`BEFORE THE FEDERAL TRADE COMMISSION
`
`
`
`FILE NO. 1923140
`
`AGREEMENT CONTAINING
`CONSENT ORDER
`
`
`
`
`In the Matter of
`
`SKYMED INTERNATIONAL, INC.,
` also doing business as SkyMed Travel
` and Car Rental Pro,
` a Nevada corporation.
`
`
`
`
`
`
`The Federal Trade Commission (“Commission”) has conducted an investigation of
`certain acts and practices of SkyMed International, Inc. (“Proposed Respondent”). The
`Commission’s Bureau of Consumer Protection (“BCP”) has prepared a draft of an administrative
`Complaint (“draft Complaint”). BCP and Proposed Respondent enter into this Agreement
`Containing Consent Order (“Consent Agreement”) to resolve the allegations in the attached draft
`Complaint through a proposed Decision and Order to present to the Commission, which is also
`attached and made a part of this Consent Agreement.
`
`
`IT IS HEREBY AGREED by and between Proposed Respondent and BCP, that:
`
`
`
`1. The Proposed Respondent is SkyMed International, Inc., also doing business as
`SkyMed Travel and as Car Rental Pro, is a corporation with its principal office or place of
`business at 9089 E. Bahia Drive, Suite 100, Scottsdale, AZ 85260.
`
`
`2. Proposed Respondent neither admits nor denies any of the allegations in the draft
`Complaint, except as specifically stated in the Decision and Order. Only for purposes of this
`action, Proposed Respondent admits the facts necessary to establish jurisdiction.
`
`
`3. Proposed Respondent waives:
`
`a. Any further procedural steps;
`
`b. The requirement that the Commission’s Decision contain a statement of
`findings of fact and conclusions of law; and
`
`c. All rights to seek judicial review or otherwise to challenge or contest the
`validity of the Decision and Order issued pursuant to this Consent
`Agreement.
`
`
`4. This Consent Agreement will not become part of the public record of the
`proceeding unless and until it is accepted by the Commission. If the Commission accepts this
`Consent Agreement, it, together with the draft Complaint, will be placed on the public record for
`thirty (30) days and information about them publicly released. Acceptance does not constitute
`final approval, but it serves as the basis for further actions leading to final disposition of the
`matter. Thereafter, the Commission may either withdraw its acceptance of this Consent
`Agreement and so notify Proposed Respondent, in which event the Commission will take such
`action as it may consider appropriate, or issue and serve its Complaint (in such form as the
`circumstances may require) and decision in disposition of the proceeding, which may include an
`Order. See Section 2.34 of the Commission’s Rules, 16 C.F.R. § 2.34 (“Rule 2.34”).
`
`
`5. If this agreement is accepted by the Commission, and if such acceptance is not
`subsequently withdrawn by the Commission pursuant to Rule 2.34, the Commission may,
`without further notice to Proposed Respondent: (1) issue its Complaint corresponding in form
`and substance with the attached draft Complaint and its Decision and Order; and (2) make
`information about them public. Proposed Respondent agrees that service of the Order may be
`effected by its publication on the Commission’s website (ftc.gov), at which time the Order will
`become final. See Rule 2.32(d). Proposed Respondent waives any rights it may have to any
`other manner of service. See Rule 4.4.
`
`6. When final, the Decision and Order will have the same force and effect and may
`be altered, modified, or set aside in the same manner and within the same time provided by
`statute for other Commission orders.
`
`7. The Complaint may be used in construing the terms of the Decision and Order.
`No agreement, understanding, representation, or interpretation not contained in the Decision and
`Order or in this Consent Agreement may be used to vary or contradict the terms of the Decision
`and Order.
`
`8. Proposed Respondent agrees to comply with the terms of the proposed Decision
`and Order from the date that Proposed Respondent signs this Consent Agreement. Proposed
`Respondent understands that it may be liable for civil penalties and other relief for each violation
`of the Decision and Order after it becomes final.
`
`
`SKYMED INTERNATIONAL, INC.
`
`Eleanore Klein
`President & Chief Executive Officer
`SkyMed International, Inc.
`
`Date:
`
`Russell D. Duncan
`Clark Hill PLLC
`Attorney for SkyMed International, Inc.
`
`Date:
`
`FEDERAL TRADE COMMISSION
`
`By:
`
`Brian C. Berggren
`Miles Plant
`Attorneys, Bureau of Consumer Protection
`
`APPROVED:
`
`Maneesha Mithal
`Associate Director
`Division of Privacy and Identity Protection
`
`Andrew Smith
`Director
`Bureau of Consumer Protection
`
`Date:
`
`UNITED STATES OF AMERICA
`BEFORE THE FEDERAL TRADE COMMISSION
`
`COMMISSIONERS:
`
`Joseph J. Simons, Chairman
`Noah Joshua Phillips
`Rohit Chopra
`Rebecca Kelly Slaughter
`Christine S. Wilson
`
`1923140
`
`
`
`In the Matter of
`
`SKYMED INTERNATIONAL, INC.,
` also doing business as SkyMed Travel
` and Car Rental Pro,
` a Nevada corporation.
`
`
`
`
`DECISION AND ORDER
`
`DOCKET NO.
`
`
`
`
`
`DECISION
`
`
`The Federal Trade Commission (“Commission”) initiated an investigation of certain acts
`and practices of the Respondent named in the caption. The Commission’s Bureau of Consumer
`Protection (“BCP”) prepared and furnished to Respondent a draft Complaint. BCP proposed to
`present the draft Complaint to the Commission for its consideration. If issued by the
`Commission, the draft Complaint would charge the Respondent with violations of the Federal
`Trade Commission Act, 15 U.S.C. § 45(a)(1).
`
`
`Respondent and BCP thereafter executed an Agreement Containing Consent Order
`(“Consent Agreement”). The Consent Agreement includes: (1) statements by Respondent that it
`neither admits nor denies any of the allegations in the draft Complaint, except as specifically
`stated in this Decision and Order, and that only for purposes of this action, it admits the facts
`necessary to establish jurisdiction; and (2) waivers and other provisions as required by the
`Commission’s Rules.
`
`The Commission considered the matter and determined that it had reason to believe that
`Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue
`stating its charges in that respect. The Commission accepted the executed Consent Agreement
`and placed it on the public record for a period of thirty (30) days for the receipt and consideration
`of public comments. The Commission duly considered any comments received from interested
`persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with
`the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the
`following Findings, and issues the following Order:
`
`
`
`Findings
`
`1. The Respondent is SkyMed International, Inc., also doing business as SkyMed Travel
`and as Car Rental Pro, a corporation with its principal office or place of business at 9089
`E. Bahia Drive, Suite 100, Scottsdale, AZ 85260.
`
`2. The Commission has jurisdiction over the subject matter of this proceeding and over
`Respondent, and the proceeding is in the public interest.
`
`ORDER
`
`Definitions
`
`
`For purposes of this Order, the following definitions apply:
`
`
`
`
`
`
`
`
`
`
`
`
`
`1. “Affected Consumers” means all consumers that received an email from Respondent on
`or around May 2, 2019 with the subject line, “IMPORTANT MESSAGE relative to
`SkyMed data exposure.”
`
`
`2. “Covered Incident” means any instance in which (a) any United States federal, state, or
`local law or regulation requires Respondent to notify any U.S. federal, state, or local
`government entity that information collected or received, directly or indirectly, by
`Respondent from or about an individual consumer was, or is reasonably believed to have
`been, accessed or acquired without authorization; or (b) individually identifiable Health
`Information from or about an individual consumer was, or is reasonably believed to have
`been, accessed, acquired, or publicly exposed without authorization.
`
`3. “Health Information” means information relating to the health of an individual consumer,
`including but not limited to medical history information, prescription information,
`hospitalization information, clinical laboratory testing information, health insurance
`information, or physician exam notes.
`
`4. “Personal Information” means individually identifiable information from or about an
`individual consumer, including: (a) a first and last name; (b) a home or physical address,
`including street name and name of city or town; (c) an email address or other online
`contact information; (d) a mobile or other telephone number; (e) a date of birth; (f) a
`government-issued identification number, such as a driver’s license, military
`identification, passport, or Social Security number, or other personal identification
`number; (g) credit card or other financial account information; (h) Health Information; or
`(i) user account credentials, such as a login name and password.
`
`5. “Respondent” means SkyMed International, Inc., its successors and assigns, and Global
`Emergency Travel Services, and its successors and assigns.
`
`
`Provisions
`
`I. Prohibition Against Misrepresentations
`
`
`IT IS ORDERED that Respondent; Respondent’s officers, agents, employees, and
`attorneys; and all other persons in active concert or participation with any of them, who receive
`actual notice of this Order, whether acting directly or indirectly, in connection with any product
`or service, must not misrepresent in any manner, expressly or by implication:
`
`
`A. The extent to which Respondent is a member of, adheres to, complies with, is certified
`by, is endorsed by, or otherwise participates in any privacy or security program
`sponsored by a government or any third party, including any self-regulatory or standard-
`setting organization;
`
`B. The extent of any Covered Incident or unauthorized disclosure, misuse, loss, theft,
`alteration, destruction, or other compromise of Personal Information;
`
`C. The extent of any investigation and the results thereof, whether conducted by
`Respondent, a governmental agency, or a third party, into any Covered Incident or
`unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise
`of Personal Information;
`
`D. The extent to which Respondent collects, maintains, uses, discloses, deletes, or permits or
`denies access to any Personal Information; and
`
`E. The extent to which Respondent otherwise protects the privacy, security, availability,
`confidentiality, or integrity of any Personal Information.
`
`II. Required Notice to Consumers About Respondent’s Security Incident Response
`
`
`IT IS FURTHER ORDERED that, within fourteen (14) days after the effective date of
`this Order, Respondent must directly notify all Affected Consumers by sending an email,
`consisting solely of an exact copy of the notice attached hereto as Exhibit A (“Notice”), with the
`subject line “Update: May 2019 Data Exposure.” Respondent shall not include with the Notice
`any other information, documents, or attachments.
`
`
`III. Mandated Information Security Program
`
`
`IT IS FURTHER ORDERED that Respondent, in connection with the collection,
`maintenance, use, disclosure, or provision of access to Personal Information, must, within thirty
`(30) days of issuance of this Order, establish and implement, and thereafter maintain, a
`comprehensive Information Security Program (“Information Security Program”) that protects the
`security, confidentiality, and integrity of Personal Information. To satisfy this requirement,
`Respondent must, at a minimum:
`
`
`A. Document in writing the content, implementation, and maintenance of the Information
`Security Program;
`
`B. Provide the written program and any evaluations thereof or updates thereto to
`Respondent’s board of directors or governing body or, if no such board or equivalent
`governing body exists, to a senior officer of Respondent responsible for Respondent’s
`Information Security Program at least once every twelve (12) months and promptly (not
`to exceed thirty (30) days) after a Covered Incident;
`
`C. Designate a qualified employee or employees to coordinate and be responsible for the
`Information Security Program;
`
`D. Assess and document, at least once every twelve (12) months and promptly (not to
`exceed thirty (30) days) following a Covered Incident, internal and external risks to the
`security, confidentiality, or integrity of Personal Information that could result in the (1)
`unauthorized collection, maintenance, use, disclosure of, or provision of access to,
`Personal Information; or the (2) misuse, loss, theft, alteration, destruction, or other
`compromise of such information;
`
`E. Design, implement, maintain, and document safeguards that control for the internal and
`external risks Respondent identifies to the security, confidentiality, or integrity of
`Personal Information identified in response to sub-Provision III.D. Each safeguard must
`be based on the volume and sensitivity of the Personal Information that is at risk, and the
`likelihood that the risk could be realized and result in the (1) unauthorized collection,
`maintenance, use, disclosure of, or provision of access to, Personal Information; or the
`(2) misuse, loss, theft, alteration, destruction, or other compromise of such information.
`Such safeguards must also include:
`
`1. Policies, procedures, and technical measures to systematically inventory Personal
`Information in Respondent’s control and delete Personal Information that is no longer
`necessary;
`
`2. Policies, procedures, and technical measures to log and monitor access to repositories
`of Personal Information in Respondent’s control;
`
`
`3. Encryption of, at a minimum, all passport numbers, financial account information,
`and Health Information in Respondent’s control.
`
`4. Training of all of Respondent’s employees, at least once every twelve (12) months,
`on how to safeguard Personal Information;
`
`5. Technical measures to monitor all of Respondent’s networks, including all systems
`and assets within those networks, to identify data security events, including
`unauthorized attempts to exfiltrate Personal Information from those networks; and
`
`
`6. Data access controls for all repositories of Personal Information in Respondent’s
`control, such as (a) restricting inbound connections to approved IP addresses, (b)
`requiring authentication to access them, and (c) limiting employee access to what is
`needed to perform that employee’s job function.
`
`F. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30)
`days) following a Covered Incident, the sufficiency of any safeguards in place to address
`the risks to the security, confidentiality, or integrity of Personal Information, and modify
`the Information Security Program based on the results;
`
`G. Test and monitor the effectiveness of the safeguards in place at least once every twelve
`(12) months and promptly (not to exceed thirty (30) days) following a Covered Incident,
`and modify the Information Security Program based on the results. Such testing and
`monitoring must include: (1) vulnerability testing of Respondent’s network once every
`four (4) months and promptly (not to exceed thirty (30) days) after a Covered Incident,
`and (2) periodic penetration testing of Respondent’s network and promptly (not to exceed
`thirty (30) days) after a Covered Incident;
`
`H. Select and retain service providers capable of safeguarding Personal Information they
`access through or receive from Respondent, and contractually require service providers to
`implement and maintain safeguards for Personal Information; and
`
`I. Evaluate and adjust the Information Security Program in light of any changes to
`Respondent’s operations or business arrangements, a Covered Incident, or any other
`circumstances that Respondent knows or has reason to know may have an impact on the
`effectiveness of the Information Security Program. At a minimum, Respondent must
`evaluate the Information Security Program at least once every twelve (12) months and
`modify the Information Security Program based on the results.
`
`
`
`
`
`
`
`
`
`IV. Information Security Assessments by a Third Party
`
`
`IT IS FURTHER ORDERED that, in connection with compliance with Provision III of
`this Order, titled Mandated Information Security Program, Respondent must obtain initial and
`biennial assessments (“Assessments”):
`
`A. The Assessments must be obtained from a qualified, objective, independent third-party
`professional (“Assessor”), who: (1) uses procedures and standards generally accepted in
`the profession; (2) conducts an independent review of the Information Security Program;
`and (3) retains all documents relevant to each Assessment for five (5) years after
`completion of such Assessment and will provide such documents to the Commission
`within ten (10) days of receipt of a written request from a representative of the
`Commission. No documents may be withheld on the basis of a claim of confidentiality,
`proprietary or trade secrets, work product protection, attorney client privilege, statutory
`exemption, or any similar claim.
`
`
`B. For each Assessment, Respondent must provide the Associate Director for Enforcement
`for the Bureau of Consumer Protection at the Federal Trade Commission with the name,
`affiliation, and qualifications of the proposed Assessor, who the Associate Director shall
`have the authority to approve in his sole discretion.
`
`C. The reporting period for the Assessments must cover: (1) the first 180 days after the
`issuance date of the Order for the initial Assessment; and (2) each two-year period
`thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.
`
`D. Each Assessment must, for the entire assessment period:
`
`1. determine whether Respondent has implemented and maintained the Information
`Security Program required by Provision III;
`
`2. assess the effectiveness of Respondent’s implementation and maintenance of sub-
`Provisions III.A-I;
`
`
`3. identify any gaps or weaknesses in, or instances of material noncompliance with, the
`Information Security Program;
`
`
`4. address the status of gaps or weaknesses in, or instances of material non-compliance
`with, the Information Security Program that were identified in any prior Assessment
`required by this Order; and
`
`
`5. identify specific evidence (including, but not limited to, documents reviewed,
`sampling and testing performed, and interviews conducted) examined to make such
`determinations, assessments, and identifications, and explain why the evidence that
`the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s
`size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings.
`No finding of any Assessment shall rely solely on assertions or attestations by
`Respondent’s management. The Assessment must be signed by the Assessor, state
`that the Assessor conducted an independent review of the Information Security
`Program and did not rely solely on assertions or attestations by Respondent’s
`management, and state the number of hours that each member of the assessment team
`worked on the Assessment. To the extent Respondent revises, updates, or adds one or
`more safeguards required under Provision III in the middle of an Assessment period,
`the Assessment must assess the effectiveness of the revised, updated, or added
`safeguard(s) for the time period in which it was in effect, and provide a separate
`statement detailing the basis for each revised, updated, or additional safeguard.
`
`E. Each Assessment must be completed within sixty (60) days after the end of the reporting
`period to which the Assessment applies. Unless otherwise directed by a Commission
`representative in writing, Respondent must submit the initial Assessment to the
`Commission within ten (10) days after the Assessment has been completed via email to
`DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate
`Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission,
`600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin,
`“In re SkyMed International, FTC File No. 1923140.” All subsequent biennial
`Assessments must be retained by Respondent until the Order is terminated and provided
`to the Associate Director for Enforcement within ten (10) days of request.
`
`
`V. Cooperation with Third-Party Information Security Assessor
`
`
`IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in
`connection with any Assessment required by Provision IV must:
`
`A. Provide or otherwise make available to the Assessor all information and material in its
`possession, custody, or control that is relevant to the Assessment for which there is no
`reasonable claim of privilege;
`
`B. Provide or otherwise make available to the Assessor information about Respondent’s
`networks and all of Respondent’s IT assets so that the Assessor can determine the scope
`of the Assessment, and visibility to those portions of the networks and IT assets deemed
`in scope; and
`
`C. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly
`or by implication, any fact material to the Assessor’s: (1) determination of whether
`Respondent has implemented and maintained the Information Security Program required
`by Provision III; (2) assessment of the effectiveness of the implementation and
`maintenance of sub-Provisions III.A-I; or (3) identification of any gaps or weaknesses in,
`or instances of material noncompliance with, the Information Security Program.
`
`
`VI. Annual Certification
`
`
`IT IS FURTHER ORDERED that Respondent must:
`
`A. One year after the issuance date of this Order, and each year thereafter, provide the
`Commission with a certification from a senior corporate manager, or, if no such senior
`corporate manager exists, a senior officer of Respondent responsible for Respondent’s
`Information Security Program that: (1) Respondent has established, implemented, and
`maintained the requirements of this Order; (2) Respondent is not aware of any material
`noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and
`(3) includes a brief description of all Covered Incidents that Respondent verified or
`confirmed during the certified period. The certification must be based on the personal
`knowledge of the senior corporate manager, senior officer, or subject matter experts upon
`whom the senior corporate manager or senior officer reasonably relies in making the
`certification.
`
`B. Unless otherwise directed by a Commission representative in writing, submit all annual
`certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or
`by overnight courier (not the U.S. Postal Service) to: Associate Director for
`Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600
`Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re
`SkyMed International, FTC File No. 1923140.”
`
`VII. Covered Incident Reports
`
`
`
`
`
`IT IS FURTHER ORDERED that Respondent, within thirty (30) days after
`Respondent’s discovery of a Covered Incident, must submit a report to the Commission. The
`report must include, to the extent possible:
`
`A. The date, estimated date, or estimated date range when the Covered Incident occurred;
`
`B. A description of the facts relating to the Covered Incident, including the causes and scope
`of the Covered Incident, if known;
`
`
`C. A description of each type of information that was affected or triggered any notification
`obligation to the U.S. federal, state, or local government entity;
`
`
`D. The number of consumers whose information triggered any notification obligation to the
`U.S. federal, state, or local government entity;
`
`
`
`E. The acts that Respondent has taken to date to remediate the Covered Incident and protect
`Personal Information from further exposure or access, and protect affected individuals
`from identity theft or other harm that may result from the Covered Incident; and
`
`F. A representative copy of each materially different notice sent by Respondent to
`consumers or to any U.S. federal, state, or local government entity.
`
`Unless otherwise directed by a Commission representative in writing, all Covered Incident
`reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by
`overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau
`of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
`Washington, DC 20580. The subject line must begin, “In re SkyMed International, FTC File
`No. 1923140.”
`
`
`VIII. Acknowledgments of the Order
`
`
`IT IS FURTHER ORDERED that Respondent obtain acknowledgments of receipt of
`this Order:
`
`A. Respondent, within ten (10) days after the effective date of this Order, must submit to the
`Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
`
`
`
`
`
`B. For twenty (20) years after the issuance date of this Order, Respondent must deliver a
`copy of this Order to: (1) all principals, officers, directors, and LLC managers and
`members; (2) all employees having managerial responsibilities for conduct related to the
`subject matter of the Order, and all agents, and representatives who participate in conduct
`related to the subject matter of the Order; and (3) any business entity resulting from any
`change in structure as set forth in Provision IX. Delivery must occur within ten (10) days
`after the effective date of this Order for current personnel. For all others, delivery must
`occur before they assume their responsibilities.
`
`C. From each individual or entity to which Respondent delivered a copy of this Order,
`Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of
`receipt of this Order.
`
`
`IX. Compliance Report and Notices
`
`
`
`
`
`
`
`
`IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:
`
`A. One year after the issuance date of this Order, Respondent must submit a compliance
`report, sworn under penalty of perjury, in which Respondent must: (1) identify the
`primary physical, postal, and email address and telephone number, as designated points
`of contact, which representatives of the Commission, may use to communicate with
`Respondent; (2) identify all of Respondent’s businesses by all of their names, telephone
`numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of
`each business, including the goods and services offered, what Personal Information is
`collected, and the means of advertising, marketing, and sales; (4) describe in detail
`whether and how Respondent is in compliance with each Provision of this Order,
`including a discussion of all of the changes that Respondent made to comply with the
`Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to
`this Order, unless previously submitted to the Commission.
`
`B. Respondent must submit a compliance notice, sworn under penalty of perjury, within
`fourteen (14) days of any change in the following: (1) any designated point of contact; or
`(2) the structure of Respondent or any entity that Respondent has any ownership interest
`in or controls directly or indirectly that may affect compliance obligations arising under
`this Order, including: creation, merger, sale, or dissolution of the entity or any
`subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
`
`C. Respondent must submit notice of the filing of any bankruptcy petition, insolvency
`proceeding, or similar proceeding by or against Respondent within fourteen (14) days of
`its filing.
`
`D. Any submission to the Commission required by this Order to be sworn under penalty of
`perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by
`concluding: “I declare under penalty of perjury under the laws of the United States of
`America that the foregoing is true and correct. Executed on: _____” and supplying the
`date, signatory’s full name, title (if applicable), and signature.
`
`E. Unless otherwise directed by a Commission representative in writing, all submissions to
`the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by
`overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement,
`Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue
`NW, Washington, DC 20580. The subject line must begin, “In re SkyMed International,
`FTC File No. 1923140.”
`
`X. Recordkeeping
`
`
`
`
`
`
`
`
`IT IS FURTHER ORDERED that Respondent must create certain records for twenty
`(20) years after the issuance date of the Order, and retain each such record for five (5) years,
`unless otherwise specified below. Specifically, Respondent must create and retain the following
`records:
`
`A. Accounting records showing the revenues from all goods or services sold, the costs
`incurred in generating those revenues, and resulting net profit or loss;
`
`
`B. Personnel records showing, for each person providing services in relation to any aspect of
`the Order, whether as an employee or otherwise, that person’s: name, addresses,
`telephone numbers, job title or position, dates of service, and (if applicable) the reason
`for termination;
`
`
`C. Copies or records of all consumer complaints and refund requests, whether received
`directly or indirectly, such as through a third party, and any response;
`
`D. A copy of each unique advertisement or other marketing material making a representation
`subject to this Order;
`
`E. A copy of each widely disseminated representation by Respondent that describes the
`extent to which Respondent maintains or protects the privacy, security, availability,
`confidentiality, or integrity of any Personal Information, including any representation
`concerning a change in any website or other service controlled by Respondent that relates
`to privacy, security, availability, confidentiality, or integrity of Personal Information;
`
`F. For five (5) years after the date of preparation of each Assessment required by this Order,
`all materials and evidence that the Assessor considered, reviewed, relied upon or
`examined to prepare the Assessment, whether prepared by or on behalf of Respondent,
`including all plans, reports, studies, reviews, audits, audit trails, policies, training
`materials, and assessments, and any other materials concerning Respondent’s compliance
`with related Provisions of this Order, for the compliance period covered by such
`Assessment;
`
`G. For five (5) years from the date received, copies of all subpoenas and other
`communications with law enforcement, if such communications relate to Respondent’s
`compliance with this Order;
`
`H. For five (5) years from the date created or received, all records, whether prepared by or
`on behalf of Respondent, that tend to show any lack of compliance by Respondent with
`this Order; and
`
`I. All records necessary to demonstrate full compliance with each Provision of this Order,
`including all submissions to the Commission.
`
`
`XI. Compliance Monitoring
`
`
`IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s
`compliance with this Order:
`
`A. Within ten (10) days of receipt of a written request from a representative of the
`Commission, Respondent must: submit additional compliance reports or other requested
`information, which must be sworn under penalty of perjury, and produce records for
`inspection and copying.
`
`B. For matters concerning this Order, representatives of the Commission are authorized to
`communicate directly with Respondent. Respondent must permit representatives of the
`Commission to interview anyone affiliated with Respondent who has agreed to such an
`interview. The interviewee may have counsel present.
`
`C. The Commission may use all other



