The FTC recently settled with the mobile phone company BLU Products, Inc., over allegations that the company was letting one of its vendors pull extensive and detailed personal information off of users’ phones. According to the FTC, BLU phones were pre-loaded with firmware updating tools made by ADUPS Technology. Through that software, ADUPS was able to gain full administrative control of the phones, according to the FTC complaint. Indeed, the FTC alleged that the software transmitted to ADUPS, without users’ knowledge, the full content of text messages, real-time cell tower location data, contact lists, call logs, and lists of applications installed on the phones. This became public in November 2016, and BLU assured consumers on its website that these “unexpected” data collection practices had stopped. According to the FTC, though, older devices still had this software.

The FTC alleged that BLU had engaged in deceptive practices, since its privacy policy said third parties had “access to personal information needed to perform their services or functions, but may not use it for other purposes.” Instead, the FTC stated, ADUPS had access to more information than it needed to perform its services. The FTC also alleged that BLU had been deceptive in stating that it had “appropriate physical, electronic, and managerial security procedures.” As part of the settlement, BLU has agreed to implement and maintain a comprehensive security program and to have assessments conducted every two years (for 20 years) by an external party that is qualified as a Certified Secure Software Lifecycle Professional. BLU also agreed to obtain informed express consent from consumers before sharing their information with third parties. The settlement did not include payment of civil penalties.

The settlement outlines the type of security program the FTC may expect companies to have, and contains seven elements. Namely, (1) designating an employee (or employees) to be in charge of the program, (2) identifying risks that could result in unauthorized access to or modification of devices, (3) identifying risks that could result in unauthorized access to personal information, (4) implementing reasonable safeguards to control the identified risks, (5) monitoring the effectiveness of those safeguards, (6) developing steps to make sure that the service providers retained are capable of safeguarding personal information, and (7) evaluating and adjusting the program in light of changes to business operations or of issues identified in steps five or six.

Putting it into Practice: This settlement provides a useful roadmap of FTC expectations regarding security. Although it is specific to a mobile device manufacturer, companies in related industries may also want to review their current information security programs against the seven-step model outlined by the FTC in this settlement.