The Federal Trade Commission (FTC) gave final approval to a settlement with a Florida-based mobile phone manufacturer over claims that the company deceived consumers about the disclosure of their personal data to third-party servicers and about the manufacturer’s data security practices. The settlement requires the manufacturer to implement a comprehensive security program to address security risks to consumer data and be subject to continuous review.
According to the FTC’s complaint, the manufacturer and its co-owner/president misled consumers when they claimed that third-party collection of user data on the manufacturer’s devices was limited to only the information third parties needed to perform requested services. However, the manufacturer contracted a China-based third-party service provider to issue security and operating system updates to its mobile devices, and this third party collected and transferred to its own servers more information than it needed to do the job. The transferred data included detailed consumer personal information, full content of consumers’ text messages, real-time location data, call and text message logs, contact lists, and lists of applications used and installed on the devices.
After the collection and sharing by the third party became public in November of 2016, the manufacturer issued a statement informing consumers that the third-party servicer had stopped its unexpected data collection practices. However, according to the FTC, the manufacturer continued to allow the third party to operate on its older mobile devices without adequate oversight.
The FTC claimed that the manufacturer and its president failed to implement appropriate security procedures to oversee the security practices of their service providers. According to the FTC, appropriate security procedures should have included performing due diligence of service providers, having written data security procedures regarding service providers, and adequately assessing the privacy and security risk of third-party software installed on the manufacturer’s mobile devices.
The terms of the settlement agreement prohibit the manufacturer from misrepresenting the extent to which it protects the privacy and security of personal information and require implementation and maintenance of a security program that addresses security risks associated with new and existing mobile devices. Additionally, the manufacturer must undergo third-party assessment of its security program every two years for 20 years and will be subject to record-keeping and compliance-monitoring requirements.
The FTC’s press release on the final approval of this settlement agreement may be found here.