2020-28262. SkyMed International, Inc.; Analysis To Aid Public Comment  

    AGENCY:

    Federal Trade Commission.

    ACTION:

    Proposed Consent Agreement; Request for Comment.

    SUMMARY:

    The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

    DATES:

    Comments must be received on or before January 22, 2021.

    ADDRESSES:

    Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “SkyMed International, Inc.; File No. 192 3140” on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

    FOR FURTHER INFORMATION CONTACT:

    Miles Plant (202-326-2526), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

    SUPPLEMENTARY INFORMATION:

    Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC website at this web address: https://www.ftc.gov/news-events/commission-actions.

    You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 22, 2021. Write “SkyMed International, Inc.; File No. 192 3140” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

    Because of the public health emergency in response to the COVID-19 pandemic and the agency's heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website.

    If you prefer to file your comment on paper, write “SkyMed International, Inc.; File No. 192 3140” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

    Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

    Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

    Visit the FTC website at http://www.ftc.gov to read this Notice and the news release describing the proposed settlement. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before January 22, 2021. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (“Commission”) has accepted, subject to final approval, an agreement containing a consent order from SkyMed International, Inc., also doing business as SkyMed Travel and Car Rental Pro (“SkyMed”). The proposed consent order (“Proposed Order”) has been placed on the public record for thirty days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty days, the Commission again will review the agreement and the comments received, and will decide whether it should withdraw from the agreement or make final the agreement's Proposed Order.

    SkyMed is a Nevada corporation with its principal place of business in Arizona. SkyMed provides emergency travel membership plans that cover travel and medical evacuation services for members who sustain serious illnesses or injuries during travel in certain geographic areas. SkyMed has thousands of members. In applying for a membership, a consumer provides his or her name, date of birth, sex, home address, email address, phone number, emergency contact information, passport number, payment card information, a list of prescribed medications and medical conditions, and a list of all hospitalizations in the previous six months.

    The Commission's proposed three-count complaint alleges that SkyMed violated Section 5(a) of the Federal Trade Commission Act by engaging in both unfair and deceptive acts or practices.

    First, the proposed complaint alleges that SkyMed engaged in a number of unreasonable security practices that led to the exposure of a cloud database containing approximately 130,000 membership records with consumers' personal information stored in plain text. Specifically, the proposed complaint alleges that SkyMed:

    • Failed to develop, implement, or maintain written organizational information security standards, policies, procedures, or practices;
    • failed to provide adequate guidance or training for employees or contractors regarding information security and safeguarding consumers' personal information;
    • stored consumers' personal information on SkyMed's network and databases in plain text, without reasonable data access controls or authentication protections;
    • failed to assess the risks to the personal information stored on its network and databases, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network and databases;
    • failed to have a policy, procedure, or practice for inventorying and deleting consumers' personal information stored on SkyMed's network that is no longer necessary; and
    • failed to use data loss prevention tools to regularly monitor for unauthorized attempts to transfer or exfiltrate consumers' personal information outside of SkyMed's network boundaries.

    The proposed complaint alleges SkyMed could have addressed each of these failures by implementing readily available and relatively low-cost security measures. The proposed complaint alleges that SkyMed's failures caused or are likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practice constitutes an unfair act or practice under Section 5 of the FTC Act.

    Second, the proposed complaint alleges that SkyMed engaged in a deceptive act when it notified current and former members about the database exposure. In an email to customers, SkyMed represented that it had investigated the incident and learned that no consumer health information had been exposed in the incident, and that no one had misused the information. In reality, SkyMed did not examine the information stored in the cloud database, identify the consumers placed at risk by the exposure, or look for evidence of unauthorized access to the database. Rather, it merely identified the database and deleted it.

    Third, the proposed complaint alleges that SkyMed engaged in a deceptive practice by displaying a seal on every page of its website that attested to its purported compliance with the Health Insurance Portability and Accountability Act, a statute that sets forth privacy and information security protections for health data. SkyMed's display of the seal signaled to consumers that a government agency or other third party had determined that SkyMed's information practices met HIPAA's requirements. The truth is that no government agency or other third party reviewed SkyMed's information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.

    The Proposed Order contains injunctive relief addressing the alleged unfair and deceptive conduct.

    Part I prohibits SkyMed from making false or deceptive statements regarding: (1) The extent to which it is a member of, complies with, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or third party; (2) the extent of any data security incident involving consumers' personal information; (3) the extent of any investigation, and the results thereof, relating to a data security incident; (4) the extent to which SkyMed collects, maintains, uses, discloses, deletes, or permits or denies access to consumers' personal information; and (5) the extent to which SkyMed otherwise protects the privacy, security, availability, confidentiality, or integrity of consumers' personal information.

    Part II requires that SkyMed provide notice to all consumers that it previously emailed concerning the database exposure that their personal information, including potentially their health information, may have been exposed in the incident. Part III requires SkyMed to establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of consumers' personal information.

    Part IV requires SkyMed to obtain initial and biennial data security assessments for twenty years. Part V of the Proposed Order requires SkyMed to disclose all material facts to the assessor and prohibits SkyMed from misrepresenting any fact material to the assessments required by Part IV.

    Part VI requires SkyMed to submit an annual certification from a senior corporate manager (or senior officer responsible for its information security program) that SkyMed has implemented the requirements of the Order and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission. Part VII requires SkyMed to notify the Commission any time (1) it is required to make a notification to a federal, state, or local government that personal information has been breached or disclosed, or (2) individually identifiable health information from or about a consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.

    Parts VIII through XI are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring SkyMed to provide information or documents necessary for the Commission to monitor compliance. Part XII states that the Proposed Order will remain in effect for twenty years, with certain exceptions.

    The purpose of this analysis is to aid public comment on the Proposed Order. It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order's terms.

    By direction of the Commission.

    April J. Tabor,

    Acting Secretary.

    [FR Doc. 2020-28262 Filed 12-22-20; 8:45 am]

    BILLING CODE 6750-01-P

Document Information

Published:
12/23/2020
Department:
Federal Trade Commission
Entry Type:
Notice
Action:
Proposed Consent Agreement; Request for Comment.
Document Number:
2020-28262
Dates:
Comments must be received on or before January 22, 2021.
Pages:
83961-83963 (3 pages)
Docket Numbers:
File No. 192 3140
PDF File:
2020-28262.pdf
Supporting Documents:
Proposed Consent Agreement: SkyMed International, Inc.