March 25, 2019

March 22, 2019


FTC Outlines Expected Privacy Program Elements in BLU Settlement

The FTC recently settled with the mobile phone company BLU Products, Inc., over allegations that the company was letting one of its vendors pull extensive and detailed personal information off users’ phones. According to the FTC, BLU phones were pre-loaded with firmware updating tools made by ADUPS Technology. ADUPS, through its software, was then able to gain full administrative control of the phones, according to the FTC complaint. Indeed, the FTC alleged that the software transmitted to ADUPS, without users’ knowledge, the full content of text messages, real-time cell tower location data, contact lists, call logs, and lists of applications installed on the phones. This became public in November 2016, and BLU assured consumers on its website that these “unexpected” data collection practices had stopped. According to the FTC, though, older devices still had this software.

The FTC alleged that BLU had engaged in deceptive practices, since its privacy policy said third parties had “access to personal information needed to perform their services or functions, but may not use it for other purposes.” Instead, the FTC stated, ADUPS had access to more information than needed to perform their services. The FTC also found that BLU had been deceptive in stating that it had “appropriate physical, electronic, and managerial security procedures.” As part of the settlement, BLU has agreed to implement and maintain a comprehensive security program and have assessments conducted every two years (for 20 years) by an external party that is qualified as a Certified Secure Software Lifecycle Professional. BLU also agreed to obtain informed express consent from consumers to have their information shared with third parties. The settlement did not include payment of civil penalties.

The settlement outlines the type of security program the FTC may expect companies to have, and contains seven elements. Namely, (1) having an employee (or employees) in charge of the program, (2) identifying risks that could result in unauthorized access to or modification of devices, (3) identifying risks that could result in unauthorized access to personal information, (4) implementing reasonable safeguards to control the identified risks, (5) monitoring the effectiveness of the risks, (6) developing steps to make sure that service providers are retained that can safeguard personal information, and (7) evaluating and adjusting the program in light of changes to business operations or of issues identified in steps five or six.

Putting it into Practice: This settlement provides a useful roadmap of FTC expectations regarding security. Although specific to a mobile device manufacturer, those in related industries may also want to review their current information security program against the seven-step model outlined by the FTC in this settlement.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...