To date, the U.S. Federal Trade Commission has brought over 60 enforcement actions concerning companies' data security practices, and 2016 is continuing that trend. On February 23, 2016, the FTC and Taiwanese computer hardware manufacturer ASUSTeK Computer, Inc., settled the FTC's charges that ASUS-branded wireless routers, which were manufactured for home use and allowed consumers to attach a hard drive and create personal cloud storage, had major security issues. These issues included security bugs and default login credentials that attackers could exploit to access sensitive consumer information stored on the devices. According to the FTC, in February 2014, hackers exploited these flaws to gain unauthorized access to over 12,900 consumers' devices. The FTC's complaint alleges various security misrepresentations by ASUS in marketing the routers to consumers, as well as insufficient security practices for addressing the routers' vulnerabilities.
Under the proposed consent order, ASUS must maintain a comprehensive security program to address security risks and protect the privacy and security of customer information, and will be subject to independent audits for 20 years. The consent agreement details that the comprehensive security program must include:
- The designation of an employee to coordinate and be held accountable for the security program;
- The identification of material internal and external risks to the security of ASUS routers that could result in unauthorized access to or unauthorized modification of the routers, and assessment of the sufficiency of any safeguards in place to control these risks;
- The identification of material internal and external risks to the privacy, security, confidentiality, and integrity of customer information that could result in the unintentional exposure of such information by consumers or the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
- Written risk assessments that consider risks in each relevant area of operation, including: (1) employee training and management, including in secure engineering and defensive programming; (2) product design, development, and research; (3) secure software design, development, and testing; (4) review, assessment, and response to third-party security vulnerability reports; and (5) prevention, detection, and response to attacks, intrusions, or systems failures;
- The design and implementation of reasonable safeguards to control the risks identified through risk assessment, including measures to identify potential security failures and to verify that access to ASUS routers is restricted consistent with a user's security settings;
- Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
- The development and use of reasonable steps to select and retain service providers capable of maintaining appropriate security practices, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with this order; and
- The evaluation and adjustment of the ASUS security program in light of the results of the testing and monitoring required by the program.
Under the order, ASUS must also obtain written assessments of its security program from "a qualified, objective, independent third-party professional" and provide them to the FTC, with the first report due 180 days after entry of the consent agreement and subsequent reports due every two years for the following 20 years. ASUS must also communicate clearly with its customers about security updates and recognized security flaws.
The consent order was published in the Federal Register on February 26, 2016, and will remain subject to public comment until March 24, 2016. In the meantime, the FTC has published tips for consumers who own ASUS routers to help them protect the security of their information. After the order is entered, each violation of the order can result in a civil penalty of up to $16,000.