The first few months of 2016 confirm the FTC’s promise to closely scrutinize companies’ data privacy and security practices. On February 23, 2016, the FTC announced that it had entered into a settlement with ASUSTeK Computer, Inc. (“ASUS”) over allegations that the computer hardware manufacturer did not use “reasonable security” to protect consumers’ personal information. The settlement is a reminder to any business that handles or stores personal information that the FTC has made it a priority to bring enforcement actions over the representations a company makes about the security of its products and services.
The case stems from an alleged hack in February 2014 in which attackers gained access to the connected storage devices of more than 12,900 consumers and exposed the personal information stored on them. While ASUS marketed its routers as able to “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers,” the complaint alleges that the router software in fact contained several design flaws that left it inadequately secured. The complaint further alleges that, after learning of the vulnerabilities, ASUS did not notify consumers of the steps they could take to mitigate the risk of a breach.
Terms of the Settlement
As is typical of FTC data security enforcement actions, the settlement requires ASUS to implement a “comprehensive security program” that 1) addresses security risks related to the development and management of new and existing devices, and 2) protects the privacy, security, confidentiality, and integrity of information transmitted through the routers. (Similar requirements were imposed in the Wyndham settlement.)
The settlement imposes a variety of other measures, including independent audits of the security program for the next 20 years. ASUS is also required to notify customers whenever it makes available a software update intended to mitigate a security vulnerability. Notification must be provided 1) through the ASUS website and any router software user interface, 2) by email, text message, push notification or similar methods, and 3) as part of any customer inquiry about a purchased router.
Implications for Businesses
The ASUS case is at least the fourth privacy-related FTC settlement entered this year. Together with the recently announced EU-US Privacy Shield, it makes clear that the FTC continues to keep privacy and data security cases at the top of its enforcement agenda. The FTC will hold companies accountable for deficiencies in their data privacy and security practices, and it expects consumers to be notified of security updates. To reduce the risk of an FTC enforcement action and the costly compliance obligations that follow, businesses, with the help of outside counsel, should craft policies that set out their security protocols, including well-documented procedures for responding to security vulnerabilities. Outside counsel can also assist with implementing, auditing, and updating these policies to ensure that they reflect the “business realities.”