enforcement actions to obtain additional relief when it comes to data protection. This must change.
Conclusion
We should all be unconvinced that chasing after dangerous data breaches and resolving them without any redress or penalties is an effective strategy. Making matters worse, holding a "company" accountable that is really just an extension of a financial firm might allow our order to be completely ignored. After this settlement, Ascension could "fold," and the Rocktop family of companies can reconstitute it, escaping any obligations under the order.[20]
The FTC is currently considering changes to its rule on safeguarding consumer financial information.[21] But we also need to rethink our enforcement strategy. Our go-it-alone strategy is doing nothing for breach victims and little to deter, and our two-track approach to unfairness is penalizing small companies while giving a pass to financial firms like Rocktop. For these reasons, I respectfully dissent.
[FR Doc. 2020–28407 Filed 12–22–20; 8:45 am]
BILLING CODE 6750–01–P
[19] In addition to having unfairness jurisdiction, many state enforcers have their own versions of the Safeguards Rule. See, e.g., Industry Guidance Re: Standards for Safeguarding Customer Information and Regulation 173, New York State Dep’t of Fin. Serv., https://www.dfs.ny.gov/insurance/ogco2002/rg204021.htm.
[20] For context, public information indicates that there are seven companies with interrelated officers or agents currently active, including "Reidpin LLC," "Reidpin, LLC," "Reidpin Investments, LLC," "Reidpin Rocktop 1, LLC," "Reidpin Rocktop III, LLC," "Reidpin Rocktop IV, LLC," "Reidpin Rocktop V, LLC" founded in 2011, 2014, 2015, 2016, two in 2017, and one in 2018. There are two other entities with these characteristics which appear to have folded. https://opencorporates.com/companies?q=REIDPIN%2C+LLC.
[21] Fed. Trade Comm’n., Standards on Safeguarding Customer Information, 84 FR 13158 (Apr. 4, 2019), https://www.federalregister.gov/documents/2019/04/04/2019-04981/standards-for-safeguarding-customer-information.
FEDERAL TRADE COMMISSION
[File No. 192 3140]
SkyMed International, Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement; Request for Comment.
SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
DATES: Comments must be received on or before January 22, 2021.
ADDRESSES: Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write "SkyMed International, Inc.; File No. 192 3140" on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Miles Plant (202–326–2526), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC website at this web address: https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 22, 2021. Write "SkyMed International, Inc.; File No. 192 3140" on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
Because of the public health emergency in response to the COVID–19 pandemic and the agency’s heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website.
If you prefer to file your comment on paper, write "SkyMed International, Inc.; File No. 192 3140" on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any "trade secret or any commercial or financial information which . . . is privileged or confidential"—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled "Confidential," and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.
Visit the FTC website at https://www.ftc.gov to read this Notice and the news release describing the proposed settlement. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before January 22, 2021. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission ("Commission") has accepted, subject to final approval, an agreement containing a consent order from SkyMed International, Inc., also doing business as SkyMed Travel and Car Rental Pro ("SkyMed"). The proposed consent order ("Proposed Order") has been placed on the public record for thirty days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty days, the Commission again will review the agreement and the comments received, and will decide whether it should withdraw from the agreement or make final the agreement’s Proposed Order.
SkyMed is a Nevada corporation with its principal place of business in Arizona. SkyMed provides emergency travel membership plans that cover travel and medical evacuation services for members who sustain serious illnesses or injuries during travel in certain geographic areas. SkyMed has thousands of members. In applying for a membership, a consumer provides his or her name, date of birth, sex, home address, email address, phone number, emergency contact information, passport number, payment card information, a list of prescribed medications and medical conditions, and a list of all hospitalizations in the previous six months.
The Commission’s proposed three-count complaint alleges that SkyMed violated Section 5(a) of the Federal Trade Commission Act by engaging in both unfair and deceptive acts or practices.
First, the proposed complaint alleges that SkyMed engaged in a number of unreasonable security practices that led to the exposure of a cloud database containing approximately 130,000 membership records with consumers’ personal information stored in plain text. Specifically, the proposed complaint alleges that SkyMed:
• Failed to develop, implement, or maintain written organizational information security standards, policies, procedures, or practices;
• failed to provide adequate guidance or training for employees or contractors regarding information security and safeguarding consumers’ personal information;
• stored consumers’ personal information on SkyMed’s network and databases in plain text, without reasonable data access controls or authentication protections;
• failed to assess the risks to the personal information stored on its network and databases, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network and databases;
• failed to have a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on SkyMed’s network that is no longer necessary; and
• failed to use data loss prevention tools to regularly monitor for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside of SkyMed’s network boundaries.
The proposed complaint alleges SkyMed could have addressed each of these failures by implementing readily available and relatively low-cost security measures. The proposed complaint alleges that SkyMed’s failures caused or are likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practice constitutes an unfair act or practice under Section 5 of the FTC Act.
Second, the proposed complaint alleges that SkyMed engaged in a deceptive act when it notified current and former members about the database exposure. In an email to customers, SkyMed represented that it had investigated the incident and learned that no consumer health information had been exposed in the incident, and that no one had misused the information. In reality, SkyMed did not examine the information stored in the cloud database, identify the consumers placed at risk by the exposure, or look for evidence of unauthorized access to the database. Rather, it merely identified the database and deleted it.
Third, the proposed complaint alleges that SkyMed engaged in a deceptive practice by displaying a seal on every page of its website that attested to its purported compliance with the Health Insurance Portability and Accountability Act, a statute that sets forth privacy and information security protections for health data. SkyMed’s display of the seal signaled to consumers that a government agency or other third party had determined that SkyMed’s information practices met HIPAA’s requirements. The truth is that no government agency or other third party reviewed SkyMed’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.
The Proposed Order contains injunctive relief addressing the alleged unfair and deceptive conduct.
Part I prohibits SkyMed from making false or deceptive statements regarding: (1) the extent to which it is a member of, complies with, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or third party; (2) the extent of any data security incident involving consumers’ personal information; (3) the extent of any investigation, and the results thereof, relating to a data security incident; (4) the extent to which SkyMed collects, maintains, uses, discloses, deletes, or permits or denies access to consumers’ personal information; and (5) the extent to which SkyMed otherwise protects the privacy, security, availability, confidentiality, or integrity of consumers’ personal information.
Part II requires that SkyMed provide notice to all consumers that it previously emailed concerning the database exposure that their personal information, including potentially their health information, may have been exposed in the incident. Part III requires SkyMed to establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of consumers’ personal information.
Part IV requires SkyMed to obtain initial and biennial data security assessments for twenty years. Part V of the Proposed Order requires SkyMed to disclose all material facts to the assessor and prohibits SkyMed from misrepresenting any fact material to the assessments required by Part IV.
Part VI requires SkyMed to submit an annual certification from a senior corporate manager (or senior officer responsible for its information security program) that SkyMed has implemented the requirements of the Order and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission. Part VII requires SkyMed to notify the Commission any time (1) it is required to make a notification to a federal, state, or local government that personal information has been breached or disclosed, or (2) individually identifiable health information from or about a consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.
Parts VIII through XI are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring SkyMed to provide information or documents necessary for the Commission to monitor compliance. Part XII states that the Proposed Order will remain in effect for twenty years, with certain exceptions.
The purpose of this analysis is to aid public comment on the Proposed Order. It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order’s terms.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020–28262 Filed 12–22–20; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Disease Control and Prevention
Solicitation of Nominations for Appointment to the Advisory Committee on Breast Cancer in Young Women (ACBCYW)
ACTION: Notice.
SUMMARY: The Centers for Disease Control and Prevention (CDC) is seeking nominations for membership on the ACBCYW. The ACBCYW consists of 15 experts in fields associated with breast cancer, disease prevention, early detection, diagnosis, public health, social marketing, genetic screening and counseling, treatment, rehabilitation, palliative care, and survivorship in young women, or in related disciplines with a specific focus on young women.
DATES: Nominations for membership on the ACBCYW must be received no later than March 12, 2021. Packages received after this time will not be considered for the current membership cycle.
ADDRESSES: All nominations should be mailed to Jeremy McCallister, c/o ACBCYW Secretariat, Centers for Disease Control and Prevention, 3719 North Peachtree Road, Building 100, Chamblee, Georgia 30341, or emailed (recommended) to acbcyw@cdc.gov.
FOR FURTHER INFORMATION CONTACT: Jeremy McCallister, Designated Federal Officer, National Center for Chronic Disease Prevention and Health Promotion, CDC, 4770 Buford Highway NE, Mailstop F–76, Atlanta, Georgia 30341, Telephone: 404–639–7989; Email: acbcyw@cdc.gov.
SUPPLEMENTARY INFORMATION: Nominations are being sought for individuals who have expertise and qualifications necessary to contribute to the accomplishments of the committee’s objectives. Nominees will be selected based on expertise in the fields of breast health, breast cancer, disease prevention and risk reduction, survivorship (including metastatic breast cancer), hereditary breast and ovarian cancer (HBOC), or in related disciplines with a specific focus on young women. Persons with personal experience with early onset breast cancer are also eligible to apply. This includes but may not be limited to breast cancer survivors <45 years of age and caregivers of said persons. Federal employees will not be considered for membership. Members may be invited to serve up to four-year terms. Election of members is based on candidates’ qualifications to contribute to the accomplishment of ACBCYW objectives (https://www.cdc.gov/faca/committees/acbcyw.html).
The U.S. Department of Health and Human Services policy stipulates that committee membership be balanced in terms of points of view represented, and the committee’s function. Appointments shall be made without discrimination on the basis of age, race, ethnicity, gender, sexual orientation, gender identity, HIV status, disability, and cultural, religious, or socioeconomic status. Nominees must be U.S. citizens, and cannot be full-time employees of the U.S. Government. Current participation on federal workgroups or prior experience serving on a federal advisory committee does not disqualify a candidate; however, HHS policy is to avoid excessive individual service on advisory committees and multiple committee memberships. Committee members are Special Government Employees, requiring the filing of financial disclosure reports at the beginning and annually during their terms. CDC reviews potential candidates for ACBCYW membership each year and provides a slate of nominees for consideration to the Secretary of HHS for final selection. HHS notifies selected candidates of their appointment near the start of the term in November 2021, or as soon as the HHS selection process is completed. Note that the need for different expertise varies from year to year and a candidate who is not selected in one year may be reconsidered in a subsequent year.
Nominees must be U.S. citizens, and cannot be full-time employees of the U.S. Government. Candidates should submit the following items:
• Current curriculum vitae, including complete contact information (telephone numbers, mailing address, email address)
• At least one letter of recommendation from person(s) not employed by the U.S. Department of Health and Human Services. (Candidates may submit letter(s) from current HHS employees if they wish, but at least one letter must be submitted by a person not employed by an HHS agency (e.g., CDC, NIH, FDA, etc.).)
Nominations may be submitted by the candidate him- or herself, or by the person/organization recommending the candidate.
The Director, Strategic Business Initiatives Unit, Office of the Chief Operating Officer, Centers for Disease Control and Prevention, has been delegated the authority to sign Federal Register notices pertaining to announcements of meetings and other committee management activities, for both the Centers for Disease Control and Prevention and the Agency for Toxic Substances and Disease Registry.
Kalwant Smagh,
Director, Strategic Business Initiatives Unit,
Office of the Chief Operating Officer, Centers
for Disease Control and Prevention.
[FR Doc. 2020–28380 Filed 12–22–20; 8:45 am]
BILLING CODE 4163–18–P
consumers' personal information; and (5) the extent to which SkyMed
otherwise protects the privacy, security, availability,
confidentiality, or integrity of consumers' personal information.
Part II requires that SkyMed provide notice to all consumers that
it previously emailed concerning the database exposure that their
personal information, including potentially their health information,
may have been exposed in the incident. Part III requires SkyMed to establish and
implement, and thereafter maintain, a comprehensive information
security program that protects the security, confidentiality, and
integrity of consumers' personal information.
Part IV requires SkyMed to obtain initial and biennial data
security assessments for twenty years. Part V of the Proposed Order
requires SkyMed to disclose all material facts to the assessor and
prohibits SkyMed from misrepresenting any fact material to the
assessments required by Part IV.
Part VI requires SkyMed to submit an annual certification from a
senior corporate manager (or senior officer responsible for its
information security program) that SkyMed has implemented the
requirements of the Order and is not aware of any material
noncompliance that has not been corrected or disclosed to the
Commission. Part VII requires SkyMed to notify the Commission any time
(1) it is required to make a notification to a federal, state, or local
government that personal information has been breached or disclosed, or
(2) individually identifiable health information from or about a
consumer was, or is reasonably believed to have been, accessed,
acquired, or publicly exposed without authorization.
Parts VIII through XI are reporting and compliance provisions,
which include recordkeeping requirements and provisions requiring
SkyMed to provide information or documents necessary for the Commission
to monitor compliance. Part XII states that the Proposed Order will
remain in effect for twenty years, with certain exceptions.
The purpose of this analysis is to aid public comment on the
Proposed Order. It is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify in any
way the Proposed Order's terms.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-28262 Filed 12-22-20; 8:45 am]
BILLING CODE 6750-01-P