FTC Settles with Phone Manufacturer for Deceptive Data Security Practices

Weiner Brodsky Kider PC
Contact

Weiner Brodsky Kider PC

The Federal Trade Commission (FTC) gave final approval to a settlement with a Florida-based mobile phone manufacturer over claims that the company deceived consumers about the disclosure of their personal data to third-party servicers and about the manufacturer’s data security practices. The settlement requires the manufacturer to implement a comprehensive security program to address security risks to consumer data and be subject to continuous review.

According to the FTC’s complaint, the manufacturer and its co-owner/president misled consumers when they claimed that third-party collection of user data on the manufacturer’s devices was limited to only information needed to perform requested services by third parties. However, the manufacturer contracted a China-based third-party service provider to issue security and operating system updates to its mobile devices, and this third-party collected and transferred to its own servers more information than it need to do the job. The transferred data included detailed consumer personal information, full content of consumers’ text messages, real-time location data, call and text message logs, contact lists, and lists of applications used and installed on the devices.

After the collection and sharing by the third-party became public in November of 2016, the manufacturer issued a statement informing consumers that the third-party servicer had stopped its unexpected data collection practices. However, according to the FTC, the manufacturer continued to allow the third-party to operate on its older mobile devices without adequate oversight.

The FTC claimed that the manufacturer and its president failed to implement appropriate security procedures to oversee the security practices of their service providers. According to the FTC, appropriate security procedures should have included performing due diligence of service providers, having written data security procedures regarding service providers, and adequately assessing the privacy and security risk of third-party software installed on the manufacturer’s mobile devices.

The terms of the settlement agreement prohibit the manufacturer from misrepresenting the extent to which it protects the privacy and security of personal information and requires implementation and maintenance of a security program that addresses security risks associated with new and existing mobile devices. Additionally, the manufacturer must also undergo third-party assessment of its security program every two years for 20 years and will be subject to record-keeping and compliance-monitoring requirements.

The FTC’s press release on the final approval of this settlement agreement may be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Weiner Brodsky Kider PC | Attorney Advertising

Written by:

Weiner Brodsky Kider PC
Contact
more
less

Weiner Brodsky Kider PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.