The Federal Trade Commission (FTC) is stepping up efforts to address mobile device security. Several months ago, the FTC entered into a settlement with HTC regarding mobile device security, and in April, the American Civil Liberties Union (ACLU) filed a complaint with the FTC against four wireless carriers for alleged inadequacies in security updates to mobile operating systems and Internet browsers.
The HTC Settlement
In a February 2013 settlement with HTC, the FTC required the mobile device manufacturer to develop and release software patches to address alleged vulnerabilities. See www.ftc.gov/opa/2013/02/htc.shtm. HTC also agreed to establish a “comprehensive security program” to address risks and, at its own expense, to undergo an independent security “assessment” every other year for 20 years. Additional settlement conditions included:
- Designating employees accountable for the information security program.
- Responding to “material risks” concerning information sent or received by an HTC device. HTC apparently will be responsible for the security of third-party mobile apps when a risk arises due to HTC’s “integration, modification or customization” of that app on an HTC device.
- Adopting appropriate safeguards with respect to employee training, product research and development and software design.
- Conducting regular internal testing and monitoring of security safeguards.
FTC Input Request
In April, the FTC announced that it is seeking “input on privacy and security implications of the Internet of Things,” which appears to cover a wide swath of tools and technology. See www.ftc.gov/opa/2013/04/internetthings.shtm. Specifically, the FTC seeks information about the “consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances and medical devices.” The FTC asks parties to discuss the technologies that enable these connected devices, the potential privacy and security risks and the potential societal benefits. Comments received could shape the agency’s oversight of various industries, or guide its approach to enforcement or consumer education activities. Comments are due by June 1, 2013. The FTC also intends to conduct a workshop on the subject of mobile device security that will be held in Washington, DC on November 21.
Implications for Business
The FTC continues to play a leading role in information security policy. Often using no more than its historical authority to enforce against “unfair” or “deceptive” trade practices, the FTC continues to build an informal body of security “regulations.” Such “regulations” appear in settlement agreements like that entered into by HTC. All commercial actors subject to the FTC’s jurisdiction—and especially those doing business in the mobile Internet space—should be familiar with the FTC’s security-related settlements and adopt compliance policies and procedures accordingly.