Information Intersection > Troutman Sanders LLP

State Attorneys General Reach $18.5M Agreement with Target Over 2013 Data Breach

BY SIRAN S. FAULDERS, C. READE JACOB, JR. AND ASHLEY L. TAYLOR, JR.

On May 23, state attorneys general from 47 states and the District of Columbia announced a settlement agreement with Target Corporation to resolve the states’ investigation into the company’s 2013 data breach.  Under the terms of the Assurance of Voluntary Compliance (“AVC”), Target will pay $18.5 million to the states – the largest multistate data breach deal ever reached, according to a press release from Illinois Attorney General Lisa Madigan.

The AVC did not provide factual allegations regarding the breach.  However, press releases from various state attorneys general asserted that Target’s 2013 data breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.  The press releases further alleged that cyber attackers had accessed Target’s gateway server through credentials stolen from a third-party HVAC vendor.  The stolen credentials were then used to exploit weaknesses in Target’s system, allowing the attackers to access a customer service database, install malware on the system, and capture customer data.  The stolen data included customers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification (CVV1) codes, and encrypted debit PINs, according to the attorneys general press releases.

Under the terms of the agreement, Target will pay $18.5 million to the state attorneys general.  In addition, Target will be required to adopt cybersecurity standards that include the following:

  • Develop, implement, and maintain a comprehensive information security program;
  • Employ an executive or officer who is responsible for executing the plan;
  • Hire an independent qualified third party to conduct a comprehensive security assessment;
  • Maintain and support software on its network for data security purposes;
  • Maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
  • Segment its cardholder data environment from the rest of its computer network; and
  • Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication.

As we previously reported here, state attorneys general have been active in investigating data breaches and in promoting effective cyber security standards.  This settlement is noteworthy since the amount appears to be twice as much as the next largest state A.G. data breach settlement.  In 2009, T.J. Maxx entered into a settlement agreement with 41 state attorneys general for $9.75 million over an alleged breach involving more than 94 million credit and debit cards.  More recently, in 2015, online retailer Zappos reached a settlement with nine state attorneys general over a 2012 data breach that compromised personal and financial information of nearly 24 million of the company’s customers.  Under the settlement, Zappos agreed to pay more than $100,000 to the states and to implement enhanced privacy policies and security standards.  The recent settlement with Target demonstrates the states’ continued interest in investigating data breaches.

Madigan and Connecticut Attorney General George Jepsen, long considered leaders in the cybersecurity and privacy space, led the investigation.  Other states that signed the agreement were Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia, and the District of Columbia.  California, also long considered a leader in the cybersecurity and privacy space, is negotiating an independent settlement that incorporates the substantive terms of the AVC, and the $18.5 million payment includes the payment to California.

May 26, 2017

Class Action Filed Against Chipotle for Data Security Breach Involving Payment Processing System

BY RONALD I. RAETHER, JR., KATHERINE LOVE AND C. READE JACOB, JR.

On May 4, Bellwether Community Credit Union filed a class action suit on behalf of a proposed class of financial institutions in Colorado federal court against Chipotle Mexican Grill, Inc., claiming that the chain’s recently announced data breach caused significant financial harm to the credit union.  Bellwether’s complaint alleges that Chipotle’s purportedly lax security standards violated Section 5 of the Federal Trade Commission Act.  Bellwether claims that it and other similarly situated financial institutions incurred substantial costs related to canceling and reissuing compromised cards as well as investigating and refunding fraudulent charges as a result of Chipotle’s alleged negligence.

As we previously wrote here, Chipotle announced on April 26 that the restaurant detected a security breach in its electronic processing and transmission of confidential customer and employee information.  Chipotle has not disclosed the scope of the security breach.  However, the chain stated in its quarterly report to the U.S. Securities and Exchange Commission that 70% of its 2016 sales were attributable to debit and credit card transactions.

Less than two weeks after Chipotle’s disclosure, Bellwether filed its complaint against Chipotle, alleging that Chipotle failed to mitigate potential data damage and failed to comply with industry best practices.  Bellwether alleges that Chipotle “failed to ensure that it maintained adequate data security measures, failed to implement best practices, failed to upgrade security systems and failed to comply with industry standards by allowing its computer and point-of-sale systems to be hacked, causing financial institutions’ payment card and customer information to be stolen.”

Bellwether alleges that Chipotle failed to mitigate potential risk by not implementing EMV technology, a global standard for debit and credit cards equipped with computer chips and for the technology used to authenticate chip card transactions.  The complaint further alleges that Chipotle failed to upgrade its payment terminals, despite the payment card industry’s minimum EMV chip card and terminal requirements implemented in October 2015, because the upgrades would “slow down customer lines.”  According to the payment card industry’s Card Operating Regulations, businesses accepting payment cards that failed to meet the October 1, 2015 deadline agreed to be liable for damages from resulting data breaches.

In its complaint, Bellwether also states that Chipotle’s security practices violated industry best practices by failing to comply with a payment card industry data security standard.  The Payment Card Industry Security Standards Council, a group established by American Express, Discover, JCB International, MasterCard and Visa Inc. in 2006, promulgated a standard of 12 requirements for all organizations involved in storing, processing, or transmitting cardholder data to follow in constructing and sustaining safe and secure networks.

Interestingly, Bellwether’s complaint does not allege the extent of damages claimed to have been incurred by the credit union and other class action members.  The proposed class, as defined in the complaint, is all U.S. financial institutions that issue payment cards or support card-issuing services.

Chipotle’s data breach is the latest in a series of large breaches targeting customer payment card data at restaurants and retailers nationwide.  Bellwether’s complaint highlighted the recent data breaches at Target, Neiman Marcus, Michaels, Kmart, and several other retailers.  According to the complaint, given the foreseeability of a data breach based on industry warnings from Visa and the U.S. Computer Emergency Readiness Team, as well as several well-documented and highly publicized data breaches, Chipotle was on notice of the security risks in its system and thereby negligently failed to use reasonable measures to protect customer and employee data.

Chipotle has stated that it will share more information with affected customers as it becomes available.

May 19, 2017

Join Us for the ISSA Summit in LA on May 18-19

We are pleased to announce that Troutman Sanders partner Ronald Raether will be a featured speaker at the Ninth Annual Information Security Summit hosted by the Los Angeles Chapter of the Information Systems Security Association (ISSA) at the Universal City Hilton.  During a lunch panel discussion on May 19, Ron will address emerging topics in privacy and security.

The Ninth Annual Information Security Summit offers comprehensive, cutting-edge educational sessions presented by a world-class lineup of keynote and featured presenters.

For additional information or to register, click here. Enter this code for a 50% discount on registration: ISSA@Summit9.

May 15, 2017

Chipotle Discloses Data Security Breach Related to Network Supporting Payment Processing for Restaurant

BY KEITH J. BARNETT, ASHLEY L. TAYLOR, JR. AND C. READE JACOB, JR.

In its Form 10-Q dated April 25, 2017 for the quarterly period that ended on March 31, 2017, Chipotle Mexican Grill, Inc. announced that it had detected a data security breach in its electronic processing and transmission of confidential customer and employee information.  Specifically, Chipotle’s information security team detected unauthorized activity on the network that supports payment processing for its restaurants in April 2017.  Chipotle reported that it immediately began an investigation with the help of leading computer security firms, and self-reported the issue to payment card processors and law enforcement agencies.  Chipotle stated that its investigation, which is ongoing, is focused on card transactions at its restaurants that occurred from March 24 through April 18, 2017.

Chipotle stated that 70% of its sales in 2016 were attributable to credit and debit card transactions – meaning that the extent of the breach could be quite large. Chipotle also stated that it plans to provide notification to affected customers once it obtains more details about “the specific timeframes and restaurant locations that may have been affected.”

Chipotle disclosed that as a result of the breach, the company could be “subject to lawsuits or other proceedings in the future relating to this incident or any future incidents in which payment card data may have been compromised.  Proceedings related to theft of credit or debit card information may be brought by payment card providers, banks and credit unions that issue cards, cardholders (either individually or as part of a class action lawsuit), or federal and state regulators.”  Chipotle added that “any such proceedings could distract our management from running our business and cause us to incur significant unplanned losses and expenses.”

In response to the breach, Chipotle noted that it has implemented additional security enhancements and “will continue to work vigilantly to pursue this matter to resolution.”

Chipotle has set up a web page to provide updates on the breach, and it has recommended that consumers monitor their payment card statements and notify the bank that issued the card if they see unauthorized charges.  Chipotle wrote on its web page that payment card network rules state that cardholders are not responsible for unauthorized charges.

May 4, 2017

FTC and NHTSA to Hold Workshop on Connected Vehicles

BY MEGAN C. NICHOLLS, RONALD I. RAETHER, JR. AND MARK C. MAO

The Federal Trade Commission and the National Highway Traffic Safety Administration are teaming up to hold a workshop on June 28, 2017 related to privacy and security issues posed by connected vehicles.  The FTC has requested that comments related to this issue be submitted online or by mail by May 1.

“Connected vehicles” include most modern vehicles that are equipped with some form of wireless technology.  In some cases, this wireless technology may enable a vehicle to communicate with another vehicle, known as vehicle-to-vehicle (“V2V”) communication, or with the roadway infrastructure.  As we reported in our annual edition of Data Privacy: The Current Legal Landscape, the NHTSA is currently considering mandating V2V communications for new light consumer vehicles.

“Autonomous vehicles” are a subset of connected vehicles and include those vehicles in which a critical safety control or function is performed without human intervention.  Automating these controls and functions can reduce or eliminate the traditional human-error component of driving a vehicle, but can also present other problems.  For example, the sheer amount of personal and sensitive data, like geographic location and driver communication data, could be targeted by hackers.  Therefore, securing this data from vulnerabilities will be a key component of emerging connected vehicle technology.  It is these issues and more that the FTC and NHTSA would like to explore more during their workshop.

Specifically, the FTC and NHTSA would like to address – and have requested information on – the following:

  • What data is collected, stored, transmitted and shared by connected vehicles;
  • How data collection can be a benefit;
  • What challenges may be encountered with the technology;
  • Self-regulatory standards that may be employed; and
  • How privacy and security will be addressed by various key sector participants, including vehicle manufacturers, technology companies, and government agencies.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders monitors developments related to connected devices and vehicles, and routinely advises clients on best practices, developing security standards, and addressing new and emerging threats.

April 24, 2017

NY AG Announces Settlement with Health App Developers Over Marketing and Privacy Practices

BY STEPHEN C. PIEPGRASS AND C. READE JACOB, JR.

On March 23, New York Attorney General Eric Schneiderman announced settlements with three health-related applications sold in Apple’s App Store and Google’s Play Store.  The settlements arose from allegations of misleading claims and irresponsible privacy practices.  Under the terms of the settlements, the developers agreed to provide additional information about how the apps were tested, to change their ads to eliminate allegedly misleading content, and to pay $30,000 in combined penalties to the Office of the Attorney General.

According to the A.G.’s press release, two of the app developers, Cardiio and Runtastic, claimed that their apps accurately measured heart rate after exercise using only a smartphone camera and sensors.  A third developer, Matis, claimed that its app transformed a smartphone into a fetal heart monitor that could be used to play an unborn baby’s heart rate, even though the app was not a fetal heart monitor approved by the Food and Drug Administration.  The A.G. alleged that the three developers marketed these apps without sufficient information to back up their marketing claims.

In addition to the settlement payment, the app developers must post clear and prominent disclaimers informing consumers that the apps are not medical devices and are not approved by the FDA.  The developers also were required to make changes to protect consumers’ privacy.  According to the A.G., the developers are now required to obtain affirmative consent from consumers to the developers’ privacy policies, and the developers must disclose that they collect and share information that may be personally identifying.  This includes users’ GPS location, unique device identifier, and “de-identified” data that third parties may be able to use to re-identify specific users.

As we have discussed previously, Schneiderman’s office has been active in privacy enforcement matters in the past year.  For example, the New York A.G. recently reached a settlement with Acer for $115,000 over a data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents.  Last year, the A.G. settled a case against then-presidential nominee Donald Trump’s hotel chain arising from a series of malware-enabled breaches that occurred in 2014 and 2015, which the chain allegedly failed to report for several months.  The A.G. also settled a case against EZcontactsUSA, alleging that the online contact lens retailer misrepresented the security of its website, failed to secure customers’ payment information, and neglected to report a data breach once discovered.

Most recently, on February 9, the A.G. announced settlements with two mobile app developers for their failure to disclose their data collection practices in a privacy policy.  According to the A.G.’s Office, the two developers, AB Mobile Apps LLC and Bizness Apps LLC, lacked a privacy policy or any statement as to how AB Mobile collects, uses, or discloses a user’s personal information.  Interestingly, unlike in many cases that prompt regulatory action, the A.G. did not find that these developers had misused their customers’ personal information or disclosed it to third parties.  Instead, the A.G. indicated that the mere failure to disclose how a company collects, uses, and discloses customers’ personal information in a privacy policy is a deceptive trade practice under New York Executive Law § 63(12) and New York General Business Law § 349.

March 28, 2017

HIPAA Breach Notification Deadline Fast Approaching

This is a friendly reminder to all covered entities that, by March 1, 2017, they must report to the Secretary of Health and Human Services any breaches of unsecured protected health information (PHI) that were discovered in 2016 and involved fewer than 500 individuals.

February 9, 2017

FTC and NJ AG Announce Settlement with Vizio over Collecting Consumer Viewing Habits

BY C. READE JACOB, JR., RONALD I. RAETHER, JR. AND MARK C. MAO

On February 6, the FTC and the New Jersey Office of the Attorney General announced a $2.2 million settlement with Vizio, Inc. over allegations the TV manufacturer installed software on its TVs to collect viewing data on 11 million consumers without their knowledge or consent.

According to the complaint, Vizio manufactured smart TVs that allowed the company to capture second-by-second information about video displayed on the device, including data from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. The complaint indicated that since 2014 Vizio captured up to 100 billion data points each day from more than 10 million Vizio televisions.  Vizio also periodically collected other information such as IP addresses, wired and wireless MAC addresses, WiFi access points, and other data, according to the complaint.

Vizio then provided consumers’ IP addresses to data aggregators, who matched the address with an individual consumer or household.  Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name but allowed identification using a host of other personal details, including consumers’ gender, age, income, marital status, household size, education, and home ownership.  Furthermore, Vizio permitted these companies to track and target its consumers across multiple devices.

Vizio sold consumers’ television viewing history to third parties through licensing agreements, on a television-by-television basis.  The data allegedly allowed other companies to determine customer viewing habits and advertising effectiveness, and to target advertisements to particular consumers on their digital devices based on their television viewing habits.

According to the FTC and the Attorney General, Vizio’s collection and sharing of sensitive data without consumers’ consent constituted an unfair act or practice, in violation of the FTC Act.  Notably, the FTC and the Attorney General classified household or individual television activity as sensitive information and asserted that sharing such viewing habits without consent causes or is likely to cause “substantial injury” under the FTC Act.  The case marks the first (although likely limited) move by the FTC to broaden the definition of sensitive information beyond Social Security numbers, financial information, health data, and geolocation information.

Further, the FTC and AG asserted that Vizio’s failure to adequately disclose to customers how it was tracking and selling information constituted a deceptive practice in violation of the FTC Act.  According to the complaint, Vizio televisions sold after August 2014 provided no onscreen notice to consumers of the collection of viewing data.  Consumers who used Vizio televisions sold before 2014 that were updated to install tracking technology after purchase received an initial pop-up notice on the screen that indicated that “The Vizio Privacy Policy has changed.”

The FTC vote approving the complaint and proposed order was 3-0, with Acting Chairperson Maureen K. Ohlhausen issuing a concurring statement.  Ohlhausen supported the FTC’s allegations that Vizio deceptively omitted information about its data collection and sharing program.  However, she wrote separately to criticize the FTC and the AG’s allegation that individualized television viewing activity falls within the definition of sensitive information or that the practice was unfair.

“There may be good policy reasons to consider such information sensitive,” Ohlhausen wrote, “but, under our statute, we cannot find a practice unfair based primarily on public policy.  Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.”  Ohlhausen concluded, “This case demonstrates the need for the FTC to examine more rigorously what constitutes ‘substantial injury’ in the context of information about consumers.  In the coming weeks I will launch an effort to examine this important issue further.”

Ohlhausen’s promise to examine what constitutes “substantial injury” hints that the use of the unfairness prong of the FTC Act could require a stronger demonstration of harm under her leadership over the coming years.

The FTC’s settlement with Vizio builds on the FTC’s settlement with InMobi in June 2016.  There, the FTC accused InMobi of misrepresenting that its advertising software would only track consumers’ locations when they opted in and only in a manner consistent with their device’s privacy settings.  However, the FTC alleged that InMobi actually tracked consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.  According to the FTC, InMobi used the locations of consumers to serve them geo-targeted advertising.

Going forward, the Vizio and InMobi settlements demonstrate that clear disclosure and consent remain the most powerful defenses for businesses leveraging data collection and analytics.  Even with the new administration, the FTC will likely continue to carefully assess the adequacy of disclosures and will likely continue to be more skeptical of the generalized disclosures that have historically dominated the market.  When possible, businesses should try to be as specific as possible regarding their data practices.

Furthermore, businesses that leverage data collection and analytics need to take into consideration how disclosures and consent work throughout the user ecosystem and not just where the user interfaces with their product.  Ultimately, a well-crafted user interface that tactfully obtains consent throughout the process should help businesses create a better record of individualized experiences and how different sets of data were actually collected and used.

We will continue to monitor the FTC’s approach to consumer privacy and other developments in this rapidly evolving area.

February 8, 2017

NHTSA and DOT Propose Rule Mandating Vehicle-to-Vehicle Communication on Light Vehicles

BY MEGAN C. NICHOLLS, MARK C. MAO AND RONALD I. RAETHER, JR.

The National Highway Traffic Safety Administration and the Department of Transportation have issued a Notice of Proposed Rulemaking for autonomous and connected cars.  The NPRM “proposes to establish a new Federal Motor Vehicle Safety Standard” under 40 CFR 571 to mandate vehicle-to-vehicle (V2V) communications for new light vehicles and to standardize the message and format of V2V transmissions.  The V2V communications focus heavily on the use of “short-range radio communications (DSRC)” devices to transmit “Basic Safety Messages (BSM)” about a vehicle’s speed, heading, brake status, and other vehicle information to surrounding vehicles, and to receive the same information from them.  The NHTSA claims that without such a protocol, the auto industry itself will be unable to move forward together meaningfully.

The NPRM is critical for the cybersecurity industry and all those who intend to enter the connected car market, as it describes a proposal for a new paradigm of data communications that will have important and persistent privacy implications.  First, the proposal is for vehicles to deploy “omnidirectional radio signals that provide 360 degree coverage along with the ability to ‘see’ around corners and ‘see’ through other vehicles,” supplemented by information from other nearby vehicles.  Vehicles would communicate parameters such as speed, heading, trajectory, and other information under the proposed BSM protocol, all of which is relatively weather-proof due to the nature of DSRC.  Second, using DSRC allows the industry to leverage existing technologies, thus allowing for earlier and more widespread deployment than other proposals.  The NHTSA and DOT hope that the use of more readily adaptable technologies such as DSRC will allow for wider and quicker industry support and adoption of their proposal, in turn helping to save lives and ensure public safety.

There are a number of critical proposals of which privacy professionals need to take note:

  • The NHTSA “proposes to exclude from V2V transmitting information that directly identifies a specific vehicle or individual regularly associated with a vehicle, such as owner’s or driver’s name, address, or vehicle identifying numbers, as well as data ‘reasonably linkable’ to an individual,” citing to the Federal Trade Commission.
  • The “NHTSA proposes [that] V2V devices sign and verify their basic safety messages using a Public Key Infrastructure digital signature algorithm … for BSM transmission and the signing of BSMs.”
  • The “NHTSA proposes to mandate requirements that would establish procedures for communicating with a Security Credential Management System to report misbehavior; and learn of misbehavior by other participants.”
  • The “NHTSA proposes that V2V equipment be ‘hardened’ against intrusion (FIPS-140 Level 3) by entities attempting to steal its security credentials.”
  • “V2V systems would be required to be designed from the outset to minimize risks to consumer privacy.”  The publication also imposes a number of other requirements on manufacturers.

In addition to the peer-to-peer BSM communications, the NHTSA is requesting comments on two innovative proposals for V2V device credentialing, both of which would complement the use of PKI.  The first approach is the Federated Security Credential Management model, which envisions a system “established, funded, and governed primarily by one or more private entities – possibly a consortium of automobiles and V2V device manufacturers.”  It would include the following functions in the issuance, management, and revocation of short-term certificates for vehicle transmissions: (1) SCMS managers; (2) registration authorities (RAs); (3) root certificate authorities (Root CAs); (4) intermediate certificate authorities (Intermediate CAs); (5) pseudonym certificate authorities (PCAs); (6) linkage authorities (LAs); (7) misbehavior authorities (MAs); (8) location obscurer proxies (LOPs); and (9) request coordination.  Each of these functions is envisioned to be part of a system wherein certificate management entities (CMEs) would manage short-term certificates for participating vehicles, with both centralized CMEs and federated CMEs.

Diagram 1

As the NHTSA’s figure above shows, few CMEs should handle central functions, whereas many CMEs can compete and handle non-central functions.  The CMEs with central functions would likely need to work with the NHTSA and be subject to future rulemaking.  Notably, by dividing identifying information among different CMEs – centralized and federated – the hope is that safety is achieved with little compromise of security and personally identifiable information.  The NHTSA compares its proposed paradigm to that of the multi-stakeholder Internet Corporation for Assigned Names and Numbers (“ICANN”).[1]

As an alternative to SCMS, which has single security certification roots, the NHTSA is also considering a Vehicle Based Security System (“VBSS”).  The major difference is in the “generation of short-term certificates.”  The NPRM states, “The SCMS approach relies on individual vehicles to periodically request pseudonym certificates from infrastructure-based entities (most notably a Pseudonym Certificate Authority, or PCA) which in turn generates and signs short-term certificates.  Vehicles then download batches of certificates which are used to digitally sign BSM messages.  In contrast, the VBSS concept calls for delegating this authority to individual vehicles, and as a result the communications with the infrastructure are reduced.”

Diagram 2

A number of functions required under SCMS are thereby eliminated, and the whole process is simplified.  Instead, “VBSS establishes a Group Manager/Group Managers (GM) to provide credentials that make it possible for each vehicle to act as a [subordinate] certificate authority – an entity that can generate short-term certificates.  …  All member signing keys for a particular group are associated with a single group certificate.”  The NHTSA indicated that VBSS currently lags behind SCMS because “while Group-based signature schemes are an active area of research they are evolving and much less mature than other cryptography systems.”
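To make the SCMS flow quoted above concrete, the following is an added illustration written for this post; it is not code from the NPRM, from the NHTSA, or from any SCMS implementation. A toy Pseudonym Certificate Authority (PCA) signs a batch of short-term pseudonym certificates for a vehicle, the vehicle signs each Basic Safety Message (BSM) with the certificate valid at that moment, and a receiving vehicle checks the certificate against the PCA trust anchor, checks the validity window, and only then verifies the BSM signature. Ed25519 from the Go standard library is assumed as a stand-in for whatever signature algorithm the NPRM specifies, the certificate and message layouts are constructed here and are not the real V2V formats, and the five-second freshness bound is an assumption of this example, not a figure from the NPRM. The VBSS group-signature alternative is not modelled.

```go
package main

// Toy model of the SCMS pseudonym-certificate flow summarized above. Not the
// real SCMS or IEEE 1609.2 formats; Ed25519 and the byte layouts are chosen
// here purely for illustration.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// PseudonymCert binds a short-lived public key to a validity window. It
// deliberately carries no VIN, owner name or other direct vehicle identifier.
type PseudonymCert struct {
	PubKey    ed25519.PublicKey
	NotBefore int64  // Unix seconds
	NotAfter  int64  // Unix seconds
	Sig       []byte // PCA signature over tbs()
}

// tbs is the "to be signed" encoding: pubkey || notBefore || notAfter.
func (c PseudonymCert) tbs() []byte {
	buf := make([]byte, ed25519.PublicKeySize+16)
	copy(buf, c.PubKey)
	binary.BigEndian.PutUint64(buf[32:40], uint64(c.NotBefore))
	binary.BigEndian.PutUint64(buf[40:48], uint64(c.NotAfter))
	return buf
}

// PCA is the Pseudonym Certificate Authority; Pub is the trust anchor every
// vehicle is provisioned with.
type PCA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPCA() (*PCA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PCA{priv: priv, Pub: pub}, nil
}

// VehicleCred is one pseudonym certificate plus the private key only the
// vehicle holds; the PCA never sees the private half.
type VehicleCred struct {
	Cert PseudonymCert
	priv ed25519.PrivateKey
}

// IssueBatch models a vehicle downloading n consecutive short-term
// certificates, each valid for lifetime, starting at start.
func (p *PCA) IssueBatch(start time.Time, lifetime time.Duration, n int) ([]VehicleCred, error) {
	creds := make([]VehicleCred, 0, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		nb := start.Add(time.Duration(i) * lifetime)
		cert := PseudonymCert{PubKey: pub, NotBefore: nb.Unix(), NotAfter: nb.Add(lifetime).Unix()}
		cert.Sig = ed25519.Sign(p.priv, cert.tbs())
		creds = append(creds, VehicleCred{Cert: cert, priv: priv})
	}
	return creds, nil
}

// BSM carries the vehicle-state fields the NPRM summary mentions.
type BSM struct {
	SpeedKmh   uint16
	HeadingDeg uint16
	Brake      bool
	Timestamp  int64 // Unix seconds at generation
}

func (b BSM) encode() []byte {
	buf := make([]byte, 13)
	binary.BigEndian.PutUint16(buf[0:2], b.SpeedKmh)
	binary.BigEndian.PutUint16(buf[2:4], b.HeadingDeg)
	if b.Brake {
		buf[4] = 1
	}
	binary.BigEndian.PutUint64(buf[5:13], uint64(b.Timestamp))
	return buf
}

// SignedBSM is what goes over the air: message, pseudonym certificate, signature.
type SignedBSM struct {
	Msg  BSM
	Cert PseudonymCert
	Sig  []byte
}

func SignBSM(cred VehicleCred, msg BSM) SignedBSM {
	return SignedBSM{Msg: msg, Cert: cred.Cert, Sig: ed25519.Sign(cred.priv, msg.encode())}
}

// maxSkew is an assumed freshness bound (not from the NPRM) so that a
// recorded BSM cannot simply be replayed later.
const maxSkew = 5 * time.Second

// VerifyBSM is the receiving vehicle's acceptance check; any failure rejects.
func VerifyBSM(pcaPub ed25519.PublicKey, now time.Time, s SignedBSM) error {
	if !ed25519.Verify(pcaPub, s.Cert.tbs(), s.Cert.Sig) {
		return errors.New("pseudonym certificate was not issued by the trusted PCA")
	}
	t := now.Unix()
	if t < s.Cert.NotBefore || t > s.Cert.NotAfter {
		return errors.New("pseudonym certificate is outside its validity window")
	}
	if !ed25519.Verify(s.Cert.PubKey, s.Msg.encode(), s.Sig) {
		return errors.New("BSM signature does not verify under the certificate key")
	}
	if d := time.Duration(t-s.Msg.Timestamp) * time.Second; d > maxSkew || d < -maxSkew {
		return errors.New("BSM timestamp is stale")
	}
	return nil
}

func main() {
	pca, _ := NewPCA()
	start := time.Unix(1500000000, 0) // constructed fixed clock
	creds, _ := pca.IssueBatch(start, 5*time.Minute, 3)
	now := start.Add(10 * time.Second)
	signed := SignBSM(creds[0], BSM{SpeedKmh: 50, HeadingDeg: 90, Brake: true, Timestamp: now.Unix()})
	fmt.Println("valid BSM:", VerifyBSM(pca.Pub, now, signed))
	signed.Msg.SpeedKmh = 200 // altered in transit
	fmt.Println("tampered BSM:", VerifyBSM(pca.Pub, now, signed))
}
```

The order of the checks matters for the privacy point the NPRM makes: the receiver learns nothing about the sender beyond a short-lived public key, and because the vehicle rotates through the batch as each window expires, a listener cannot link messages across windows from the certificate alone.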

[1] 49 CFR 571, p. 232-237.

January 31, 2017

FTC’s Latest Message to IoT Industry Comes as Complaint Against D-Link Alleging UDAP Violation Related to Security Vulnerabilities

BY MARK C. MAO, RONALD I. RAETHER, JR. AND MEGAN C. NICHOLLS

On January 5, the Federal Trade Commission filed a complaint against D-Link Corporation, a Taiwanese corporation, and D-Link Systems, Inc., a California corporation and a subsidiary of D-Link Corporation.  D-Link sells Internet of Things (“IoT”) devices and software to support such devices.  Specifically, D-Link sells routers which transfer data packets along a network and which typically provide a first line of defense against intrusion to other consumer IoT devices such as computers, smartphones, and Internet-connected appliances.  D-Link also sells Internet protocol cameras that allow consumers to remotely monitor their property.  The FTC complaint serves as yet another warning to IoT device companies that the Commission is watching and taking note of their security practices.

The six-count complaint alleges D-Link violated the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices, by failing to adequately secure software for D-Link routers and IP cameras, and by misrepresenting, through its security event response policy, router and IP camera promotional material, and router graphical user interface, that the software was secure.  Section 5 of the FTC Act defines unfair acts or practices as those which cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and which is not outweighed by countervailing benefits to consumers or competition.  The Act defines deceptive acts or practices as those where a material representation, omission, or practice misleads, or is likely to mislead, a consumer whose interpretation of the representation, omission, or practice is reasonable.

The crux of the FTC’s complaint relates to D-Link’s misrepresentations regarding the security of its routers, Internet-protocol cameras, and related software and services, which the FTC alleges deceived consumers.  Specifically, D-Link published a Security Event Response Policy on its website which claimed to prohibit “intentional product features or behaviors which allow unauthorized access to the device or network” from being included in D-Link products.  It also made inaccurate promotional claims regarding its products in user manuals and marketing materials, including claims of the “latest wireless security features to help prevent unauthorized access,” of the ability to “quickly establish a secure connection,” that a product “protects your network with 128-bit AES data security encryption – the same technology used in E-commerce or online banking,” and of “Push Button Security” at consumers’ fingertips.  The FTC alleges that these statements are deceptive acts or practices since they are not true reflections of the actual security features in D-Link’s products and services.

According to the FTC, D-Link failed to take reasonable measures to protect the security of consumers’ personal information against certain well-known vulnerabilities.  The FTC cited the Open Web Application Security Project as identifying these vulnerabilities as early as 2007.  Specifically, it alleges that D-Link did not take reasonable steps to:  (1) test its software or remediate security flaws in its routers and IP cameras (user credentials were hard-coded into the software); (2) maintain the confidentiality of D-Link’s digital signature (D-Link’s digital signature was posted on its website for six months); and (3) secure user credentials (credentials were available in readable text on a user’s mobile phone).  These security failures, according to the FTC, put thousands of consumers’ personal information and networks at risk for unauthorized access – an unfair act or practice.

This complaint comes less than a year after the FTC settled with another IoT company, ASUSTek Computer, Inc., in February 2016.  Read our blog post here.  The FTC similarly alleged that ASUS had engaged in unfair and deceptive acts or practices by marketing their routers and cloud services as “secure” while knowing about and failing to fix serious vulnerabilities.

The FTC’s complaints against D-Link and ASUS serve as reminders that inconsistencies between manufacturers’ practices and promises made to consumers in agreements or marketing collateral present the easiest target for the FTC in a deception claim.  All companies that make promotional statements, including in user manuals and marketing materials, that their services are secure from vulnerabilities need to carefully consider the language used.  Just as importantly, it is critical for attorneys and compliance personnel reviewing these materials to understand the technology and persistent information security risks.  Companies should take steps to ensure that security and privacy statements made in marketing materials and privacy policies accurately reflect their actual business practices and recognize any risks consumers may face by engaging in a relationship with that company.

The FTC’s complaints should also serve as a reminder that security practices extend well beyond a company’s policies and procedures – companies must take reasonable steps to prevent security vulnerabilities during the design phase of their connected products (by employing “security by design”) and follow through with fixing emerging security vulnerabilities after consumers have purchased connected products.  The FTC suggested in the ASUS complaint that the vulnerabilities in ASUS products and software could have been prevented during the design phase with input validation, anti-cross-site request forgery tokens (preventing malicious takeover of the router’s security settings), session time-outs, and prohibiting weak default login credentials.  Later, once ASUS had received reports regarding potential security flaws, ASUS should have analyzed the information and taken steps to help consumers address the flaws.

Notably, with the issuance of these two complaints in combination with other guidance the FTC has provided on the security of IoT devices, it is clear that certain information security standards are emerging.  The FTC released a Staff Report in February 2015 on the Internet of Things:  Privacy & Security in a Connected World, which sets forth the staff’s views on data security, data minimization, and the importance of giving consumers notice and choice.  Aside from the fundamentals in product design and fixing vulnerabilities as discussed above, the FTC suggests that IoT companies should make security part of the corporate culture and allocate resources according to a risk-based approach.

The D-Link complaint also comes just one day after the FTC announced its challenge to American consumers to develop a tool to combat security flaws in IoT devices caused by out-of-date software.  Contestants must submit proposals by May 22, 2017, and the grand prize winner may win $25,000.

D-Link has stated that it will “vigorously defend itself against the unwarranted and baseless charges” asserted by the FTC, noting that the complaint does not allege an actual breach.  D-Link contends that it “maintains a robust range of procedures to address potential security issues.”  Because the FTC stops short of alleging actual substantial injuries, D-Link argues that the FTC is only speculating that consumers were put at risk by its products.  In fact, the non-profit Cause of Action Institute has filed a motion to dismiss on D-Link’s behalf, challenging the FTC’s risk-based approach and arguing that Section 5 of the FTC Act requires a harm-based analysis.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders is well-positioned to help companies develop procedures for effectively handling security issues.  Because of our team’s technical background, we are uniquely positioned to understand companies’ IoT technology concerns and to address any risks from a legal perspective.  We routinely advise businesses on security and privacy best practices with respect to connected devices, which help to avoid acts or practices that may be considered unfair or deceptive.

January 31, 2017