
InfoBytes Blog

Financial Services Law Insights and Observations

FTC settles with company for data security lapses

Federal Issues FTC Enforcement Consumer Protection Privacy/Cyber Risk & Data Security FTC Act

On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to protect consumers' personal information, including sensitive health information. According to the complaint, the company collected personal information from customers who signed up for membership plans and allegedly stored that information, unencrypted, in an unsecured cloud database that anyone on the internet could access. The company also allegedly failed to perform vulnerability and penetration testing, failed to conduct periodic risk assessments, and failed to monitor its network for unauthorized access.

The FTC also faults the company's response. After being informed that its data was exposed, the company represented that it had immediately conducted an investigation and determined that "[t]here was no medical or payment-related information visible and no indication that the information has been misused." The FTC alleges, however, that the company never, among other things, "examine[d] the actual information stored in the cloud database, identif[ied] the consumers placed at risk by the exposure, or look[ed] for evidence of other unauthorized access to the database." Instead, after confirming that the data was online and publicly accessible, the company simply deleted the database, the FTC claims, which foreclosed the very examination the FTC says it should have performed.

The proposed settlement requires the company to, among other things, maintain safeguards to protect personal information, implement a comprehensive data security program, and undergo biennial third-party assessments of the program's effectiveness. The company is also prohibited from misrepresenting how it collects, maintains, secures, discloses, or deletes personal data, as well as whether it has been endorsed by, or participates in, any government- or third-party-sponsored privacy or security program. The company will also be required to send a notice to affected consumers describing its response to the security incident.