In the first state Attorney General action against a wireless security company for failing to implement adequate security in its Internet of Things (IoT) devices, the New York Attorney General recently settled with wireless lock company Safetech. According to the settlement, there were alleged security shortcomings despite the fact that the company promised “Privacy When You Want It, Security When You Need It” and represented that its locks protected belongings by securing areas. The Attorney General alleged that the security deficiencies and representations that Safetech made ran contrary to New York state laws that prohibit deceptive acts or practices and false advertising, and that give the Attorney General power to enjoin repeated fraudulent or illegal acts.
The settlement mirrors similar enforcement actions taken by the Federal Trade Commission in the IoT space, such as the D-Link case, ASUS case, and TRENDnet case. These increasingly frequent regulator enforcement actions indicate that IoT device manufacturers should carefully think about security when designing devices.
The Safetech enforcement action started after independent researchers reported in August 2016 that Safetech did not encrypt its users’ passwords when they were transmitted from a smartphone to the locks. Moreover, the researchers revealed that Safetech did not force users to reset default passwords, which could be discovered easily by brute-force attacks. The Attorney General subsequently investigated the company and its practices, ultimately alleging that the security deficiencies discovered by the independent researchers could leave consumers susceptible to hacking and physical theft. According to the settlement, Safetech must now implement a comprehensive security program. The outline of that program sheds light on what the New York Attorney General may consider “reasonable security” for IoT devices.
The settlement agreement requires Safetech to encrypt all passwords and other security credentials and to prompt users to change the default password during the initial setup process. Safetech also agreed to establish a written comprehensive security program reasonably designed to accomplish the following objectives: (1) address security risks of devices that use security information, and (2) protect the privacy, security, confidentiality, and integrity of security information. The program must include:
- Accountable employee designation;
- Identification of material risks that could lead to unauthorized access to the locks and affect privacy, security, confidentiality, and integrity of security information;
- Performance of risk assessments on operations including employee training, product design, secure software design, response to third-party security vulnerability reports, as well as prevention, detection and response to attacks and other security failures;
- Implementation of reasonable safeguards against risks identified during the risk assessment;
- Regular testing of the effectiveness of the safeguards;
- Reasonable vendor management, including contracts that address security; and
- Adjustment of the security program in light of testing.
The bottom line is that the FTC is not the only cop on the beat. Attorneys General are becoming increasingly active in the IoT space. Companies should carefully consider the security they implement and take into account recommendations issued by regulators.