Sealing the Deal on Another Privacy Settlement
FTC Announces Settlement with Travel Services Company Over Unsecured Cloud Database and Misleading Online Privacy Messaging
Remember traveling for business or pleasure? The ongoing pandemic has caused many of us to forego business and vacation travel. This does not mean that travel is out of the news. On February 5, 2021, the Federal Trade Commission (FTC) finalized a settlement with SkyMed International, Inc. (SkyMed), a Nevada-based company that provides medical emergency travel evacuation services under various membership programs, over allegations that SkyMed failed to take reasonable measures to secure consumer information, including health records, and used misleading privacy-related images on its webpages.
On the No-Fly List
- Unsecured Cloud Data Storage
Storing data in the cloud has many benefits, but it also comes with risks. In the complaint announced on December 16, 2020, the FTC alleged that SkyMed failed to employ reasonable measures to secure the personal information it had collected from 130,000 SkyMed members and stored in an unsecured cloud database. The unsecured database, which was exposed by a security researcher, was accessible by anyone on the Internet and contained records with personal information stored in plain text, such as member names, dates of birth, home addresses, health information, and membership account numbers. The FTC also alleged that SkyMed failed to assess the risks to this personal information by performing penetration testing and other measures and failed to monitor its network for unauthorized access.
After being informed of the unsecured data, SkyMed allegedly notified current and former membership plan holders that it had investigated the breach and determined that “there was no medical or payment-related information visible and no indication that the information has been misused.” The FTC alleged, however, that SkyMed failed to examine the actual information stored in the cloud database, identify affected consumers, and investigate whether any other unauthorized users had accessed the database. Instead, after confirming that the data was online and publicly accessible, SkyMed deleted the database.
- Using Faux Seals and Logos
The FTC is not usually known for their comedy, but their discussion in 2015 on the use of environmental seals in marketing materials is an admirable effort at comedy:
You don’t need to go to a water park to see performing seals. You can spot them on websites where they perform the function of conveying information about the purported … benefits of products.
If you travel a lot, your suitcase may be covered with checked luggage decals that advertise to the world all of the airports you have flown into and out of over the years. Covering marketing materials with seals, particularly self-created seals, may deceptively misrepresent, directly or by implication, that the product or service you are advertising has been endorsed or certified by an independent third-party organization.
The FTC alleged that SkyMed deceived consumers by displaying a self-made “HIPAA Compliance” seal on every page of its website for over five years. The FTC alleged that this seal gave the false impression that SkyMed’s privacy policies had been reviewed and met the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). However, no government agency or other third party had reviewed SkyMed’s information practices for compliance with HIPAA.
On the To-Do List
Under the terms of the settlement, SkyMed must send a notice to all affected consumers detailing the information that was exposed in the breach of the cloud database. The settlement does not require SkyMed to provide compensation to any of these consumers. The company must also implement a comprehensive information security program. As part of this program, the company must do the following: (1) identify and document potential internal and external risks, (2) implement, and maintain safeguards to protect the personal information it collects from those potential risks, and (3) obtain biennial assessments of its information security program from a third party.
The settlement prohibits SkyMed from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program. To ensure a strong tone at the top, the settlement also requires a senior SkyMed executive to annually certify that the company is complying with the requirements of the settlement.
There are three key takeaways from this recent settlement. First, this settlement is a good reminder that any personal information your company stores in the cloud must be secured. Your data may be flying through the clouds, but it still needs to wear a security seatbelt while parked at the gate and in flight. This is the second FTC enforcement action in the past few months focusing on the risks of unsecured cloud-based data storage systems. See our prior blog posting on the FTC’s proposed consent agreement in December 2020 with Ascension Data & Analytics, LLC involving, in part, the exposure of personal information in a cloud-based server used by a vendor. This may have happened by chance and chance alone or it may signal a heightened focus by the FTC on the security of personal information in cloud-based data storage solutions. If your company uses cloud-based solutions or uses vendors that store your data in the cloud, it may be prudent to assume the latter is true.
The issue of data security in the cloud has also been in the global news of late. Several high-profile clients of Accellion, Inc. (Accellion), a Palo Alto, California-based third-party provider of hosted file transfer services, have recently announced data breaches tied to a hacker who exploited a vulnerability in Accellion’s FTA product, which was developed in the early 2000s. Accellion advertised that “FTA helps worldwide enterprises … transfer large and sensitive files securely using a 100% private cloud, on-premises or hosted.” In December 2020 and January 2021, a hacker gained access to files transferred in Accellion’s FTA product. Although Accellion has developed newer file transfer products, many FTA applications remain in use by companies and government organizations around the world.
The Office of the Washington State Auditor recently reported that files containing the personal information of Washington state residents who filed unemployment insurance claims in 2020 were breached in this incident. Kroger, a retail grocery store chain, and several global law firms have also announced data breaches tied to their use of the FTA services. Files marked as confidential and that appear to be from one large law firm were recently posted on a dark web site. At least one breach-related lawsuit has already been filed against Accellion and the company has announced that its FTA product will be permanently discontinued as of April 30, 2021.
Second, this settlement is a good reminder that your company’s privacy messaging does not exist in a vacuum. Creativity is generally a good thing in marketing messaging, but that creativity has some limits. All statements, representations, and graphics, such as seals, should be reviewed to ensure they are not deceptive or misleading to consumers. Your webpages and marketing materials need to stick to an established flight plan, so you don’t have to make an unscheduled landing to evacuate things like deceptive “HIPAA Compliance” seals from all of those locations.
Third, the SkyMed settlement is a good reminder that more aggressive privacy-related enforcement actions are likely under the new Biden administration. In her prepared remarks from the Future of Privacy Forum on February 10, 2021, the FTC’s Acting Chairwoman, Rebecca Kelly Slaughter, noted as follows:
I want to think creatively about how to make our current enforcement efforts even more effective. The FTC has worked hard to curb abuses in this space without the benefit of federal privacy law, and, for most of the statutes, we enforce, without civil penalty authority. But the questions I care most about as we move forward are:
(1) Are we doing everything we can to deter future violations, both by the particular company at issue and by others in the market?
(2) Are we doing everything we can to help wronged consumers?
(3) Are we using all the tools in the FTC’s toolbox to fully charge offenses and pursue misconduct?
I’ve supported many of the Commission’s privacy and security cases, like Equifax and TikTok, but for those of you who have followed the FTC’s privacy and security work closely, you’ll know that I dissented in cases like Facebook, YouTube, and Zoom. When I dissented, in most instances it was because I believed that the Commission should have obtained stronger relief for consumers, including by pursuing litigation if we were unable to negotiate sufficient relief in a settlement.
Two types of relief I want us to seek and believe we can achieve are meaningful disgorgement and effective consumer notice.
If your company is not adequately protecting the confidentiality and security of the personal information it collects and maintains about consumers, the FTC may step in and correct your company’s flight plan. The FTC may even require your company to give up any profits it has earned as a result of illegal or wrongful conduct and return those funds to the victims. There is no emergency membership service that will immediately evacuate your company from an investigation by the FTC. Further, the issue of data security in cloud-based services is grabbing headlines in the United States and globally so it may be a good time for your company to check in on your cloud-based systems to ensure you do not encounter turbulence.