Federal Trade Commission (FTC) Settles with HTC America Over Charges it Failed to Secure Smartphone Software
Smartphone manufacturer HTC agreed in February to settle Federal Trade Commission (FTC) charges that the company failed to take reasonable steps to secure software it developed for its mobile devices, including smartphones and tablet computers. In its complaint, the FTC charged HTC with violations of the Federal Trade Commission Act. On July 2 the FTC approved a final order settling these charges.
The FTC alleged HTC failed to employ reasonable security measures in its software, which led to the potential exposure of consumers’ sensitive information. Specifically, the FTC alleged HTC failed to implement adequate privacy and security guidance or training for engineering staff and failed to follow well-known and commonly accepted secure programming practices which would have ensured that applications only had access to users’ information with their consent. Further, the FTC alleged the security flaws exposed consumers to malware which could steal their personal information stored on the device, the user’s geolocation information and the contents of the user’s text messages.
HTC is a manufacturer of smartphones but it also installs its own proprietary software on each device. It is this software that the FTC targeted. While HTC smartphones run Google’s Android operating system, the HTC software allegedly introduced significant vulnerabilities which circumvented some of Android’s security measures.
As part of the settlement consent order, HTC agreed to issue security patches to eliminate the vulnerabilities. HTC also agreed to establish a comprehensive security program to address the security risks identified by the FTC and to protect the security and confidentiality of consumer information stored on or transmitted through an HTC device. HTC further agreed to hire a third party to evaluate its data and privacy security program and to issue reports every two years for the consent order’s 20-year term. The FTC’s policy makes it clear that companies must affirmatively address both privacy and data security issues in their custom applications and software for consumer use.