Information Intersection > Troutman Sanders LLP

Category — The Internet & Social Media

NY AG Settles with IoT Company over Security Practices

BY C. READE JACOB, JR., RONALD I. RAETHER, JR. AND ASHLEY L. TAYLOR, JR.

On May 22, 2017, New York Attorney General Eric Schneiderman announced a settlement with Safetech Products LLC (“Safetech”) over allegations that the Internet of Things (IoT) company sold insecure wireless door locks and padlocks.  According to the Attorney General, the settlement marks the first time a state Attorney General has taken legal action against a wireless security company for failing to protect its consumers’ personal and private information.

Safetech offers customers Bluetooth-enabled locks.  According to the Attorney General, Safetech represented to consumers that its products would allow users to protect personal belongings inside their homes by turning doors and closets into secure areas.  However, in 2016, independent researchers found that Safetech’s Bluetooth-enabled locks transmitted passwords between the locks and the user’s smartphone in plain text, without encryption, allowing potential attackers to intercept the passwords and open the locks.  The researchers also discovered that the locks shipped with weak, guessable default passwords that could be recovered through brute-force attacks, in which automated software generates a large number of consecutive guesses.
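The two findings described above, a password sent in the clear over the radio link and a guessable default password, as an added Python illustration written for this page (it is not Safetech’s protocol, nor any researcher’s code). A simulated app and lock exchange frames while a passive sniffer records everything. The plaintext variant mirrors the first finding; the challenge-response variant (HMAC-SHA256 over a single-use random nonce, keyed from the password) is an assumed hardened design, not what the product shipped. The third scenario shows the caveat a practitioner cares about: challenge-response stops interception and replay, but a 4-digit default PIN still falls to an offline brute-force run over one captured exchange.

```python
import hashlib
import hmac
import os

# Constructed illustration: a simulated Bluetooth link between an "app" and a
# "lock", with a passive eavesdropper recording every frame. The protocol
# shapes here are assumptions for the example, not Safetech's actual design.


class Sniffer:
    """Records every frame seen on the simulated radio link."""

    def __init__(self):
        self.log = []

    def record(self, frame: bytes) -> None:
        self.log.append(frame)


def derive_key(password: str) -> bytes:
    # Assumed key derivation; a real product would use a salted password KDF.
    return hashlib.sha256(password.encode()).digest()


class PlaintextLock:
    """Weak design: the lock expects the password itself over the air."""

    def __init__(self, password: str):
        self._password = password.encode()

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(self._password, frame)


class ChallengeResponseLock:
    """Hardened design: the password never crosses the link. The lock issues a
    fresh random nonce and accepts only an HMAC over it keyed from the password;
    each nonce is single-use, so a captured response cannot be replayed."""

    def __init__(self, password: str):
        self._key = derive_key(password)
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # consume the nonce whether or not this succeeds
        return hmac.compare_digest(expected, response)


def plaintext_session(lock: PlaintextLock, password: str, sniffer: Sniffer) -> bool:
    frame = password.encode()
    sniffer.record(frame)  # the eavesdropper now holds the password verbatim
    return lock.unlock(frame)


def challenge_response_session(lock: ChallengeResponseLock, password: str, sniffer: Sniffer) -> bool:
    nonce = lock.challenge()
    sniffer.record(nonce)
    response = hmac.new(derive_key(password), nonce, hashlib.sha256).digest()
    sniffer.record(response)  # eavesdropper sees nonce + MAC, never the password
    return lock.unlock(response)


def brute_force_pin(nonce: bytes, response: bytes, digits: int = 4):
    """Offline guessing against one captured (nonce, response) pair. A numeric
    default PIN of `digits` digits is only 10**digits candidates."""
    for i in range(10 ** digits):
        candidate = format(i, f"0{digits}d")
        mac = hmac.new(derive_key(candidate), nonce, hashlib.sha256).digest()
        if hmac.compare_digest(mac, response):
            return candidate
    return None


def demo() -> dict:
    results = {}
    # 1. Plaintext link: one capture yields the password and a replayable frame.
    s = Sniffer()
    lock = PlaintextLock("correct horse battery staple")
    results["plaintext_legit_open"] = plaintext_session(lock, "correct horse battery staple", s)
    results["sniffed_password"] = s.log[-1].decode()
    results["plaintext_replay_open"] = lock.unlock(s.log[-1])
    # 2. Challenge-response: no password on the wire; replaying the old response
    #    against a fresh challenge fails.
    s = Sniffer()
    lock = ChallengeResponseLock("correct horse battery staple")
    results["cr_legit_open"] = challenge_response_session(lock, "correct horse battery staple", s)
    results["cr_password_on_wire"] = b"correct horse battery staple" in s.log
    lock.challenge()  # attacker requests a new nonce, then replays the old MAC
    results["cr_replay_open"] = lock.unlock(s.log[-1])
    # 3. Same hardened lock with a weak 4-digit default PIN: one captured
    #    exchange is enough to recover the PIN offline.
    s = Sniffer()
    lock = ChallengeResponseLock("1234")
    challenge_response_session(lock, "1234", s)
    results["weak_pin_recovered"] = brute_force_pin(s.log[0], s.log[1])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the two findings compound: moving from a plaintext credential to a keyed challenge-response removes interception and replay, but the secret behind the MAC still has to be high-entropy and unique per device, otherwise the attacker simply guesses it offline.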

As part of the settlement agreement, Safetech agreed to establish and implement a written comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality, and integrity of security information, including:

  1. The designation of an employee or employees to coordinate and be accountable for the security program;
  2. The identification of material internal and external risks to (a) the security of the devices that could result in unauthorized access to or unauthorized modification of the device, and (b) the privacy, security, confidentiality, and integrity of security information;
  3. Risk assessments considering each area of relevant operation, including, but not limited to: (a) employee training and management, including secure engineering and defensive programming; (b) product design, development, and research; (c) secure software design, development, and testing; (d) review, assessment, and response to third party security vulnerability reports; and (e) prevention, detection, and response to attacks, intrusions, or systems failures;
  4. The design and implementation of reasonable safeguards to control the risks identified through risk assessment;
  5. Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  6. The development and use of reasonable steps to select and retain service providers (if any are hired) capable of maintaining security practices consistent with the agreement, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with the agreement; and
  7. The evaluation and adjustment of Safetech’s security program in light of the results of the testing and monitoring required by the agreement.

The New York Attorney General’s action is notable in that it marks the first time that a state Attorney General has taken action against an IoT company over security representations.  In recent years, the FTC has established itself as the lead regulator in this space. As we noted here, the FTC recently brought an action against D-Link alleging UDAP violations related to the company’s security vulnerabilities.  There, the FTC alleged that D-Link failed to adequately secure the software for its routers and IP cameras, and misrepresented, through its security event response policy, its router and IP camera promotional material, and its router graphical user interface, that the software was secure.  Similarly, last year the FTC settled with another IoT company, ASUSTek Computer, Inc. (read our blog post here).  There, the FTC alleged that ASUS had engaged in unfair and deceptive acts or practices by marketing its routers and cloud services as “secure” while knowing about and failing to fix serious vulnerabilities.

Going forward, IoT companies should expect continued scrutiny not only from the FTC, but also state Attorneys General.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders is well-positioned to help companies develop procedures for effectively handling security issues.  Because of our team’s technical background, we are uniquely positioned to understand companies’ IoT technology concerns and to address any risks from a legal perspective.  We routinely advise businesses on security and privacy best practices with respect to connected devices, which help to avoid acts or practices that may be considered unfair or deceptive.

May 30, 2017

NY AG Announces Settlement with Health App Developers Over Marketing and Privacy Practices

BY STEPHEN C. PIEPGRASS AND C. READE JACOB, JR.

On March 23, New York Attorney General Eric Schneiderman announced settlements with the developers of three health-related applications sold in Apple’s App Store and Google’s Play Store.  The settlements arose from allegations of misleading claims and irresponsible privacy practices.  Under the terms of the settlements, the developers agreed to provide additional information about how the apps were tested, to change their ads to eliminate allegedly misleading content, and to pay $30,000 in combined penalties to the Office of the Attorney General.

According to the A.G.’s press release, two of the app developers, Cardiio and Runtastic, claimed that their apps accurately measured heart rate after exercise using only a smartphone camera and sensors.  A third developer, Matis, claimed that its app transformed a smartphone into a fetal heart monitor that could be used to play an unborn baby’s heart rate, even though the app was not a fetal heart monitor approved by the Food and Drug Administration.  The A.G. alleged that the three developers marketed these apps without sufficient information to back up their marketing claims.

In addition to the settlement payment, the app developers must post clear and prominent disclaimers informing consumers that the apps are not medical devices and are not approved by the FDA.  The developers also were required to make changes to protect consumers’ privacy.  According to the A.G., the developers are now required to obtain affirmative consent from consumers to the developers’ privacy policies, and the developers must disclose that they collect and share information that may be personally identifying.  This includes users’ GPS location, unique device identifier, and “de-identified” data that third parties may be able to use to re-identify specific users.

As we have discussed previously, Schneiderman’s office has been active in privacy enforcement matters in the past year.  For example, the New York A.G. recently reached a settlement with Acer for $115,000 over a data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents.  Last year, the A.G. settled a case against then-presidential nominee Donald Trump’s hotel chain arising from a series of malware-enabled breaches that occurred in 2014 and 2015, which the chain allegedly failed to report for several months.  The A.G. also settled a case against EZcontactsUSA, alleging that the online contact lens retailer misrepresented the security of its website, failed to secure customers’ payment information, and neglected to report a data breach once discovered.

Most recently, on February 9, the A.G. announced settlements with two mobile app developers for their failure to disclose their data collection practices in a privacy policy.  According to the A.G.’s Office, the two developers, AB Mobile Apps LLC and Bizness Apps LLC, lacked a privacy policy or any statement as to how they collect, use, or disclose a user’s personal information.  Interestingly, unlike in many cases that prompt regulatory action, the A.G. did not find that these developers had misused their customers’ personal information or disclosed it to third parties.  Instead, the A.G. indicated that the mere failure to disclose how a company collects, uses, and discloses customers’ personal information in a privacy policy is a deceptive trade practice under New York Executive Law § 63(12) and New York General Business Law § 349.

March 28, 2017

FTC Takes on Video Game “Influencers”

When the FTC revised its Endorsement Guides in 2009, it signaled that it would focus more of its efforts on deceptive advertising conveyed through social media and evolving methods of online advertising. The FTC warned advertisers that they risk enforcement action when material connections between an endorser and an advertiser are not disclosed, regardless of where the endorsement appears.

Since then, the FTC has kept that promise, and last week announced that it settled a case against Machinima involving its deployment of “influencers” who were paid to “build an early buzz” surrounding the launch of Microsoft’s Xbox One console in late 2013.

September 9, 2015

OMG! FDA Cracks Down on Kim Kardashian Social Media Drug Endorsement

Forbes / Kim Kardashian / Instagram

Tens of millions of people around the world follow Kim Kardashian’s every move on social media. So apparently does the FDA’s Office of Prescription Drug Promotion. Last week, the FDA issued a Warning Letter to Canadian drug manufacturer Duchesnay concerning Kardashian’s social media posts promoting the morning sickness drug Diclegis. The FDA warned that the posts unlawfully misbranded Diclegis under the Federal Food, Drug, and Cosmetic Act.

August 13, 2015

Are the Reviews In? Using Online Review Evidence for Advertising Claim Support

It is a fact of modern commerce that consumers consider online reviews when deciding how to spend their dollars on everything from music, to local restaurants, to electronics.  But what happens when a business wants to use those reviews to formulate advertising claims?

August 25, 2014

Labor Unions Want Your Email System Too!

If you have a union in your workplace, or if unions have tried to organize workers in your workplace, you know that unions need ways to communicate with your employees.  Before the current digital age, unions relied primarily on communicating through informational picketing and leafleting, posters and mailings, and individual and group meetings to encourage unionization or to communicate with members and represented employees.  Today, with the modern workplace and internet-connected workers, communications can be conducted far more quickly, efficiently, cheaply and often more effectively through electronic means, such as email.  But historically, unions have not been permitted access to company email systems.  The current rule is that “employees have no statutory right to use the[ir] Employer’s e-mail system” for non-work-related purposes. If unions and the current Presidential administration get their way, that all might change.

July 22, 2014

Update: A Potential Roadblock for Cloud-Based Media Avoided

Twice previously this year, we posted about the potential consequences to cloud-based media from the legal dispute between streaming video service Aereo and the television broadcast industry. Last week, the Supreme Court, in a 6-3 opinion, resolved much of the uncertainty detailed in those earlier posts. While the Court ruled against Aereo – holding that its transmission of the broadcasters’ content amounted to a public performance and thus violated the networks’ copyright – the majority’s decision took pains to limit its decision to the facts at issue. Justice Breyer, delivering the opinion of the Court, noted that “we have not considered whether the public performance right is infringed when the user of a service pays primarily for something other than the transmission of copyrighted works, such as the remote storage of content.”

June 30, 2014

The Risky Business of Background Checks, Online and Otherwise

Over the past few years, both the Equal Employment Opportunity Commission and the Federal Trade Commission have been closely scrutinizing the time-honored practice of employee background checks.  We’ve posted about background checks before – particularly the risky business of relying on online information brokers instead of, or in addition to, a bona fide credit reporting agency.  But the EEOC and FTC recently took the very unusual step of jointly issuing two guides on employment background checks, so we thought it might be helpful to give our readers a refresher.

May 1, 2014

Are You Ready for a World in Which More People Own a Mobile Device than a Toothbrush? You Better Be – It’s Already Here

In January 2014, we published a post on Why Social Media Matters.  If you didn’t read that post, you should. Regardless, at the end of that article, we included a link to a YouTube video produced by a guy named Erik Qualman.  He leads an increasingly influential organization, which started as a blog, called “Socialnomics.”  Qualman founded Socialnomics to provide “social & mobile statistics, studies & surprises.”  His passion and analysis regarding social media has led to a top-selling book and high-paying gigs as a keynote speaker.  But Qualman’s thoughts on social media have been most widely distributed through social media itself — the popular YouTube video linked at the end of our post.  Its various versions have been viewed millions and millions of times.  It’s full of mind-boggling statistics.  It’s entertaining.  But, most of all, it’s thoroughly thought provoking.

This week, Qualman published the latest version –  #Socialnomics 2014.  If this video doesn’t give you and your business something to think about, we don’t know what will.

And, yes, the claim that More People Own a Mobile Device Than a Toothbrush is apparently true.  So, the question really isn’t whether you are ready for such a world, because it’s already here.  The question is — if you’re not ready, when are you going to start?

April 18, 2014

Discovering Cloud Data in Litigation

Your litigation in 2014 will involve requests for production of electronically stored information (“ESI”), and there is a good chance that some of that information is stored somewhere in “the cloud.”  ESI stored in the cloud has unique challenges and opportunities.  Determining what relevant, discoverable ESI resides in the cloud; assessing whether it is, or should be, within the scope of your discovery plan; and executing a process for preserving, collecting, and producing it all require an understanding of the legal and practical issues impacting cloud storage.  Here are a few key considerations to help you navigate the process.

April 17, 2014