Federal Trade Commission

The NIST Cybersecurity Framework and the FTC

We often get the question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” From the perspective of the staff of the Federal Trade Commission, NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency’s educational messages to companies, including its recent Start with Security guidance.

The Framework is not, and isn’t intended to be, a standard or checklist. It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements. In this respect, there’s really no such thing as “complying with the Framework.” Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.

What is your phone telling your rental car?

What happens when you rent a connected car? When you use the car’s infotainment system, it may store personal information. It may keep locations you entered in GPS or visited when travelling in the rental car – like where you work or live. If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages. Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers.

If you decide to rent a connected car, here are some steps you can take to protect your personal information:

  • Avoid connecting your mobile phones or devices to the infotainment system just for charging.
  • Check your permissions.
  • Delete your data from the infotainment system before returning the car.

FTC Seeks Comment on Safeguards Rule

The Federal Trade Commission is seeking public comment on Standards for Safeguarding Customer Information (the “Safeguards Rule”) as part of its systematic review of all FTC rules and guides. The Safeguards Rule, which took effect in 2003, requires financial institutions to develop, implement and maintain a comprehensive information security program for handling customer information.

The FTC seeks comments on a number of questions, including the economic impact and benefits of the Rule; possible conflict between the Rule and state, local or other federal laws or regulations; and the effect on the Rule of any technological, economic or other industry changes. The Commission vote approving the Federal Register Notice was 3-0. The notice will be published shortly and instructions for filing comments appear in the Notice. Comments must be received on or before November 7, 2016.

FTC Approves Final Order in ASUS Privacy Case

After a public comment period, the Federal Trade Commission has approved a final order resolving the Commission’s complaint against ASUSTeK Computer, Inc., charging that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The settlement was first announced in February 2016. In its complaint, the FTC alleged that ASUS failed to take reasonable steps to secure the software on its routers, despite making promises to consumers about their security.

Under the terms of the consent order, ASUS is required to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. In addition, ASUS must notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through e-mail, text message, or push notification). The consent order also prohibits the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software. The Commission vote to approve the final order and letters to commenters was 3-0.

What happens when the sun sets on a smart product?

A recent Federal Trade Commission investigation into one company’s decision to stop providing support for an Internet of Things (IoT) device illuminates some pitfalls IoT businesses should avoid in introducing and marketing these innovative products.

In that case, a company acquired the marketer of a “Smart Home Hub” and then decided to shut down support for the device, thereby rendering it inoperable. Although we closed that investigation, it raises broader issues about what happens when an IoT product or service, or the updates and support for them, stops. First, there are serious issues at play when consumers purchase products that unexpectedly stop functioning due to a unilateral decision by the company that sold them. Second, when a company stops providing technical support, including security updates, for an IoT device, consumers may be left with an out-of-date product that is vulnerable to critical security or privacy bugs. So, if you’re an IoT business, product designer, or marketer, this scenario should make a light bulb go on in your head.

Ask yourself:

  • Are you selling a device, a service, or both? What are you telling consumers you’re selling?
  • Are consumers getting a fixed-term rental or subscription, or are they getting something they will own and can rely on for the life of the device?
  • Would reasonable consumers expect to be able to keep using the device – and have it be fully functional – if the company, even many years later, rides off into the sunset? Would they expect the device to have an “expiration date”?
  • Could consumers keep using your device in the ways they would reasonably expect based on their experience with similar devices?
  • What did you tell consumers at the outset – or what would they otherwise expect – about the security you would provide for the life of the device?

FTC and Florida Charge Tech Support Operation with Tricking Consumers Into Paying Millions for Bogus Services

The Federal Trade Commission and State of Florida have taken action against defendants who ran an international tech support operation and allegedly misrepresented to consumers that malware or hackers had compromised their computers and that the operation was associated with or certified by Microsoft and Apple to fix their computers. A federal court has temporarily shut down the defendants’ operation, frozen their assets, and placed control of the businesses with a court-appointed receiver. The complaint alleges that defendants, based in Florida, Iowa, Nevada, and Canada, relied on a combination of deceptive online ads and misleading, high-pressure sales tactics to frighten consumers into spending hundreds of dollars for dubious computer “repairs” and antivirus software.

“Scammers like these use incredibly deceptive tactics that make consumers think they are receiving warnings from legitimate technology companies,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “We are proud to work with the Florida Attorney General’s Office to put an end to these fraudulent practices.” According to the complaint, the defendants caused consumers’ computers to display advertisements designed to resemble security alerts from Microsoft or Apple. These ads warned consumers that their computers could be infected with malware and urged them to call a toll-free number in the ad to safeguard both their computer and sensitive personal information stored on it.

Russian hackers might have your info -- now what?

You may have heard about it in the news: reports that Russian hackers have stolen more than a billion unique username and password combinations, and more than 500 million e-mail addresses, grabbed from thousands of websites. What should you do about it?

  • Once you have strong passwords, you need to keep them safe. Think twice when you’re asked to enter usernames and passwords, and never provide them in response to an email.
  • If you see charges that you don’t recognize, contact your bank or credit card provider right away and speak to the fraud department.
  • By taking these steps, you can lessen the odds scammers will get a hold of your information, and also minimize the consequences if they do.

FTC Approves iKeepSafe COPPA “Safe Harbor” Oversight Program

Following a public comment period, the Federal Trade Commission has approved the Safe Harbor Program of iKeepSafe, also known as the Internet Keep Safe Coalition, as a safe harbor oversight program under the Children’s Online Privacy Protection Act (COPPA) and the agency’s COPPA Rule.

The FTC’s COPPA Rule requires operators of online sites and services directed at children under the age of 13 to provide notice and obtain permission from a child’s parents before collecting personal information from that child.

The COPPA safe harbor provision promotes flexibility and efficiency by encouraging industry members and others to develop their own COPPA oversight programs, known as “safe harbor” programs.

Many Apps Fail to Provide Information On Payment Dispute Mechanisms, Privacy

A new staff report issued by the Federal Trade Commission finds that many mobile apps for use in shopping do not provide consumers with important information -- such as how the apps manage payment-related disputes or handle consumer data -- prior to download.

The report, “What’s the Deal? An FTC Study on Mobile Shopping Apps,” looked at some of the most popular apps used by consumers to comparison shop, collect and redeem deals and discounts, and pay in-store with their mobile devices. The report makes a number of recommendations to companies that provide mobile shopping apps to consumers:

  • Apps should make clear consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.
  • Apps should more clearly describe how they collect, use, and share consumer data.
  • Companies should ensure that their data security promises translate into sound data security practices.

Beyond recommendations for companies, the report also urges consumers to closely examine the apps’ stated policies on issues like dispute resolution and liability limits, as well as privacy and data security, and to evaluate them in choosing which apps to use.

Acc-cen-tuate the negative?

The Restore Online Shoppers’ Confidence Act (ROSCA) is a new law that makes it illegal to charge a consumer for goods or services sold in an Internet transaction through any negative option method -- including trial conversions, continuity plans, or automatic renewals -- unless the business:

  1. clearly and conspicuously discloses all material terms of the transaction before getting consumers’ billing information;
  2. gets consumers’ express informed consent before charging their accounts; and
  3. offers simple ways for people to stop the recurring charges.