On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices, which include smartphones and tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.
Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:
- provide your engineering (programming) staff with security training
- review or test your software on mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties
Smartphones and tablets are powerful, popular, and continue to find their way into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security expectations. Apps and mobile devices that tap into consumer data — including contact information, photos, and location, to name a few — are at heightened risk from digital snoops, data breaches, and real-world thieves.
Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or in help developing a “Privacy By Design” approach to mobile app security.
October 19, 2012
On September 25, 2012, the Federal Trade Commission announced a settlement with seven rent-to-own companies that secretly installed software on rented computers, clandestinely collected information, took pictures of consumers in their homes (WTF?!) and tracked these consumers’ locations.
If you haven’t vomited on your computer from the sickening outrage, you can read the FTC press release here.
Software design firm DesignerWare, LLC licensed software to rent-to-own stores ostensibly to help them track and recover rented computers. The software collected the data that enabled rent-to-own stores, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase, to track the location of rented computers without consumers’ knowledge.
According to the FTC, the software enabled a rented computer to be disabled remotely if it was stolen or if the renter failed to make payments. It included an add-on purportedly to help stores locate rented computers and collect late payments. Alarmingly, the software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.
When activated, the nefarious feature logged keystrokes, captured screenshots and took photographs using the computer’s webcam, according to the FTC. It also presented a fake software registration screen that tricked consumers into providing their personal contact information.
“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC. “The FTC orders today will put an end to their cyber spying.”
“There is no justification for spying on customers. These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Lisa Madigan.
September 7, 2012
Sept. 5, 2012:
From the FTC web site:
The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, “Marketing Your Mobile App: Get It Right from the Start,” notes that there are general guidelines that all app developers should consider. They include:
- Tell the Truth About What Your App Can Do. “Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth,” the publication advises.
- Disclose Key Information Clearly and Conspicuously. “If you need to disclose information to make what you say accurate, your disclosures have to be clear and conspicuous.”
- Build Privacy Considerations in From the Start. Incorporate privacy protections into your practices, limit the information you collect, securely store what you hold on to, and safely dispose of what you no longer need. “For any collection or sharing of information that’s not apparent, get users’ express agreement. That way your customers aren’t unwittingly disclosing information they didn’t mean to share.”
- Offer Choices that are Easy to Find and Easy to Use. “Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.”
- Honor Your Privacy Promises. “Chances are you make assurances to users about the security standards you apply or what you do with their personal information. App developers – like all other marketers – have to live up to those promises.”
- Protect Kids’ Privacy. “If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act.”
- Collect Sensitive Information Only with Consent. Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.
- Keep User Data Secure. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.
February 1, 2012
For the past year and a half, I have been traveling to various conferences around the country to speak on legal and regulatory compliance in social media. In the beginning, case law and regulatory guidance were scarce, and little information was available to provide businesses engaged in social media with a roadmap for social media legal and regulatory compliance. However, a lot has changed over the last year, and a clear trend is emerging: industry regulators are aware of the use – and abuse – of social media by their members. This article examines recent guidance provided by the Federal Trade Commission (FTC), the Food & Drug Administration (FDA), the National Labor Relations Board (NLRB), the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC).
Social Media in Marketing, Advertising & Commerce.
The settlement, first announced in June 2010, resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. Lapses in Twitter’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account. Under the terms of the settlement, Twitter has heightened and ongoing obligations to consumers concerning the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and to honor the privacy choices made by consumers.
In a similar action, the FTC settled an investigation into Facebook, the leading social media platform/service. The social networking service agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.
Read the FTC update here.
As recently as January 10, 2012, the FTC reached a settlement with UPromise, Inc., stemming from charges that the company – a membership reward service – allegedly used a web-browser toolbar to collect consumers’ personal information, without adequately disclosing the extent of personal information collected. The FTC found that the toolbar was collecting the names of all websites visited by its users as well as information entered into web pages by those users, including user names, passwords, credit card numbers, social security numbers and other financial and/or sensitive data. Furthermore, this data was transmitted in unencrypted, clear text that could be intercepted or viewed by third parties in a WiFi environment. The result? UPromise had to destroy all data it collected under the “Personalized Offers” feature of its “TurboSaver” toolbar in addition to other obligations related to data collection practices and consent to collection of personal information.
Other Industry Guidance.
In October 2009, the Federal Trade Commission released its updated “FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising.” The updated Guides contain two notable areas of concern for marketers. First, the Guides removed the safe harbor for advertisements featuring a consumer’s experience with a product or service, the so-called “results not typical” disclosure. Second, the FTC Guides underscored the longstanding principle of disclosing “material connections” between advertisers and the consumers, experts, organizations, and celebrities providing reviews and endorsements of products and services.
For concise guidance on when, how and what to disclose, see my article here.
Social Media in the Healthcare & Pharmaceutical Industries.
Like other consumer-oriented industries, pharmaceutical and biotech firms are rapidly expanding their presence online. This growth over the past several years has not gone unnoticed, as evidenced by FDA Warning Letters targeting marketing campaigns “broadcast” via websites and social media platforms. The FDA also provides more general guidance for the industry. Policy and guidance development for promotion of FDA-regulated medical products using the Internet and social media tools are available in the FDA’s Consumer-Directed Broadcast Advertisements Questions and Answers. While this document provides clear direction for traditional media broadcasting, it only skims the surface regarding web content.
Social Media in the Workplace.
Probably no other federal agency has been as active as the NLRB in recent months. The NLRB has a mandate to protect employees’ rights to organize and discuss working conditions without fear of reprisals from employers. On August 8, 2011, the Associate General Counsel for the NLRB released a memo entitled “Report of the Acting General Counsel Concerning Social Media Cases.” The report began by analyzing a case of first impression: whether an employer unlawfully discharged five employees who had posted comments on Facebook relating to allegations of poor job performance previously expressed by one of their coworkers.
On January 25, 2012, the NLRB released a second report describing social media cases handled by the NLRB. The “Operations Management Memo” available here, covers 14 cases, half of which involve questions about employer social media policies. Five of those policies were found to be unlawfully broad, one was lawful, and one was found to be lawful after it was revised.
The remaining cases involved discharges of employees after they posted comments to Facebook. Several discharges were found to be unlawful because they flowed from unlawful policies. But in one case, the discharge was upheld despite an unlawful policy because the employee’s posting was not work-related. The report underscores two main points made in an earlier compilation of cases: 1) policies should not sweep so broadly that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees; and 2) an employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.
Social Media and the Financial Services Industry.
From the Madoff scandal, to the Occupy Wall Street movement, to Mitt Romney’s tax returns, the financial services sector is accustomed to the scrutiny and ire of the public and government regulators. Therefore, it is no surprise that on January 4, 2012, the SEC’s Office of Compliance Inspections and Examinations, in coordination with other SEC staff, including the Division of Enforcement’s Asset Management Unit and the Division of Investment Management, issued its “Investment Adviser Use of Social Media” paper. The paper begins by observing that although “many firms have policies and procedures within their compliance programs” governing use of social media, there is wide “variation in the form and substance of the policies and procedures.” The staff noted that many firms have multiple overlapping procedures that apply to advertisements, client communications or electronic communications generally, which may or may not specifically include social media use. Such lack of specificity may cause confusion as to what procedures or standards apply to social media use.
The SEC paper suggests that the following factors are relevant to determining the effectiveness of a Social Media compliance program:
- Usage Guidelines
- Content Standards
- Frequency of Monitoring
- Approval of Content
- Firm Resources
- Criteria for Approving Participation
- Functionality of web sites and updates thereto
- Personal/Professional sites
- Information security
- Enterprise-wide web site content cross collateralization
Similarly, the Financial Industry Regulatory Authority (FINRA) has issued guidance for securities brokerage firms. According to its web site, FINRA “is the largest independent regulator for all securities firms doing business in the United States.” FINRA protects American investors by ensuring fairness and honesty in the securities industry. In January 2010, FINRA issued Regulatory Notice 10-06, providing guidance on the application of FINRA rules governing communications with the public to social media sites and reminding firms of the recordkeeping, suitability, supervision and content requirements for such communications. Since its publication, firms have raised additional questions regarding the application of the rules. Key takeaways from FINRA’s guidance include the following:
- Brokerages have supervisory and record keeping obligations based on the content of the communications – whether it is business related – and not the media
- Broker-dealers must track and supervise messages that deal with business
- Firms must have systems in place to supervise and retain interactions with customers, if they are made through personal mobile devices
- A broker must get approval from the firm if she mentions her employer on a social media site
- Pre-approval for instant messages, also known as “unscripted interactions” in legalese, is not necessary as long as supervisors are informed after the fact
Many professionals in regulated industries are eager to leverage social media to market and communicate with existing and prospective clients and to increase their visibility. However, participants must ensure compliance with all of the regulatory requirements and awareness of the risks associated with using various forms of social media. Hopefully, the guidance outlined above can serve as a good starting point for discussions about how best to use social media, and the factors noted above can help firms strengthen their compliance and risk management programs. We invite you to contact us with comments and requests about how we can help you educate your employees, prevent fraud, monitor risk, and promote compliance. We can be reached at lsglegal.com, 866-734-256, @adlerlaw and firstname.lastname@example.org.