Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently entered into a settlement agreement with SkyMed International, Inc. The company sells travel emergency plans to individuals who sustain medical emergencies or injuries while traveling internationally, and has signed up, according to the FTC, thousands of consumers. During the sign-up process, individuals provided the company with sensitive health information.
The FTC found that SkyMed misled consumers into thinking that a government agency or other third party had reviewed SkyMed's services by placing a "HIPAA compliance seal" on the SkyMed site, when in fact no third party had reviewed the company's practices, much less determined that SkyMed's practices met the requirements of HIPAA. The FTC also found that the company had engaged in unfair practices by failing to properly secure customer information, which led to the exposure of a cloud database containing 130,000 consumers' health information. Upon learning of the exposure, SkyMed did notify impacted individuals. According to the FTC, however, the notice falsely stated that no medical information was impacted and that no information had been accessed by an unauthorized third party, when in fact the company's investigations did not substantiate either of these claims.
The FTC alleged that the exposure occurred because SkyMed had failed to implement reasonable security controls to protect personal information. Of concern to the FTC was the fact that SkyMed had no written information security policies; it stored consumer PII in plain text without adequate access controls; it failed to perform periodic risk assessments; and it did not adequately train employees or third-party contractors. While SkyMed did not admit to the allegations in the FTC's complaint, it did agree as part of the recent settlement to:
- Not further misrepresent its privacy or security program.
- Provide an update notice to affected consumers regarding the unsecured cloud database.
- Implement a comprehensive information security program.
- Obtain initial and biennial assessments of its information security program for 20 years.
- Certify annually to the FTC regarding its information security program.
- Report any future breach of personal information to FTC within 30 days of discovery.
Putting it Into Practice: This settlement is a caution for companies to take care when putting together breach notification letters, as the statements made in those notices will be closely scrutinized. This settlement also serves as a reminder for companies to examine their data security practices and to keep in mind the elements that the FTC views as reasonable, as well as to avoid making statements, or using "seals," that might be viewed as misleading and deceptive.