Recent FTC Settlement Illustrates Heightened Data Security Compliance Enforcement
The Federal Trade Commission (FTC) recently announced that smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle allegations by FTC compliance attorneys over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras.
The settlement ends FTC litigation against D-Link stemming from a 2017 complaint in which the agency alleged that, despite claims touting device security, vulnerabilities in the company’s routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds, exposed to third parties and vulnerable to hackers.
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said FTC compliance attorney Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
Despite promoting the security of its products by claiming it offered “advanced network security,” D-Link allegedly failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, according to the FTC’s complaint. These flaws allegedly included using hard-coded login credentials on its D-Link camera software with the easily guessed username and password, “guest,” and storing mobile app login credentials in clear, readable text on a user’s mobile device.
As part of the proposed settlement, D-Link is required to implement a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are secure. This includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.
In addition, D-Link is required for 10 years to obtain biennial, independent, third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five years and provide them to the Commission upon request. The settlement also requires the assessor to identify specific evidence for its findings—and not rely solely on the assertions of D-Link’s management. Finally, the order gives the FTC authority to approve the third-party assessor D-Link chooses.
Under this settlement, D-Link has the option to have the assessor certify its compliance with the secure product development standard set by the International Electrotechnical Commission, an international standard setting organization. If the company successfully obtains the necessary compliance certifications required of the standard, D-Link will be deemed in compliance with the order’s comprehensive security program requirement. This provision, however, does not apply if D-Link provides any misleading or false information during its biennial audit or assessment process.
The 2017 FTC Stick with Security series published by FTC attorneys and the Bureau of Consumer Protection provides insights into security principles, based on the lessons of recent law enforcement actions, closed investigations and experiences companies have shared about starting with security at their business.
For businesses, the key to safeguarding sensitive information is to start with security.
There are practical tips to take from the FTC’s 60+ data security cases. From sensible information collection policies and product design through training, transmission, storage, monitoring and disposition. The FTC breaks data security down to ten actionable principles suited for companies of any size and in any sector.
Start with security – and stick with it. Control access to data sensibly. Require secure passwords and authentication. Store sensitive personal information securely and protect it during transmission. Segment your network and monitor who is trying to get in and out. FTC compliance lawyers also recommend securing remote access to your network. Apply sound security practices when developing new products. Make sure your service providers implement reasonable security measures and put procedures in place to keep your security current and address vulnerabilities that may arise. Secure paper, physical media, and devices.
Richard B. Newman is an FTC compliance and defense attorney at Hinch Newman LLP. Follow him on LinkedIn at FTC CID attorneys.
Information conveyed herein is for informational purposes only and does not constitute, nor should it be relied upon, as legal advice. No person should act or rely on any information contained herein without seeking the advice of an attorney.