As outlined in its complaint, the FTC took issue with a number of MoviePass's business practices. First, the FTC alleged MoviePass deceptively advertised its "unlimited" movie viewing subscription package because it devised and implemented a "password disruption" and "ticket verification" program that limited the frequency with which subscribers could view movies.
On August 20, 2019, however, a security researcher was reported to have breached an exposed database containing consumer personal information. MoviePass confirmed the data breach, which exposed a server containing unencrypted personal information. Financial and other personal information of over 28,000 consumers was affected.
The FTC alleged the breach was made possible because MoviePass:
The proposed settlement prohibits MoviePass from misrepresenting certain terms of its subscription plan. MoviePass is also barred from misrepresenting that it will take reasonable administrative, technical, physical, or managerial measures to protect consumers' personal information from unauthorized access.
MoviePass will need to implement an Information Security Program that includes the following, among other components:
MoviePass will also need to obtain an initial, and then biannual, third-party assessment of its Information Security Program and cooperate with a third-party information security assessor.
The proposed settlement also provides the foundation for an effective Information Security Program that businesses collecting, storing, using, and sharing personal information should have in place.
The list above is the tip of the iceberg. See the proposed settlement for more details.