Stay ADvised: What's New This Week, July 15
- D-Link Agrees to Update Product Security to Settle FTC Suit
- FTC Approves Settlement with Online Rewards Company Accused of Failing to Protect User Data
- NY AG Settles Case Against Dating App That Exposed Private Photos
- D.C. Circuit Says Plaintiff Has Standing to Sue Under FACTA Over Faulty Receipt
- Samsung In Hot Water Down Under Over Galaxy Underwater Claims
D-Link Agrees to Update Product Security to Settle FTC Suit
Taiwan-based computer networking equipment manufacturer D-Link Systems has agreed to implement a broad software security program to settle a Federal Trade Commission complaint alleging that the company misrepresented the security of its wireless routers and internet cameras.
In January 2017, the FTC filed a complaint in U.S. District Court for the Northern District of California accusing D-Link of failing to take reasonable steps to ensure that its routers and internet cameras were secure, thus compromising private information of unwitting users that included live video and audio taken from the cameras. The complaint charged the company with one count of unfairness and five counts of deception in violation of Section 5 of the FTC Act.
Although D-Link promoted the “advanced network security” of its products, the FTC alleged that it failed to perform basic software security measures that would have protected users from hackers seeking to infiltrate the company’s “smart” products. The complaint outlined a number of flaws with D-Link’s security measures, including the use of “hard coded” login credentials that attackers could easily exploit to gain access to devices. The network software also contained a flaw known as “command injection” which allowed remote attackers to take control of connected devices. Users’ login credentials for the mobile app were also unsecured and in clear readable text, said the FTC. As a result of these security lapses, thousands of customers were exposed to hacks, claimed the FTC.
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise,” he added.
The proposed settlement requires D-Link to implement a comprehensive software security program to ensure its internet-connected products are safe from prying eyes, including security planning, threat modeling, and undergoing a third-party assessment of the security system for a period of ten years.
The settlement follows on the heels of a Northern District of California September 2017 ruling that trimmed the FTC’s original complaint, finding that the agency failed to show any injury to support its unfairness claims and to provide specific enough information to support the deception claims. A bench trial was scheduled to begin in January 2018 but was postponed following the government shutdown at that time.
D-Link noted in a statement that the settlement does not assign any liability to the company.
This action is part of the FTC’s continuing efforts to protect online privacy and security for internet enabled devices (commonly referred to as the Internet of Things (IoT)) that risk unauthorized access to consumer’s sensitive personal information. The case against D-Link was brought at the same time as actions against ASOS and TRENDnet, alleging similar lapses in software security for IoT devices, particularly cameras. Companies that offer these products and services to consumers are well advised to ensure that the hardware and software elements of their products are designed to protect user information and to restrain from misrepresenting their data security features.
FTC Approves Settlement with Online Rewards Company Accused of Failing to Protect User Data
In yet another action concerning a company’s failure to protect consumer information, the Federal Trade Commission recently settled charges against the owner of an online rewards company for compromising private consumer information by failing to implement adequate data security measures.
James V. Grago operates ClixSense, an online rewards company that pays users to perform various online tasks such as viewing advertisements and completing online surveys. In the course of its operations, ClixSense collects users’ personal information, including names, dates of birth, and social security numbers.
The Commission’s complaint that accompanied the filing of the settlement alleged that Grago’s data security failures and security misrepresentations violated the FTC Act. Specifically, the FTC alleged that Grago represented that ClixSense’s rewards program “utilizes the latest security and encryption techniques to ensure the security of your account information,” when in fact they did not even implement basic security measures. Instead, ClixSense allegedly stored sensitive private information—including social security numbers—in plain text format without encryption, failed to change default user credentials for third-party network resources, and did not limit access between computers on its network.
The complaint further alleged ClixSense’s failure to secure private data compromised users’ privacy and allowed hackers to take advantage of lax network security to steal the data of 6.6 million consumers, approximately 500,000 of whom were based in the U.S. The hacked data included physical addresses, dates of birth, emails, passwords, and answers to security questions. The hackers then sold the data of approximately 2.7 million users to third parties. According to the FTC’s allegations, Grago had been on notice that the ClixSense network was compromised, as hackers changed employee logins and passwords and redirected email notification for multiple company accounts. The FTC claimed that, despite this knowledge, Grago did nothing to protect the private information.
The settlement bars Grago and any company he controls from misrepresenting privacy protections in the future and requires him to develop a comprehensive information security program “designed to protect the security, confidentiality and integrity” of personal information collected by such companies.
Further, Grago must conduct and obtain third party biennial assessments of such companies’ information security practices and provide annual certifications and compliance reports to the FTC confirming his compliance with the settlement.
The FTC Act requires companies that collect private data to take meaningful measures to protect that information and not mislead consumers about how their data is protected. As this matter illustrates, the FTC will aggressively pursue companies that fail to do so. As with other privacy and data security cases, this settlement does not impose any fees on the defendant, but the stiff compliance requirements suggest the FTC will be watching him closely in the future.
NY AG Settles Case Against Dating App That Exposed Private PhotosThe FTC is not the only government agency pursuing companies that fail to protect private information online. New York State Attorney General Letitia James announced that her office reached a settlement with an online dating application company accused of failing to safeguard users’ online privacy and exposing the private and nude photographs of thousands of users.
Online Buddies operated the online dating app “Jack’d,” catering to the gay, bisexual, and transgender community. At the time of the AG investigation, Jack’d had approximately 7,000 active users in the New York State area. The company has said it has over 6 million users worldwide.
According to the Attorney General, Jack’d let users post photographs of themselves and designate them as either public or private, and promised users complete control over the privacy of pictures posted on the app by stating “[o]nly you can see your private pictures until you unlock them for someone else.” Marketing for the app explicitly touted users’ ability to share intimate information, including nude photos, according to the Attorney General. Thousands of app users allegedly posted nude and intimate photographs of themselves on the app with the understanding that the information would be kept private.
Despite these representations, the AG’s investigation confirmed that Online Buddies failed to secure user data and stored private information—including nude photographs—on an Amazon Web storage service rather than on a secure server. The site’s lack of privacy controls left the private information of its users, including nude photographs, location data and passwords, vulnerable to exposure.
Even after being informed of the vulnerabilities in its system and after repeated inquiries from the press, Online Buddies failed to remedy the situation, implement any stopgap protection, establish mechanisms to detect unauthorized access, warn users, or in any way tighten security measures, noted Attorney General James.
“This app put users’ sensitive information and private photos at risk of exposure and the company didn’t do anything about it for a full year just so that they could continue to make a profit,” said Attorney General James. “This was an invasion of privacy for thousands of New Yorkers. Today, millions of people across the country—of every gender, race, religion, and sexuality—meet and date online every day, and my office will use every tool at our disposal to protect their privacy.”
The settlement requires Online Buddies to pay the state $240,000 and implement a comprehensive security program to protect private information and remedy existing security issues.
Jack’d joins a long list of dating sites alleged to have inadequate privacy protections for its members. Given the sensitive nature of the information and pictures provided by users of these sites, it is imperative that companies in this category develop and maintain strong and meaningful data security protection or else face the wrath of regulators who are proving they are very much on the beat.
D.C. Circuit Says Plaintiff Has Standing to Sue Under FACTA Over Faulty Receipt
What constitutes concrete and sufficient injury to grant a plaintiff standing to sue under the Fair and Accurate Credit Transactions Act (FACTA)? The D.C. Circuit Court recently addressed this issue, ruling in Jeffries v. Volume Services America, Inc. (d/b/a Centerplate), that concessionaire Centerplate violated FACTA by printing plaintiff’s full credit card number on her receipt, an “egregious” violation of the Act sufficient to confer plaintiff with standing. The decision conflicts with several recent circuit court rulings and deepens the divide over the standing standard set forth in the Supreme Court’s landmark decision in Spokeo, Inc. v. Robins.
Enacted in 2003 to combat identity theft, FACTA restricts the number of credit card digits vendors can include in a receipt. In Jeffries, plaintiff Doris Jeffries alleged in September 2017 that Centerplate printed all 16 digits of her credit card number on her receipt in violation of FACTA. In August 2018, the district court dismissed the action for failure to demonstrate injury, noting that she kept the receipt, averting any potential fraudsters from stealing her information and the burden of safeguarding the non-compliant receipt was inadequate to confer standing.
The D.C. Circuit reversed, reasoning that by including all the numbers of plaintiff’s credit card on the receipt, Centerplate’s violation was so egregious as to confer standing simply because of how drastically the company’s actions increased the chances that Jeffries’ private information and identity could be stolen.
In remanding the case back to the district court, the circuit court found that “Jeffries was not able to use her credit card without incurring an increased risk of identity theft and, as a result, suffered a concrete injury in fact.”
The court’s ruling is in line with last year’s Eleventh Circuit decision in Muransky v. Godiva, which held that a faulty receipt issued with 10 digits of the customer’s credit card number constituted “concrete injury” sufficient under FACTA.
However, four other appellate courts have handed out conflicting rulings, including most recently the Third Circuit in Kamal v. J. Crew Group. But, the D.C. Circuit Court in Jeffries distinguished Kamal because in that case, the receipt revealed only six credit card digits, a number widely considered not as risky as the full credit card number printed by Centerplate. The court also noted that “the Third Circuit recognized its analysis would be different if it were presented with the facts Jeffries presents to us,” the panel reasoned.
These conflicting rulings deepen a circuit split on the application of the Supreme Court’s Spokeo standard in FACTA cases. Prior to Spokeo v. Robin, Plaintiffs’ attorneys routinely won multimillion-dollar settlements under FACTA, but Spokeo altered the landscape. Spokeo held that a technical violation of the closely-related Fair Credit Reporting Act was insufficient to confer standing without a concrete “injury-in-fact.”
Spokeo provided a blueprint for lower courts to determine if an injury was sufficient to confer standing, finding that the harm must bear a “close relationship” to an existing common law cause of action in order to elevate a technical violation of FACTA to a concrete “injury-in-fact.” This approach has been applied by many appellate courts.
Applying this reasoning here, the D.C. Circuit found that the harm suffered by Jeffries by the faulty receipt had a “close relationship” to the type of harm that gives rise to a common law “breach of confidence” claim. “FACTA protects against the risk of the very harm the breach of confidence tort makes actionable—an unauthorized disclosure of privileged information to a third party,” the court said.
In concurring with the judgment, Judge Judith W. Rogers said there was no need to reach the decision based on the “close relationship” test¬— the plain language of FACTA was sufficient: “Even if the breach-of-confidence analogy were persuasive, it would be unnecessary; Jeffries has ‘independently’ shown that FACTA protects her concrete interests ‘based on Congress’s judgment’ that printing a full credit card number on a receipt creates a ‘heightened risk of identity theft,’” Rogers noted, quoting from the Muransky decision.”
Centerplate and other conflicting circuit court decisions demonstrate that the question of what constitutes sufficient harm to justify standing under FACTA is far from settled. Considered from a different angle, it might simply be a question of numbers: the more digits of a credit card number are revealed on a receipt, the greater the chance a court will find that the revelation caused the plaintiff sufficient harm.
Samsung In Hot Water Down Under Over Galaxy Underwater Claims
On July 4th, when most of the U.S. was barbequing hot dogs and watching fireworks, the Australian Competition and Consumer Commission (“ACCC”) initiated an action against Samsung Australia alleging that the company misled consumers by promoting its Galaxy phones as water resistant. The ACCC is Australia’s independent statutory authority charged with enforcing consumer protection laws and regulating competition.
The lawsuit, filed in the Federal Court of Australia, alleges that over a period of three years starting around February 2016, Samsung falsely promoted certain Galaxy phones as being water resistant up to 1.5 meters (approximately 5 feet) deep for 30 minutes. According to the ACCC, Samsung sold more than 4 million Galaxy phones at a higher price point than other Samsung phones that did not advertise the water-resistant feature.
“The ACCC alleges Samsung’s advertisements falsely and misleadingly represented Galaxy phones would be suitable for use in, or for exposure to, all types of water, including in ocean water and swimming pools, and would not be affected by such exposure to water for the life of the phone, when this was not the case,” said ACCC Chair Rod Sims in a press release announcing the action. “Samsung itself has acknowledged that water resistance is an important factor influencing Australian consumer decisions when they choose what mobile phone to purchase,” Sims added.
The suit alleges that the company did not have a reasonable basis for its water-resistant claims because it did not test its phones or know of sufficient testing showing how the phones would be affected by water. Similarly, its claims were unreasonable because Samsung held the view that anything other than fresh water would damage the phone, even advising on its site that the Galaxy S10 is “not advised for beach or pool use.” It also denied warranty claims to consumers whose phones were damaged by water.
Besides being unreasonable, Samsung’s representations were also false, misleading and deceptive, according to the ACCC, because the phones are not suitable for use in all types of water—just fresh water. Further, using the phone in any kind of water (including fresh water) adversely affects the life of the phones, noted the ACCC.
The lawsuit seeks monetary damages, consumer redress orders, injunction, costs and other relief. It affects a wide range of Galaxy phones manufactured between 2016 and 2019.
Companies are not just vulnerable to private and governmental action in the United States. If companies sell overseas, they need to be aware of and comply with all laws concerning representations made to consumers.