In a report issued last week, the Federal Trade Commission (“FTC” or the “Commission”) highlighted the need for mobile device manufacturers to improve the security update process for their devices.

  1. The FTC’s Concern

    Despite a long-standing consensus regarding the importance of building security into products’ design and maintaining that security through patch updates, the Commission found that many mobile devices’ operating systems (i.e., the software that powers the devices’ basic functions) are not receiving the security patches needed to protect them from critical vulnerabilities. Based on its review of eight device manufacturers’ practices, the FTC attributed the device vulnerabilities to (i) the lack of any update at all; (ii) the lengthiness of the process for approving and deploying a patch; and (iii) users’ failure to install available updates.

    The result is that many mobile devices are vulnerable to malware (malicious software) attacks such as phishing and ransomware. In turn, such malware may result in identity theft scams, fraudulent charges or device compromises harming consumers.

  2. Recommendations

The FTC recommended a number of initiatives to improve the security update process:

  • Streamline Security Updates.According to the FTC, companies should consider the benefits of immediate security-only updates to patch vulnerabilities, rather than focusing on the convenience that a deferred, bundled update addressing both security and functionality can offer.Similarly, in testing updates, industry should ensure processes are compatible with the commitment to timely security updates.
  • Start with Security. The report reaffirms the Commission’s recommendation that business “start with security” by ensuring that all mobile devices receive operating system security updates for a period of time that is consistent with consumers’ reasonable expectations.
  • Inform Consumers about Support.The FTC urged device manufactures to better inform consumers about security update support.In particular, manufacturers should consider adopting and sharing minimum guaranteed security support periods (and update frequency) for their devices.Additionally, when security support is about to or has ended, companies should ideally give device owners prompt notice, so that consumers can make informed decisions about replacing their device or continuing post-support use.
  • Collaborate to Educate Consumers. Government, industry and advocacy groups should, according to the FTC, work together to educate consumers about their role in the operating system update process and the significance of security update support.
  • Recordkeeping.Finally, the Commission called on companies involved in the security update process to maintain and consult records about support length, update frequency, customized patch development time, testing time and uptake rate.To further best practices across the industry, the FTC asked organizations to consider sharing their findings with partners.