On March 28, 2014, the Federal Trade Commission (FTC) announced settlements with Fandango, LLC and Credit Karma, Inc. resolving charges that the companies misrepresented the security of their mobile apps in violation of Section 5 of the FTC Act. The FTC alleged that the companies failed to take reasonable steps to securely transmit sensitive personal information by disabling a default security process and failing to conduct adequate vulnerability scans. The settlements demonstrate the FTC's continued focus on the mobile and information security areas following multiple staff reports covering mobile devices and recent settlements resolving allegations of inadequate data security practices.
The Fandango Movies app allows consumers to find movie information and purchase tickets. In its complaint, the FTC alleged that within the app and during the ticket purchasing process, Fandango provided statements that the app was secure. During the purchasing process, the app collected credit card information from some consumers and transmitted the information via a Secure Sockets Layer (SSL) connection. The FTC alleged, however, that Fandango disabled a default security setting for the connection, which left the data transmission vulnerable to interception.
The FTC further alleged that Fandango did not test its app for the SSL vulnerability during its first four years in use. While there were no known breaches of credit card information related to the app during that time, a security researcher allegedly attempted to alert Fandango to the vulnerability. The FTC claimed, however, that Fandango's customer service system incorrectly flagged the researcher's message, so the vulnerability was not appropriately addressed.
The FTC alleged that Fandango and Credit Karma violated Section 5 of the FTC Act by making false or misleading statements that they provided reasonable and appropriate security for consumers' information. Specifically, the FTC alleged that a combination of three factors led to each company's failure to provide reasonable and appropriate security:
The FTC alleged that both companies overrode the mobile operating systems' default SSL settings without compensating for the reduction in security created by these overrides.
The FTC alleged that both companies failed to appropriately test their apps.
The FTC alleged that Fandango failed to maintain an adequate process for receiving security vulnerability reports from third parties, while Credit Karma allegedly failed to reasonably and appropriately oversee its service provider.
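The first two factors above can be made concrete in code. The following is an added example, not material from the article or from either company: it assumes, as the FTC complaints described, that the overridden default was SSL/TLS server certificate validation (the article itself does not name the setting). It shows a platform-default TLS client context beside the kind of override at issue, an audit function a reviewer or test suite could run against a client's context to catch the override, and two compensating controls for the case where a developer needs something other than the public CA store: trusting a private CA explicitly rather than disabling verification, and pinning the server certificate. All function names and the SAMPLE_DER byte string are constructed for this example.

```python
import hashlib
import ssl
from typing import List, Optional, Set


def default_client_context() -> ssl.SSLContext:
    """The platform default: CA-verified certificate chain plus hostname check."""
    return ssl.create_default_context()


def overridden_client_context() -> ssl.SSLContext:
    """The kind of override the complaints describe (assumed form): accept any
    certificate for any host. Traffic still looks encrypted, but an interceptor
    presenting its own certificate is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means the defaults
    the FTC expected to see are intact. Suitable as a unit test or CI gate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the host name")
    return findings


def private_ca_context(cafile: str) -> ssl.SSLContext:
    """Compensating control 1: if the backend uses a private CA, add that CA to
    the trust store instead of disabling validation. Defaults stay intact."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def pin_of(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pinned: Set[str]) -> bool:
    """Compensating control 2: after a fully validated handshake, also require the
    peer certificate to match one of the pinned fingerprints. Keep at least one
    backup pin so certificate rotation does not lock clients out."""
    return pin_of(der_cert) in pinned


def connect_with_pin(host: str, port: int, pinned: Set[str]) -> Optional[ssl.SSLSocket]:
    """Open a default-validated TLS connection and enforce the pin on top of it.
    Returns the socket, or None if the pin does not match (network use only;
    not exercised in the offline test)."""
    import socket
    ctx = default_client_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not verify_pin(sock.getpeercert(binary_form=True), pinned):
        sock.close()
        return None
    return sock


# Constructed placeholder standing in for a DER certificate; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00CONSTRUCTED-SAMPLE-CERTIFICATE-BYTES"

if __name__ == "__main__":
    for name, ctx in (("default", default_client_context()),
                      ("overridden", overridden_client_context())):
        print(name, audit_context(ctx) or "OK")
    print("pin matches:", verify_pin(SAMPLE_DER, {pin_of(SAMPLE_DER)}))
```

Running the audit over a context of the overridden form yields two findings; the default context yields none. The point for a vendor-oversight or code-review checklist is that an override of this kind is a two-line change that is invisible in a normal connection and is only caught by inspecting the client configuration or by testing against an untrusted certificate, which is the vulnerability scanning the FTC alleged was missing.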
In the FTC's settlement agreements and consent orders with Fandango and Credit Karma, both companies agreed to refrain from misrepresenting the privacy and security measures in their apps or other products and services. The companies also agreed to establish comprehensive information security programs and undergo independent audits of their programs for the next 20 years.
These settlements are especially important for mobile app developers. Through these and other recent actions, the FTC has demonstrated a desire to pursue data security cases even where the commission has not alleged any evidence of a data breach or tangible harm to consumers. In particular, the FTC has now signaled that disabling default security settings in mobile operating systems will subject an app to scrutiny under Section 5. Additionally, the FTC's settlement with Credit Karma serves as an important reminder of the privacy and data security impacts that vendors can have on organizations, even in cases where the vendor may not have access to personal information. Companies using outside vendors to develop mobile apps for consumers should ensure that privacy and security issues are a part of their vendor oversight practices, as the FTC has continued to express a willingness to hold companies accountable for the actions of their service providers.