Tag Archives: FTC

FTC Settles With Asus Over Security Claims

Asus is an international manufacturer of all kinds of computer and networking equipment.

The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers’ information, but rather for representing that its routers had numerous security features that could protect users from unauthorized access and hackers when the routers were in fact buggy and insecure.

In fact, under Section 5 of the FTC Act, as the Wyndham Hotel chain discovered, the FTC could probably have brought an action in either case, but it is much clearer that claiming a product is secure when it is not is deceptive.

According to the FTC,

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.

Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they better maintain reasonable security or the FTC will explain to them that they should.

In the agreement, Asus agreed to create a security program, to have that program monitored by the FTC for the next TWENTY years, to notify consumers of security flaws and workarounds for those flaws until they are patched, and to let the FTC audit it every two years during that period.

For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the crosshairs of the FTC.  The FTC is not expecting IoT devices to be bug free, but it is expecting manufacturers to be responsible.

Manufacturers should consider themselves warned.


The FTC press release on the Asus settlement can be found here.

Wyndham Hotels Settles Breach Investigation With FTC

The Wyndham Worldwide hotel chain, which has been fighting with the FTC for years after the hotel chain suffered three security breaches in two years exposing credit card data, settled with the FTC this week.

The hotel went as far as to attempt to get the courts to say that the FTC did not have the authority to regulate corporate cyber hygiene.  The court of appeals, in a decision this past summer, disagreed with Wyndham, and said that was within the FTC’s purview.

The FTC had filed suit against Wyndham in the Third Circuit, so to say that this issue was a bit adversarial would be polite.

Apparently Wyndham realized that they were not going to win this battle and settled with the FTC.  They declared victory by saying that they did not have to admit they were guilty or pay a fine.  Note that the FTC usually does not require either of these as a condition to settling.

What Wyndham did agree to is:

  • The FTC will monitor their behavior, cyber security wise, for the next TWENTY years.
  • The company will obtain annual security audits of its information security program that conform with the PCI standards – something that they should have been doing anyway.
  • The audit will certify that Wyndham is treating franchisee networks as untrusted (the fact that they were trusting the franchisee networks apparently facilitated the previous breaches).
  • The audit will also report on whether the hotel chain is compliant with a formal risk assessment process.
  • If the hotel has another breach of more than 10,000 cards, they will obtain an assessment of the breach and hand that assessment over to the FTC.
  • The order says that if Wyndham gets the necessary compliance certifications that they will be in compliance with this agreement.

The order needs to be approved by the judge overseeing this case, which we assume will not be a problem.

It seems to me that this is only a Pyrrhic victory for Wyndham.  While they may declare victory in the press, the FTC got exactly what they wanted and in fact, what they have usually obtained in a much less adversarial manner.  In the meantime, the FTC will be watching over Wyndham’s information security program for the next 20 years and Wyndham probably spent tens of millions on legal costs, which they get to eat.

I do suspect that this may be the last time a company who has been breached attempts to fight the FTC in this manner.

While the FTC recently suffered a setback in its case against LabMD, that case was different because there was no showing of harm.  In the Wyndham case, 600,000+ credit cards were compromised at a cost of over $10 million.


Information for this post came from the FTC.

Verizon Has A New Friend – The U.S. Senate

Well, maybe not a friend that you want to have, but they will likely get to visit the nation’s Capitol.

Verizon has gotten way more press than it would like by inserting super-cookies into its customers’ web traffic, allowing folks like the marketing giant Turn to build dossiers on Verizon customers and then sell that information to advertisers, in a thousandth of a second, to the highest bidder.

Senators Bill Nelson of Florida, Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have asked the FTC to investigate whether Verizon’s use of super cookies violates FTC privacy rules.  These senators wrote Verizon a short note last week asking them a few questions, which Verizon said it would respond to.

The Senators want to know if legislation is required (I assume to regulate or outlaw this activity).

Advertisers are probably really, really mad at Verizon right now.

If Verizon had just done what AT&T did last year when they got caught doing this, the ad industry would not be getting all this unwanted attention.

When AT&T got caught doing this last year, they said it was just an experiment (yeah, right!), my bad, and we will stop doing this now.

Verizon, on the other hand, said that no one would ever use its super cookies to track what users were doing, even though Turn, which was doing that exact thing, was a vendor to Verizon (must have been a different department).

Turn said that just because people were deleting their cookies didn’t mean that they did not want to be tracked.

If Verizon had just been a little smarter and taken the AT&T route and said sorry, this would all have gone away.

And six months later they could have re-contextualized the program and started it back up.

From my point of view, I am glad they were not being very smart.

Mitch