October 22, 2018

FTC Settlement Requires Fandango and Credit Karma to Establish Comprehensive Security Programs to Protect Consumers’ Sensitive Personal Information

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information. The FTC specifically alleged that, although the companies promised consumers that their information was adequately stored and transmitted, both failed to reasonably secure their mobile apps, leaving personal data such as credit-card information and Social Security numbers at risk of interception by third parties. In particular, among other claims, the FTC charged the companies with disabling Secure Sockets Layer (“SSL”) encryption, a default security process intended to protect consumers’ information by verifying the security of app communications and ensuring that an attacker cannot access any data sent or received.

The FTC alleged that these vulnerabilities easily could have been tested and prevented; however, each company failed to perform basic security reviews, including establishing an auditing process to oversee and examine security practices and vulnerability reports. The settlements therefore require that Fandango and Credit Karma establish comprehensive security programs that address any risks during the design and development stages of their apps. Fandango and Credit Karma also must agree to independent security evaluations every other year for the next 20 years.

More information on Fandango and Credit Karma’s respective settlements with the FTC can be found here and here.

© 2018 Covington & Burling LLP