* The following article was originally published in Behind the Scenes.
What Made News?
The Federal Trade Commission (FTC) recently charged two companies — Fandango, LLC, and Credit Karma, Inc. — with violating the FTC Act by misrepresenting the security of their mobile apps and failing to securely transmit sensitive personal information over the Internet. In order to settle the charges, the companies have agreed to establish comprehensive security programs designed to address security risks during the development of their apps and to undergo independent security assessments every other year for the next 20 years.
What Do These Companies Do?
Both Fandango and Credit Karma operate mobile apps — Fandango has an app for the iOS operating system that allows consumers to purchase movie tickets and view information such as show times, trailers, and reviews; Credit Karma has an app for iOS and Android that allows consumers to monitor and evaluate their financial status.
What was the Problem?
According to the FTC, both companies misrepresented the security of their mobile apps and failed to secure the transmission of sensitive personal information for millions of their consumers. Specifically, the FTC alleged that the companies failed to take “reasonable steps” to secure their mobile apps, including by disabling a default process known as SSL certificate validation, which verifies that the app is communicating with the genuine server rather than an impostor, and therefore that its communications are actually secure. SSL certificate validation is available to all app developers through the iOS and Android mobile operating systems and is considered the industry standard for security. Rather than relying on the default validation, Fandango and Credit Karma overrode the default validation process. In so doing, the FTC alleges that the companies exposed consumers’ credit card details, email addresses, and passwords to theft and abuse.
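To make the failure described above concrete for developers and reviewers, here is an added illustration (not code from the article or from either company) of what “overriding the default validation process” typically looks like in an Android app, beside the form that keeps the platform’s validation intact. The class name, method names and the placeholder host are assumptions for the example; the point is that the secure form requires no custom trust code at all.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class): the anti-pattern beside the correct default.
public class TlsValidationExample {

    // ANTI-PATTERN: a TrustManager whose check methods never throw accepts every
    // certificate chain. Installing it turns off the platform's chain validation,
    // so a certificate presented by any interposed host is trusted and the
    // connection no longer protects the data it carries.
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Vulnerable form: replaces the default validation with the permissive manager
    // and also disables hostname checking. Reviewers should flag both calls.
    static HttpsURLConnection openWithoutValidation(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // Hardened form: leave the defaults alone. HttpsURLConnection already validates
    // the server's certificate chain against the device trust store and verifies
    // that the certificate matches the requested hostname.
    static HttpsURLConnection openWithDefaultValidation(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://example.com/"); // placeholder host for the demo
        try (InputStream in = openWithDefaultValidation(url).getInputStream()) {
            System.out.println("Handshake completed with default certificate validation");
        }
    }
}
```

In a code review or a static scan, a custom `X509TrustManager` with empty `checkServerTrusted` bodies, or a `HostnameVerifier` that always returns `true`, is the signature of this exact weakness; the fix is to delete the override rather than to tune it. Where a development build must talk to a test server with a non-public certificate, the right approach is to add that server’s certificate to the trust store for that build only, never to disable validation in shipped code.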
Why is This Significant?
The FTC has shown a clear interest in cracking down on companies that fail to properly secure consumer data or that misrepresent their security practices. In particular, the FTC has shown a renewed willingness to use its “unfairness” authority under Section 5 of the FTC Act against companies that fail to take reasonable precautions to secure consumer data, saying essentially that it is an unfair practice to leave consumer data vulnerable to theft, even if such a theft never takes place. As mobile devices proliferate and companies collect a growing amount of data on consumers, it’s clear that the FTC will be paying close attention.
Are There Best Practices to Consider?
This settlement is a reminder that data security must be an ever-present consideration when interacting with consumer data. For companies that are building or launching mobile apps, working with networked devices such as consumer electronics that connect to the Internet, or just generally expanding their web presence, it is critical to build commercially reasonable security measures into products from the beginning of the development process.