We use cookies to give you the best online experience. By using our website you agree to our use of cookies in accordance with our cookie policy. Learn more here.Close Me
The FTC recently settled with the mobile phone
company BLU Products, Inc., over allegations that the company was
letting one of its vendors pull extensive and detailed personal
information off of users' phones. According to the FTC, BLU
phones were pre-loaded with firmware updating tools made by ADUPS
Technology. ADUPS, through its software, was then able to gain full
administrative control of phones, according to the FTC complaint. Indeed, the FTC
alleged that the software transmitted to ADUPS, without users
knowledge, full content of text messages, real-time cell tower
location data, contact lists, call logs, and lists of applications
installed on phones. This became public in November 2016, and BLU
assured consumers on its website that this "unexpected"
data collection practices had stopped. According to the FTC,
though, older devices still had this software.
The FTC alleged that BLU had engaged in deceptive practices,
since its privacy policy said third parties had "access to
personal information needed to perform their services or functions,
but may not use it for other purposes." Instead, the FTC
stated, ADUPS had access to more information than needed to perform
their services. The FTC also found that BLU had been deceptive in
stating that it had "appropriate physical, electronic, and
managerial security procedures." As part of the
settlement, BLU has agreed to implement and maintain a
comprehensive security program and have assessments conducted every
two years (for 20 years) by an external party that is qualified as
a Certified Secure Software Lifecycle Professional. BLU also
agreed to obtain informed express consent from consumers to have
their information shared with third parties. The settlement did not
include payment of civil penalties.
The settlement outlines the type of security program the FTC may
expect companies to have, and contains seven elements. Namely, (1)
having an employee (or employees) in charge of the program, (2)
identifying risks that could result in unauthorized access or
modification of devices, (3) identification of risks that could
result in unauthorized access of personal information, (4)
reasonable safeguards to control identified risks, (5) monitoring
of the effectiveness of risks, (6) developing steps to make sure
services providers are retained that can safeguard personal
information, and (7) evaluating and adjusting the program in light
of changes to business operations or that come out of issues
identified in steps five or six.
Putting it into Practice: This settlement provides a
useful roadmap of FTC expectations regarding security. Although
specific to a mobile device manufacturer, those in related
industries may also want to review their current information
security program against the seven-step model outlined by the FTC
in this settlement.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
About:
Sheppard Mullin partner Townsend Bourne will present “Cybersecurity Compliance Frameworks for Government Contracting” at the National Contract Management Association’s Government Contract Management Symposium at the Hyatt Regency Crystal City in Arlington, Virginia.
The annual seminar addressing changes and developments in state and federal wage and hour laws is a unique one-day program and hundreds of California employers, personnel managers, controllers, attorneys, payroll managers, and supervisors attend each year.
This year registrants will receive a free copy of the New 2019 Edition of the WAGE AND HOUR MANUAL FOR CALIFORNIA EMPLOYERS by Attorney Simmons (over 1020 pages). The book is the only one of its kind and is widely recognized as the leading text in its field.
The seminar is designed to provide a guide to Human Resource Officials, Personnel Specialists, Consultants, Supervisors and other management officials through the ever-increasing maze of state and federal employment discrimination laws.
The California Department of Fair Employment and Housing and the FEHC have both recognized the value of this manual and obtained copies for investigators, consultants and supervisors throughout California.
The Situation: The European Union's General Data Protection Regulation ("GDPR") has raised questions regarding the scope of coverage and protection afforded by current cyber policies,
For your ease of reference, we reproduce here a formatted, hyperlinked copy of the California Consumer Privacy Act of 2018 (CCPA), current as of October 15, 2018.
In a new class action filed recently against a hospital housekeeping company, employees allege their employer's fingerprint scanning time-tracking system runs afoul of privacy laws.
As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Mayer Brown's Tech Talks, Episode 3: The Big Data Paradox (Video)
