Page 17 - Sheppard Mullin Eye on Privacy 2018 Year in Review
FTC Outlines Expected Privacy Program Elements in BLU Settlement
Posted on June 22, 2018
The FTC recently settled with the mobile phone company BLU Products, Inc., over allegations that the company let one of its vendors pull extensive and detailed personal information off of users’ phones. According to the FTC, BLU phones were pre-loaded with firmware-updating tools made by ADUPS Technology. Through that software, ADUPS was able to gain full administrative control of the phones, according to the FTC complaint. Indeed, the FTC alleged that the software transmitted to ADUPS, without users’ knowledge, the full content of text messages, real-time cell tower location data, contact lists, call logs, and lists of applications installed on the phones. This became public in November 2016, and BLU assured consumers on its website that these “unexpected” data collection practices had stopped. According to the FTC, though, older devices still carried the software.
The FTC alleged that BLU had engaged in deceptive practices, since its privacy policy said third parties had “access to personal information needed to perform their services or functions, but may not use it for other purposes.” Instead, the FTC stated, ADUPS had access to more information than it needed to perform its services. The FTC also found that BLU had been deceptive in stating that it had “appropriate physical, electronic, and managerial security procedures.” As part of the settlement, BLU agreed to implement and maintain a comprehensive security program and to have assessments of that program conducted every two years (for 20 years) by an external party qualified as a Certified Secure Software Lifecycle Professional. BLU also agreed to obtain informed express consent from consumers before their information is shared with third parties. The settlement did not include payment of civil penalties.
The settlement outlines the type of security program the FTC may expect companies to have, and it contains seven elements. Namely, (1) designating an employee (or employees) responsible for the program, (2) identifying risks that could result in unauthorized access to or modification of devices, (3) identifying risks that could result in unauthorized access to personal information, (4) designing and implementing reasonable safeguards to control the identified risks, (5) regularly testing or monitoring the effectiveness of those safeguards, (6) developing and using reasonable steps to select and retain service providers capable of safeguarding personal information, and (7) evaluating and adjusting the program in light of changes to business operations or of issues identified through steps five and six.
PUTTING IT INTO PRACTICE: This settlement provides a useful roadmap of FTC expectations regarding security. Although specific to a mobile device manufacturer, those in related industries may also want to review their current information security program against the seven-step model outlined by the FTC in this settlement.
DoC Comments on Privacy Shield In Advance of GDPR
Posted on May 22, 2018
The Department of Commerce issued an update to explain how it has supported the E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks. As we have written previously, the Shield gives E.U. companies a basis under which they can send personal data to entities in the U.S. The comments from Commerce come after the Europeans raised concerns about the sufficiency of the program, which is re-evaluated annually.
Some of the measures Commerce pointed to that it has implemented include a more rigorous review of corporate privacy policies and a requirement that companies delay public representations of Privacy Shield participation until the Department of Commerce’s review process is complete. Commerce also stated that it is conducting more monitoring of companies and is strengthening enforcement. In addition, the update calls for the appointment of a Privacy Shield Ombudsperson with whom consumers can raise concerns about corporate use of their information.
PUTTING IT INTO PRACTICE: These comments from the Department of Commerce show that the Department recognizes that Privacy Shield is under scrutiny as we come into the final few days before GDPR takes effect.