What We Know

FTC Agrees to Settle with Hardware and Software Provider over Data Privacy Breaches

May 12, 2016 | by Caren D. Enloe

A recent settlement by the FTC with the manufacturer of computer routers serves as a reminder to all that in the growing Internet of Things, it is critical for companies to have effective security measures in place to protect consumer’s private data. The FTC’s latest proposed consent order targets Taiwan-based computer hardware maker ASUSTek Computer, Inc. (“ASUS”). ASUS manufactures and sells home routers and related software and services for consumer use. ASUS’s routers include software features that allow consumers to access and share files via a wireless connection through their routers. The FTC complaint contends that ASUS routers are prone to multiple vulnerabilities and that critical security flaws within the router’s software “put the home networks of hundreds of thousands of consumers at risk.” FTC Press Release: ASUS Settles FTC Charges that Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy at Risk (Feb. 23, 2016).

With no admission of liability, the parties have agreed to a consent order which requires ASUS to adopt a comprehensive security program subject to independent audits for the next twenty years. Here are the key takeaways:

  • Take Reasonable Steps to Secure Software Features from Vulnerabilities. According to the complaint and proposed consent order, ASUS did not take reasonable steps to secure its routers and software add-ons. The FTC showed particular concern that the products at issue were routers which the FTC noted: “typically function as a hardware firewall for the local network, and act as the first line of defense in protecting consumer devices on the local network.” The ASUS routers at issue were setup with the same default username and password, and their add-on software’s web applications included multiple vulnerabilities that could allow unauthorized access via the router’s IP address – information the FTC contends is easily discoverable.
  • Put Processes in Place to Promptly Address Security Vulnerabilities. According to the complaint and proposed consent order, ASUS did not address security flaws in a timely manner and did not notify consumers of the risks. The FTC alleges that updated firmware was provided initially only to affected routers and was not made available to all registered users until several months later.

The Consent Order should be reviewed by all companies involved in the Internet of Things as a risk management tool.

It requires:

ASUS to fully and accurately make disclosures to consumers regarding the extent to which the company or its products or services maintain:

  • The security of any covered device;
  • The security, privacy, confidentiality or integrity of any covered information;
  • The extent to which a consumer can use a covered device to secure a network; and
  • The extent to which a device is using up-to-date software.

ASUS to develop and maintain a comprehensive written security program (“WISP”) reasonably designed to address security risks related to the development and management of their devices and to protect the privacy, security, confidentiality and integrity of consumer information. The WISP should, among other things:

  • Identify internal and external risks to privacy, security, confidentiality and integrity of consumer personal information; and the identification of risks should take into consideration all relevant operations, including product design, development, research, and secure software design development.
  • Identify internal and external risks to security of their devices what could result in unauthorized access and the identification of risks should take into consideration all relevant operations, including product design, development, research and secure software design development;
  • Assess the company’s processes in reviewing, assessing and responding to both third-party security vulnerability reports and to attacks, intrusions or system failures;
  • Design and implement safeguards from the outset to identify potential security failures and verify that access to devices and consumer information is restricted consistent with a user’s security settings;
  • Regularly test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Continue to evaluate and adjust the WISP as needed in light of the results of testing and monitoring.

Caren Enloe is a partner who concentrates her practice in consumer financial services litigation and compliance, bankruptcy, and commercial litigation with an emphasis on creditor’s rights. She has a deep understanding of the complex compliance environment surrounding the financial services industry and regularly advises financial service companies on licensing and compliance issues involving state and federal consumer protection and finance statutes. Caren is the author of a daily blog titled: Consumer Financial Services Litigation and Compliance where she posts timely and informative updates regarding the CFPB, FTC, and a host of topical litigation issues involving consumer protection law....LEARN MORE

919.250.2000 mail@smithdebnamlaw.com @smithdebnamlaw