The Federal Trade Commission continued to expand its reach into cybersecurity last month when it took legal action against TRENDnet, which markets Web-connected home security cameras that allowed hundreds of live video feeds to be hacked and posted online. See, “Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers' Privacy,” FTC. (A PDF of the Complaint against TRENDnet is available at http://1.usa.gov/17HEySw.)
The FTC said this was its first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices, commonly referred to as the “Internet of Things.” See, “The Internet of Things,” Insights & Publications, McKinsey & Company.
The case involved a form of deceptive advertising, explains Julia Jacobson, a Boston-based partner in the data privacy and security practice at McDermott Will & Emery.
“The product hacked was called 'SecurView,'” Jacobson says. “If you are a consumer on their website, would you expect that product is secure? Yes, you probably would.”
She says the crux of the case was whether TRENDnet lived up to the expectation of keeping information safe, using reasonable standards. “All FTC privacy regulations are built on the fact that you must tell consumers what you are doing with their data,” Jacobson advises. “These problems didn't exist three or four years ago, when wireless wasn't everywhere. If you were a general counsel calling me for advice, I'd say look at what you are doing, and see if it matches what you promised.”
The Case Against TRENDnet
Specifically, the FTC alleged that, “from at least April 2010, TRENDnet failed to use reasonable security to design and test its software, including a setting for the cameras' password requirement.”
The agency said the company conducted unfair and deceptive trade practices by issuing false and misleading information about the security of its devices.
The FTC said that TRENDnet earned about $7.4 million in revenue from the sale of its Internet-connected cameras in 2012.
The company reached an 11-page consent agreement with the FTC, neither admitting nor denying wrongdoing. (The Consent Order is available at http://1.usa.gov/152nyrQ.)
The consent order, which remains in effect for 20 years, requires the company to take a number of steps that include implementing a comprehensive security program, hiring an independent third party to periodically assess its compliance, and notifying customers of flaws and providing them with free technical support.
TRENDnet's attorney, John Sun of Tustin, CA, called the settlement fair. “It offers remedial action to all customers,” which TRENDnet wanted, he said. Asked if he was concerned about the FTC stepping into this area of law, Sun responded: “The FTC action was for the public's protection, and we agree with that.”
Yet Jacobson says the breadth of TRENDnet's consent order has rekindled questions about the FTC's role in cybersecurity cases. The action comes while a suit filed last year by the hotel group Wyndham Worldwide Corporation is pending in U.S. District Court in Arizona, challenging the agency's jurisdiction in data breaches. See, “FTC Sues Parsippany-based Wyndham Hotel Chain over Data Breaches,” NJ.com.
FTC Taking Control of Cybersecurity
So far, Congress has designated no agency to oversee cybersecurity. But the FTC has taken the lead, usually in cases involving deceptive claims of security.
But the Wyndham suit says the agency went too far when it sued the company last year after hackers stole a massive amount of customer credit card information and caused more than $10 million in fraudulent charges.
It says the FTC has set no standards for cybersecurity and has no authority to punish companies that have been the victims of data breaches.
In friend of the court briefs, the U.S. Chamber of Commerce and other business organizations agreed with Wyndham (see, http://bit.ly/1b5pDUX; and “Wyndham Lawsuit Tests FTC's Data Security Enforcement Authority,” Computerworld).
They accused the FTC of routinely punishing businesses for failing to have reasonable security standards without ever specifying what standards it considers reasonable.
The Chamber also questioned the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act.
The FTC itself wants to talk about its role in cybersecurity issues with corporations and Internet-related groups. It has scheduled a November 19 workshop to “address a wide variety of issues related to the ability of everyday devices to communicate with each other and with people.” See, “FTC Announces New Date for Internet of Things Workshop,” FTC. Jacobson says the workshop might not come up with any good answers, “but at least we'll be able to figure out what the FTC is thinking. That is important to people in the industry.”
Sue Reisinger is a Senior Reporter for Corporate Counsel magazine, an ALM affiliate of e-Commerce Law & Strategy.