The Federal Trade Commission, continuing its quest to be the enforcer of consumer privacy rights, has come down hard this month on ASUSTeK and LabMD for their failure to have adequate data security standards. Because the FTC has taken the position that its complaints and orders set the standard for adequate data security (DataPoints: Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016), companies subject to FTC jurisdiction should take heed.
LabMD cannot seem to catch a break. Although an ALJ dismissed the FTC’s claim against LabMD finding that the consumers whose personal information was exposed did not suffer any harm (see article referenced above), the FTC announced today its order reversing the ALJ’s decision and requiring LabMD to institute a data security program and provide notice to consumers, despite the fact that the company is essentially out of business. The order focuses on LabMD’s failure to employ “even basic precautions to protect the sensitive consumer information maintained on its computer system.” These failures included:
- Failing to use an intrusion detection system or file integrity monitoring;
- Neglecting to monitor traffic coming across its firewalls;
- Inadequate data security training to its employees;
- Not deleting consumer data; and
- Installing file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users, and leaving it there for 11 months.
These failures, the FTC says, are unreasonable and violate Section 5 of the FTC Act which prohibits unfair or deceptive acts or practices in or affecting commerce. Notably, the FTC rejected the notion that some monetary or other tangible harm to consumers was required to sustain a Section 5 claim. Instead, the Commission espoused an amorphous standard, finding that the potential exposure of consumer information was sufficient. Specifically, the FTC’s position is that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n)” and that LabMD’s lack of adequate security measures were “likely to cause substantial injury” because of the high likelihood of exposure of sensitive consumer information on through the P2P network.
ASUSTeK fares no better before the FTC. Earlier this year, the FTC filed a complaint against the Taiwanese manufacturer alleging that it violated Section 5 of the FTC Act by failing to have adequate security measures in connection with software on its routers marketed to consumers and by advertising its routers as having security features that could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” ASUSTeK agreed to settle the FTC’s claims, and the FTC recently approved the final consent order. The consent order requires ASUSTeK to establish and maintain a data security program that will be subject to independent audits for the next 20 years.
In ASUSTeK, the FTC claimed that hackers could exploit security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumers’ knowledge and that other design flaws made these flaws worse, including setting and allowing consumers to retain the same easy to guess default login credentials on every router (username “admin” and password “admin”). In addition, ASUSTeK promoted AiCloud and AiDisk services on the routers as ways for consumers to create their own “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” but the services had flaws that allowed hackers to gain access to the consumers’ storage device connected to the router without credentials by accessing a specific URL from a web browsers. Other faults included ASUSTeK’s failure to encrypt consumer files in transit and failing to address security flaws in a timely matter and notify consumers of the risks and available security updates.
The consent order requires ASUSTeK to do the following:
- Establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing certain defined covered devices, and (2) protect the privacy, security, confidentiality, and integrity of Covered Information (as defined in the order). The program must be in writing and must contain “administrative, technical, and physical safeguards” appropriate to ASUSTeK’s size and complexity, the nature and scope of its activities, and the sensitivity of the function of the routers and “Covered Devices” or the Covered Information. The safeguards must include:
- The designation of an employee or employees to coordinate and be accountable for the security program;
- The identification of material internal and external risks to the security of Covered Devices that could result in unauthorized access to or unauthorized modification of a Covered Device, and assessment of the sufficiency of any safeguards in place to control these risks;
- The identification of material internal and external risks to the privacy, security, confidentiality, and integrity of Covered Information that could result in the unintentional exposure of such information by consumers or the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
- The design and implementation of reasonable safeguards to control the risks identified through risk assessment, including through reasonable and appropriate software security testing techniques, such as (1) vulnerability and penetration testing; (2) security architecture reviews; (3) code reviews; and (4) other reasonable and appropriate assessments, audits, reviews, or other tests to identify potential security failures and verify that access to Covered Devices and Covered Information is restricted consistent with a user’s security settings;
- Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
- The development and use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with this order, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with this order; and
- The evaluation and adjustment of [ASUSTek’s] security program in light of …. any … circumstances that [ASUSTek] knows or has reason to know may have a material impact on the effectiveness of the security program.
- Obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such Assessments must be: a person qualified as a Certified Secure Software Lifecycle Professional (CSSLP) with experience programming secure Internet-accessible consumer-grade devices; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and in programming secure Internet-accessible consumer-grade devices; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection….
- Notify consumers when a software update is available, or when ASUSTeK is aware of reasonable steps that a consumer could take to mitigate certain defined security flaws. Notice must be provided through at least each of the following means:
- Posting of a Clear and Conspicuous notice on at least the primary, consumer-facing website of respondent and, to the extent feasible, on the user interface of any Covered Device that is affected;
- Directly informing consumers who register, or who have registered, a Covered Device with respondent, by email, text message, push notification, or another similar method of providing notifications directly to consumers; and
- Informing consumers who contact respondent to complain or inquire about any aspect of the Covered Device they have purchased.
- Provide consumers with an opportunity to register an email address, phone number, device, or other information during the initial setup or configuration of a Covered Device, in order to receive the security notifications required by this Part. The consumer’s registration of such information must not be dependent upon or defaulted to an agreement to receive non-security related notifications or any other communications, such as advertising. Notwithstanding this requirement, respondent may provide an option for consumers to opt-out of receiving such security-related notifications.
(In the Matter of ASUSTeK Computer, Inc., File No. 142 3156 (2016)).