FTC settles with cellphone manufacturer over data security issues
On April 30, the FTC and a Florida cellphone manufacturer entered into a settlement over allegations that the manufacturer allowed third party data collection from customer phones after falsely claiming data collection was limited only to information needed by the third parties to perform requested services. According to the complaint, released at the same time as the settlement, the manufacturer contracted with a Chinese technology company to issue security and operating system updates to the manufacturer’s devices. When issuing those updates, the Chinese company collected and transferred personal information about the device owners without their consent or knowledge, including text messages, call logs, and contact lists. In November 2016, the public became aware of this practice and the manufacturer issued a notice informing its customers that the Chinese company changed its software to no longer collect the personal information. However, the manufacturer allegedly continued to allow this practice on older devices. The FTC alleges that the manufacturer failed to perform adequate due diligence in the selection of the Chinese company and failed to adopt and implement written security standards for their third-party providers. Under the settlement, the manufacturer, among other things, is (i) prohibited from future misrepresentations about security and privacy; (ii) required to establish and implement a comprehensive data security program; and (iii) subject to data security assessments every two years by a third party for the next 20 years.