FTC Enters "Internet of Things" Arena With TRENDnet Proposed Settlement

With predictions that by 2020 more than 30 billion devices will be wirelessly connected to the “Internet of Things” the issues for data security and privacy in an "all-connected, all-the-time" world are massive.  And as the FTC continues to forge ahead in efforts to address mobile and other burgeoning security matters it recently entered the realm of the Internet of Things with a proposed settlement with TRENDnet, Inc., a retailer of networking and networked equipment, including its “SecurView” IP-connected cameras which spurred the FTC’s 7-page complaint (In the Matter of TRENDNET, INC., FTC File No. 1223090). According to the FTC’s complaint, TRENDnet’s practices “taken together” failed to provide reasonable security “to prevent unauthorized access to sensitive information, namely the live feeds from the IP cameras” because its software and services: (i) transmitted camera login credentials in clear text over the Internet; (ii) stored user login credentials in clear text on user’s mobile devices; (iii) “failed to employ reasonable and appropriate security in the design and testing of the software that it provided consumers for its IP cameras”; and (iv) failed to implement processes to “actively monitor security vulnerability reports from third-party researchers, academics, or other members of the public, despite the existence of free tools to conduct such monitoring, thereby delaying the opportunity to correct discovered vulnerabilities.”

Read those allegations again, and take a moment to consider that the FTC is reaching into design, testing and development vulnerability monitoring processes. Then ask yourself if your specific data and development projects, vendors and contracts adequately meet and address such parameters and requirements.

Due to TRENDnet's listed failings, the FTC states live feeds from twenty models of its IP cameras were available to anyone, regardless of the security and login choices users selected, and that “[h]ackers could and did exploit the vulnerability… to compromise hundreds of respondents’ IP cameras” with eventually live feeds of nearly 700 cameras posted by hackers.

The subsequent FTC’s proposed “Agreement Containing Consent Order” hews to standard formulations for such Consent Orders we’ve come to expect in data security enforcement actions, including that TRENDnet:

  • Cease misrepresenting “in any manner, expressly or by implication” various security parameters and control of its “Covered Devices.”
  • Establish a “comprehensive security program” that “must be fully documented in writing, shall contain administrative technical, and physical safeguards appropriate to respondent’s size and complexity, [and] the nature and scope of respondent’s activities.”
  • Conduct an initial, and thereafter biennial, assessments and reports – for, yes, twenty years – performed by a third-party CSSLP or CISSP or “a similarly qualified person or organization; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission….”
  • Maintain for five years from each assessment all materials relied upon in preparing the assessment and “all advertisements, promotional materials, installation and user guides, and packaging containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation; and 2. Any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.”

The range, scope, cost and compliance burdens of such consent orders is a large part of why we continuously recommend tackling data security and all consumer-facing software development efforts with a holistic approach that incorporates a “privacy by design” strategy to address the entire life cycle of data collection, use, access, storage and ultimately secure data deletion.

As to TRENDnet, its saga is far from over.  The Consent Order will be open to a 30-day public comment period, beginning October 4, 2013, after which the FTC will “decide whether to make the proposed consent order final.” To review, examine or discuss your data security policies, procedures and programs, as well as any consumer facing or internal development efforts that will or may access PII, PHI or “sensitive” data, feel free to contact me or any of the attorneys at the InfoLawGroup.