[Federal Register Volume 85, Number 247 (Wednesday, December 23, 2020)]
[Notices]
[Pages 83961-83963]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-28262]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3140]


SkyMed International, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement; Request for Comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.

DATES: Comments must be received on or before January 22, 2021.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``SkyMed 
International, Inc.; File No. 192 3140'' on your comment, and file your 
comment online at https://www.regulations.gov by following the 
instructions on the web-based form. If you prefer to file your comment 
on paper, mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Miles Plant (202-326-2526), Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue 
NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC website at this web address: https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 22, 
2021. Write ``SkyMed International, Inc.; File No. 192 3140'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the https://www.regulations.gov website.
    Because of the public health emergency in response to the COVID-19 
pandemic and the agency's heightened security screening, postal mail 
addressed to the Commission will be subject to delay. We strongly 
encourage you to submit your comments online through the https://www.regulations.gov website.
    If you prefer to file your comment on paper, write ``SkyMed 
International, Inc.; File No. 192 3140'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the https://www.regulations.gov website--as legally 
required by FTC Rule 4.9(b)--we cannot redact or remove your comment 
from that website, unless you submit a confidentiality request that 
meets the requirements for such treatment under FTC Rule 4.9(c), and 
the General Counsel grants that request.
    Visit the FTC website at http://www.ftc.gov to read this Notice and 
the news release describing the proposed settlement. The FTC Act and 
other laws that the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
that it receives on or before January 22, 2021. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from SkyMed 
International, Inc., also doing business as SkyMed Travel and Car 
Rental Pro (``SkyMed''). The proposed consent order (``Proposed 
Order'') has been placed on the public record for thirty days for 
receipt of comments by interested persons. Comments received during 
this period will become part of the public record. After thirty days, 
the Commission again will review the agreement and the comments 
received, and will decide whether it should withdraw from the agreement 
or make final the agreement's Proposed Order.
    SkyMed is a Nevada corporation with its principal place of business 
in Arizona. SkyMed provides emergency travel membership plans that 
cover travel and medical evacuation services for members who sustain 
serious illnesses or injuries during travel in certain geographic 
areas. SkyMed has thousands of members. In applying for a membership, a 
consumer provides his or her name, date of birth, sex, home address, 
email address, phone number, emergency contact information, passport 
number, payment card information, a list of prescribed medications and 
medical conditions, and a list of all hospitalizations in the previous 
six months.
    The Commission's proposed three-count complaint alleges that SkyMed 
violated Section 5(a) of the Federal Trade Commission Act by engaging 
in both unfair and deceptive acts or practices.
    First, the proposed complaint alleges that SkyMed engaged in a 
number of unreasonable security practices that led to the exposure of a 
cloud database containing approximately 130,000 membership records with 
consumers' personal information stored in plain text. Specifically, the 
proposed complaint alleges that SkyMed:
    • Failed to develop, implement, or maintain written 
organizational information security standards, policies, procedures, or 
practices;
    • failed to provide adequate guidance or training for 
employees or contractors regarding information security and 
safeguarding consumers' personal information;
    • stored consumers' personal information on SkyMed's network 
and databases in plain text, without reasonable data access controls or 
authentication protections;
    • failed to assess the risks to the personal information 
stored on its network and databases, such as by conducting periodic 
risk assessments or performing vulnerability and penetration testing of 
the network and databases;
    • failed to have a policy, procedure, or practice for 
inventorying and deleting consumers' personal information stored on 
SkyMed's network that is no longer necessary; and
    • failed to use data loss prevention tools to regularly 
monitor for unauthorized attempts to transfer or exfiltrate consumers' 
personal information outside of SkyMed's network boundaries.
    The proposed complaint alleges SkyMed could have addressed each of 
these failures by implementing readily available and relatively low-
cost security measures. The proposed complaint alleges that SkyMed's 
failures caused or are likely to cause substantial injury to consumers 
that is not outweighed by countervailing benefits to consumers or 
competition and is not reasonably avoidable by consumers themselves. 
Such practice constitutes an unfair act or practice under Section 5 of 
the FTC Act.
    Second, the proposed complaint alleges that SkyMed engaged in a 
deceptive act when it notified current and former members about the 
database exposure. In an email to customers, SkyMed represented that it 
had investigated the incident and learned that no consumer health 
information had been exposed in the incident, and that no one had 
misused the information. In reality, SkyMed did not examine the 
information stored in the cloud database, identify the consumers placed 
at risk by the exposure, or look for evidence of unauthorized access to 
the database. Rather, it merely identified the database and deleted it.
    Third, the proposed complaint alleges that SkyMed engaged in a 
deceptive practice by displaying a seal on every page of its website 
that attested to its purported compliance with the Health Insurance 
Portability and Accountability Act, a statute that sets forth privacy 
and information security protections for health data. SkyMed's display 
of the seal signaled to consumers that a government agency or other 
third party had determined that SkyMed's information practices met 
HIPAA's requirements. The truth is that no government agency or other 
third party reviewed SkyMed's information practices for compliance with 
HIPAA, let alone determined that the practices met the requirements of 
HIPAA.
    The Proposed Order contains injunctive relief addressing the 
alleged unfair and deceptive conduct.
    Part I prohibits SkyMed from making false or deceptive statements 
regarding: (1) The extent to which it is a member of, complies with, is 
endorsed by, or otherwise participates in any privacy or security 
program sponsored by a government or third party; (2) the extent of any 
data security incident involving consumers' personal information; (3) 
the extent of any investigation, and the results thereof, relating to a 
data security incident; (4) the extent to which SkyMed collects, 
maintains, uses, discloses, deletes, or permits or denies access to 
consumers' personal information; and (5) the extent to which SkyMed 
otherwise protects the privacy, security, availability, 
confidentiality, or integrity of consumers' personal information.
    Part II requires that SkyMed provide notice to all consumers that 
it previously emailed concerning the database exposure that their 
personal information, including potentially their health information, 
may have been exposed in the incident. Part III requires SkyMed to 
establish and
implement, and thereafter maintain, a comprehensive information 
security program that protects the security, confidentiality, and 
integrity of consumers' personal information.
    Part IV requires SkyMed to obtain initial and biennial data 
security assessments for twenty years. Part V of the Proposed Order 
requires SkyMed to disclose all material facts to the assessor and 
prohibits SkyMed from misrepresenting any fact material to the 
assessments required by Part IV.
    Part VI requires SkyMed to submit an annual certification from a 
senior corporate manager (or senior officer responsible for its 
information security program) that SkyMed has implemented the 
requirements of the Order and is not aware of any material 
noncompliance that has not been corrected or disclosed to the 
Commission. Part VII requires SkyMed to notify the Commission any time 
(1) it is required to make a notification to a federal, state, or local 
government that personal information has been breached or disclosed, or 
(2) individually identifiable health information from or about a 
consumer was, or is reasonably believed to have been, accessed, 
acquired, or publicly exposed without authorization.
    Parts VIII through XI are reporting and compliance provisions, 
which include recordkeeping requirements and provisions requiring 
SkyMed to provide information or documents necessary for the Commission 
to monitor compliance. Part XII states that the Proposed Order will 
remain in effect for twenty years, with certain exceptions.
    The purpose of this analysis is to aid public comment on the 
Proposed Order. It is not intended to constitute an official 
interpretation of the complaint or Proposed Order, or to modify in any 
way the Proposed Order's terms.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-28262 Filed 12-22-20; 8:45 am]
BILLING CODE 6750-01-P