Efforts to Fix Data Security Flaws Carry Weight With FTC
MVA Privacy & Data Security team members Karin McGinnis and Leslie Pedernales were recently published in the National Law Journal. Their article, "Efforts to Fix Data Security Flaws Carry Weight with FTC," was featured as a follow-up to the article "Trade Commission Takes Hard Line on Data Security" from November 24, 2014.
The article can be seen below in its entirety. Reprinted with permission from National Law Journal. Copyright 2015 ALM Media Properties LLC. Further duplication without permission is prohibited. All rights reserved.
The Federal Trade Commission’s pursuit of companies under Section 5 of the FTC Act for inadequate security of consumer information was outlined in a November article for the NLJ (Karin M. McGinnis and Todd C. Taylor, “Trade Commission Takes Hard Line on Data Security”).
In the meantime, the FTC has thrown companies a bone, closing a Section 5 investigation against Verizon Communications Inc. following a determination that Verizon had attempted to correct the data-security problems at issue.
The takeaway for companies trying to figure out how to avoid or minimize liability is simple: If you have a data breach or discover a data security problem, fix it—even if the FTC is already on your doorstep.
The FTC’s investigation of Verizon centered on the company’s practice of shipping WiFi routers that defaulted to an outdated encryption protocol. The FTC asserted that this defect may have exposed customers’ data to hackers.
These routers used an outdated encryption standard that had been deprecated by the Institute of Electrical and Electronics Engineers in 2004. According to the FTC, Verizon continued to ship the outdated routers into 2014. On Nov. 12, 2014, however, the FTC issued a letter to Verizon closing the investigation.
The factors cited by the FTC in its closing letter included the fact that Verizon took the following steps to mitigate the harm to customers: pulling all WEP-defaulted routers from its distribution centers and setting them to the updated WPA2 standard; ensuring that all routers distributed going forward would be set to WPA2 by default; implementing an outreach campaign targeting customers who use WEP or no encryption and asking them to update their security settings to WPA2; and offering customers with older routers incompatible with WPA2 the opportunity to upgrade to WPA2-compatible units.
The FTC emphasized that data security is an ongoing process. The security measures considered reasonable today may be unreasonable tomorrow. The FTC will look for companies that fail to actively identify, monitor and address vulnerabilities in the security of consumer data. (See earlier article.) It is also important to have a plan to fix security problems when they arise and to minimize the harm to consumers. And although it is best to take action with reasonable promptness, for now the axiom “better late than never” appears to apply.