Monday, December 28, 2020
Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently reached a settlement with SkyMed International, Inc. The company sells emergency travel plans to people who experience medical emergencies, illnesses, or injuries while traveling abroad, and has enrolled thousands of consumers. During the registration process, people provided the company with sensitive health information.
The FTC found that SkyMed had misled consumers into believing that a government agency or other third party had reviewed SkyMed's services by placing a "HIPAA Compliance" seal on the SkyMed website, when in fact no third party had reviewed the company's practices at all, let alone determined that SkyMed's practices met HIPAA requirements. The FTC also found that the company had engaged in unfair practices by failing to properly secure customer information, which led to the exposure of a cloud database containing 130,000 records about customers' health. After learning of the exposure, SkyMed notified those affected. According to the FTC, the notice incorrectly stated that no medical information had been affected and that no information had been viewed by an unauthorized third party, when in fact the company's investigation did not substantiate either of these statements.
The FTC alleged that the reason for the exposure was that SkyMed failed to implement reasonable security controls to protect personal information. The FTC was concerned that SkyMed did not have a written information security policy; it stored consumers' personal information in plain text without adequate access controls; it had not conducted periodic risk assessments; and it did not adequately train employees or third-party contractors. Although SkyMed did not admit the allegations of the FTC complaint, it did agree, as part of the settlement, to:
Not further misrepresent its privacy or security program.
Provide an updated notice to affected consumers regarding the unsecured cloud database.
Implement a comprehensive information security program.
Obtain an initial and biennial assessment of its 20-year information security program.
Certify annually to the FTC regarding its information security program.
Report any future personal information breaches to the FTC within 30 days of discovery.
Putting it Into Practice: This action is a warning to companies to exercise caution when drafting breach notification letters, as statements made in those notices will be scrutinized. This action also serves as a reminder for companies to review their data security practices and be aware of what the FTC considers reasonable, as well as to avoid making statements – or using "seals" – that could be considered deceptive or misleading.
Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 363