FTC Agrees to Settles with Hardware and Software Provider over Data Privacy Breaches

A recent settlement by the FTC with the manufacturer of computer routers serves as a reminder to all that in the growing Internet of Things, it is critical for companies to place adequate security measures in place to protect consumer’s private data. The FTC’s latest proposed consent order targets Taiwan based computer hardware maker ASUSTek Computer, Inc.  (“ASUS”).  ASUS manufactured and sold home routers and related software and services for consumer use.  ASUS’s routers included software features that allowed consumers to wirelessly access and share files through their routers.  The FTC complaint contends that the software was prone to multiple vulnerabilities and that critical security flaws with the routers “put the home networks of hundreds of thousands of consumers at risk.”  FTCPress Release: ASUS Settles FTC Charges that Insecure Home Routers and “Cloud”Services Put Consumers’ Privacy at Risk (Feb. 23, 2016).

With no admission of liability, the parties have agreed to a proposed consent order which requires ASUS to adopt a comprehensive security program subject to independent audits for the next twenty years.  Here are the key takeaways:

• Take Reasonable Steps to Secure Software Features from Vulnerabilities.  According to the complaint and proposed consent order, ASUS did not take reasonable steps to secure its routers and their software add-ons.  The FTC showed particular concern that the products at issue were routers which the FTC noted “typically function as a hardware firewall for the local network, and act as the first line of defense in protecting consumer devices on the local network”.  The ASUS routers at issue were preset with the same default username and password and their add on software’s web applications included multiple vulnerabilities which would allow unauthorized access with only the router’s IP address, information the FTC contended was easily discoverable.
   
• Put Processes in Place to Promptly Address Security Vulnerabilities.  According to the complaint and proposed consent order, ASUS did not address security flaws in a timely manner and did not notify consumers of the risks posed.  The FTC alleges that updated firmware was provided initially only to affected routers and the updates were not made available to all registered users until several months later. 
   

The Consent Order should be reviewed by all companies involved in the Internet of Things as a risk management tool.  It requires:

• ASUS to fully and accurately to make disclosures to consumers regarding the extent to which the company or its products or services maintain:
  • The security of any covered device;
  • The security, privacy, confidentiality or integrity of any covered information;
  • The extent to which a consumer can use a covered device to secure a network; and
  • The extent to which a device is using up to date software.
     
• ASUS to develop and maintain a comprehensive written security program (“WISP”) reasonably designed to address security risks related to the development and management of their devices and to protect the privacy, security, confidentiality and integrity of consumer information.  The WISP should, among other things:
  • Identify internal and external risks to privacy, security, confidentiality and integrity of consumer personal information; and the identification of risks should take into consideration all relevant operations, including product design, development and research and secure software design development
  • Identify internal and external risks to security of their devices what could result in unauthorized access and the identification of risks should take into consideration all relevant operations, including product design, development and research and secure software design development;
  • Assess the company’s processes in reviewing, assessing and responding to both third party security vulnerability reports and to attacks, intrusions or system failures;
  • Design and implement safeguards from the outset to identify potential security failures and verify that access to devices and consumer information is restricted consistent with a user’s security settings;
  • Regularly test and monitor the effectiveness of the safeguards’ key controls, systems and procedures;
  • Continue to evaluate and adjust the WISP as needed in light of the results of testing and monitoring.