September 24, 2021

Volume XI, Number 267

FTC Settles with Travel Services Provider Over Security Issues

Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently entered into a settlement agreement with SkyMed International, Inc. The company sells travel emergency plans to individuals who sustain medical emergencies or injuries while traveling internationally and has, according to the FTC, signed up thousands of consumers. During the sign-up process, individuals provided the company with sensitive health information.

The FTC found that SkyMed misled consumers into thinking that a government agency or other third party had reviewed SkyMed’s services by placing a “HIPAA compliance seal” on the SkyMed site, when in fact no third party had reviewed the company’s practices, much less determined that SkyMed’s practices met the requirements of HIPAA. The FTC also found that the company had engaged in unfair practices by failing to properly secure customer information, which led to the exposure of a cloud database containing 130,000 consumers’ health information. Upon learning of the exposure, SkyMed did notify impacted individuals. According to the FTC, however, the notice falsely stated that no medical information was impacted and that no information had been accessed by an unauthorized third party, when in fact the company’s investigation did not substantiate either of these claims.

The FTC alleged that the exposure occurred because SkyMed had failed to implement reasonable security controls to protect personal information. Of concern to the FTC was the fact that SkyMed had no written information security policies; it stored consumer PII in plain text without adequate access controls; it failed to perform periodic risk assessments; and it did not adequately train employees or third-party contractors. While SkyMed did not admit to the allegations in the FTC’s complaint, it did agree as part of the recent settlement to:

  • Not further misrepresent its privacy or security program.

  • Provide an update notice to affected consumers regarding the unsecured cloud database.

  • Implement a comprehensive information security program.

  • Obtain initial and biennial assessments of its information security program for 20 years.

  • Certify annually to the FTC regarding its information security program.

  • Report any future breach of personal information to the FTC within 30 days of discovery.

Putting it Into Practice: This settlement is a caution for companies to take care when putting together breach notification letters, as the statements made in those notices will be scrutinized closely. This settlement also serves as a reminder for companies to examine their data security practices and to keep in mind the elements that the FTC views as reasonable, as well as to avoid making statements, or using “seals”, that might be viewed as misleading and deceptive.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 363

About this Author

Liisa Thomas, Partner, Sheppard Mullin, Chicago (Cybersecurity Law Attorney)

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Elfin Noce, Associate, Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

202.747.2196