FTC Settlement With Mobile Device & App Developer Shows Developers & Businesses Need To Manage Mobile App & Data Security

Businesses that use mobile devices or applications, and the developers and providers of mobile devices and other technology, need to get serious about security. With the use of mobile applications by technology and other businesses in marketing and other business activities proliferating, the Federal Trade Commission (FTC) announcement this week of its first settlement with a mobile device manufacturer highlights the advisability for mobile device, software, technology and other U.S. businesses using these tools to review recent guidance and tools shared by the FTC and to take other appropriate steps to reasonably design and administer their applications, software, systems and data to safeguard consumer and other sensitive information.

FTC Charges Against HTC America

This week, the FTC announced that HTC America, Inc. had agreed to settle FTC charges that the company failed to take reasonable steps to secure the software it developed for its smart phones and tablet computers and introduced security flaws that placed sensitive information about millions of consumers at risk.

A leading mobile device manufacturer in the United States, HTC America develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems. HTC America has customized the software on these devices in order to differentiate itself from competitors and to comply with the requirements of mobile network operators.   

In its first-ever complaint against a mobile device or application developer, the FTC charged HTC America failed to incorporate and administer appropriate safeguards for personal financial and other sensitive data accessed and used in these applications when designing or customizing the software on its mobile devices. Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.

To illustrate the consequences of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC America’s devices, including the insecure implementation of two logging applications – Carrier IQ and HTC Loggers – as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model.

Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent. The FTC alleged that malware placed on consumers’ devices without their permission could be used to record and transmit information entered into or stored on the device, including, for example, financial account numbers and related access codes or medical information such as text messages received from healthcare providers and calendar entries about doctor’s appointments. In addition, malicious applications could exploit the vulnerabilities on HTC devices to gain unauthorized access to a variety of other sensitive information, such as the user’s geolocation information and the contents of the user’s text messages.

Moreover, the FTC complaint alleged that the user manuals for HTC Android-based devices contained deceptive representations, and that the user interface for the company’s Tell HTC application was also deceptive. In both cases, the security vulnerabilities in HTC Android-based devices undermined consent mechanisms that would have otherwise prevented unauthorized access or transmission of sensitive information.

HTC America Settlement

The settlement not only requires the establishment of a comprehensive security program, but also prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices. Under the settlement agreement, HTC America must:

  • Fix vulnerabilities found in millions of HTC devices;
  • Establish a comprehensive security program designed to address security risks during the development of HTC devices; and
  • Undergo independent security assessments every other year for the next 20 years.

HTC America and its network operator partners are also in the process of deploying the security patches required by the settlement to consumers’ devices. Many consumers have already received the required security updates. The FTC is encouraging consumers using HTC America applications to apply the updates as soon as possible.

The FTC Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 3-0-2, with Chairman Jon Leibowitz not participating and Commissioner Maureen Ohlhausen recused. The FTC will publish a description of the consent agreement package in the Federal Register shortly.

In accordance with FTC procedures, the settlement agreement will be subject to public comment through March 22, after which the Commission will decide whether to make the proposed consent order final. Interested parties can comment using instructions in the “Invitation To Comment” part of the “Supplementary Information” section.

Other Businesses Urged To Act To Manage Mobile Application Device & Security

Following on the heels of the Obama Administration’s announcement of new cyber security initiatives generally and various federal and state enforcement actions against businesses for misrepresenting the adequacy of data security safeguards, failing to appropriately safeguard personal financial or other sensitive data, or other related deficiencies in businesses’ handling of electronic or other sensitive data, the HTC America settlement comes as the FTC is ramping up an ongoing effort to ensure that mobile device and application providers secure the software and devices they provide to consumers. Earlier this month, the FTC introduced Mobile App Developers: Start with Security, a new business guide that encourages app developers to aim for reasonable data security. On June 4, 2013, the FTC also plans to host a public forum on malware and other mobile security threats in order to examine the security of existing and developing mobile technologies and the roles that various members of the mobile ecosystem can play in protecting consumers.

These and other related activities send a clear message that the FTC expects mobile device and application manufacturers and providers to use appropriate processes and safeguards to protect personal financial and other sensitive data. In response to these developments, mobile device and application developers and businesses using these tools should act promptly to review the adequacy of the design and security safeguards for their devices, software and applications, as well as their disclaimers and associated consumer disclosures and consents. Businesses making use of devices, software or applications in their business activities also should consider requiring appropriate contractual representations and warranties from developers and providers of these devices and applications.

Because of the diversity of the applications and the rules applicable to the data and industry of their use, there is no comprehensive checklist for securing all apps.  Different types of data have different legal requirements for data use and protection.  Meanwhile, different apps have different security needs.    As a result, device and application developers and the businesses allowing or offering their use must consider the particulars of the devices, the data, and the rules to decide what to permit and how to safeguard data running on mobile devices and applications.

In connection with these risk management and compliance efforts to aim for reasonable data security, developers and businesses both should take documented actions so that they are ready to prove that their devices and applications are designed and administered both to meet any specific data security and privacy rules applicable to the data or device in question and to provide reasonable data security generally.

As part of this process, developers and businesses considering the use of these devices and applications generally should start by considering the features of the contemplated device and applications, the data likely to run on or be accessed through the device or application, and the potential legal, operational and reputational responsibilities and risks to users’ personal or other sensitive information that could arise from the use or misuse of the technology or its data. Consideration of these issues will help to understand the security and other functionality that is acceptable and the limits, as well as potential security risks and risk management that the tool must include.

When planning and executing this process, the mobile application or device security management process should include security in the design requirements and make a specific management lead responsible for ensuring that the appropriate security is implemented and maintained.

The evaluation process should take stock of the data to be collected, accessed and retained, who has legal rights or responsibility with regard to this information, the identity and roles of the parties sharing, receiving or transmitting this information, the format of this data, and the contemplated or potential uses, manipulation, and disclosure that is possible both through authorized and unauthorized uses.

Once the requirements for the data are identified, the next step is to understand the proposed mobile platform. Each mobile operating system uses different application programming interfaces (APIs), provides different security-related features, and handles permissions its own way. Picking the best platform to meet the requisite design needs is a critical component of determining what the mobile application risks and opportunities are and what will be necessary to manage the security risks.

While proper tool choice is critical, don’t rely on a platform alone to protect the users and data. While mobile platforms often provide helpful security features, developers and the businesses deploying or allowing the use of these tools are generally responsible for understanding those features (and their limitations), implementing them properly, providing appropriate disclosures to consumers or others, getting requisite authorizations and consents, and taking other measures necessary to protect the users and fulfill legal and risk management requirements. In addition, while platform-based permissions might be helpful in conveying security information to customers, they’re no substitute for your own effective communication. Talk to your users in your own words and do so accurately. As reflected by the FTC consent order with Caremark, Inc. discussed here, misleading reassurances about data security or use carry their own business and legal risks.

Other basic considerations include:

  • Design and create user credentials (like usernames and passwords) securely
  • Use transit encryption for usernames, passwords, and other important data
  • To protect users, developers often deploy SSL/TLS in the form of HTTPS.  Consider using HTTPS or another industry-standard method
  • Use due diligence on libraries and other third-party code before using someone else’s code to build or augment your application or device
  • Consider protecting data you store on a user’s device, particularly where the application uses personal information or other sensitive data
  • Incorporate appropriate protection to protect data against unauthorized access, viruses, malware, or a lost device
  • Protect your servers
  • Don’t store passwords in plaintext; store them securely
  • Stay diligent and aware and communicate with your users even after deployment to guard against new risks
  • Accept, review and respond quickly and accordingly to user feedback about potential security vulnerabilities or other concerns
  • If dealing with financial data, health data, kids’ or other personal or confidential data, make sure you understand applicable standards and regulations
  • Understand in advance what the legal and business consequences of a breach or other security problem are and prepare in advance to respond accordingly

Finally, don’t allow your enthusiasm for the tool to blind you or your organization to potential risks or exposures. Victims of disclosures of personal or other sensitive information often may view the injuries of an unauthorized use, access, collection or disclosure of data much more darkly than the developer or business that offers the application. Even where legally defensible, breaches or perceived breaches of trust can have a devastating effect on the businesses involved. Decide what is legally permitted and operationally and legally defensible, then make clear what the tool does with what data and how, and what is allowed and disallowed for all parties in the process, including how the data might be collected, used, retained, disclosed, destroyed, or otherwise handled, and the risks, the benefits, and other relevant information attendant to these activities.

About The Author

Management attorney and consultant Cynthia Marcotte Stamer helps businesses, governments and associations solve problems, develop and implement strategies to manage people, processes, and regulatory exposures to meet their business and operational goals and manage legal, operational and other risks. Board certified in labor and employment law by the Texas Board of Legal Specialization, with more than 25 years human resource, employee benefits and management experience, Ms. Stamer helps businesses manage their people-related risks and the performance of their internal and external workforce through appropriate human resources, employee benefit, worker’s compensation, insurance, outsourcing and risk management strategies domestically and internationally. Recognized in the International Who’s Who of Professionals and bearing the Martindale-Hubbell AV-Rating, Ms. Stamer also is a highly regarded author and speaker, who regularly conducts management and other training on a wide range of labor and employment, employee benefit, human resources, internal controls and other related risk management matters. Her writings frequently are published by the American Bar Association (ABA), Aspen Publishers, Bureau of National Affairs, the American Health Lawyers Association, SHRM, World At Work, Government Institutes, Inc., Atlantic Information Services, Employee Benefit News, and many others. For a listing of some of these publications and programs, see here. Her insights on human resources risk management matters also appear in The Wall Street Journal, various publications of The Bureau of National Affairs and Aspen Publishing, the Dallas Morning News, Spencer Publications, Health Leaders, Business Insurance, the Dallas and Houston Business Journals and a host of other publications.
Chair of the ABA RPTE Employee Benefit and Other Compensation Committee, a council member of the ABA Joint Committee on Employee Benefits, and the Legislative Chair of the Dallas Human Resources Management Association Government Affairs Committee, she also serves in leadership positions in many human resources, corporate compliance, and other professional and civic organizations. For more details about Ms. Stamer’s experience and other credentials, contact Ms. Stamer, information about workshops and other training, selected publications and other human resources related information, see here or contact Ms. Stamer via telephone at 469.767.8872 or via e-mail here.


©2013 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other  rights reserved. 

About Cynthia Marcotte Stamer

Management attorney and operations consultant Cynthia Marcotte Stamer uses a client objective oriented approach to help businesses, governments, associations and their leaders manage people, performance, risk, legislative and regulatory affairs, data, and other essential elements of their operations.