The FTC recently settled with the mobile phone company BLU Products, Inc., over allegations that the company was letting one of its vendors pull extensive and detailed personal information off of users’ phones. According to the FTC, BLU phones were pre-loaded with firmware updating tools made by ADUPS Technology. Through this software, ADUPS was able to gain full administrative control of the phones, according to the FTC complaint. Indeed, the FTC alleged that the software transmitted to ADUPS, without users’ knowledge, the full content of text messages, real-time cell tower location data, contact lists, call logs, and lists of the applications installed on the phones. This became public in November 2016, and BLU assured consumers on its website that this “unexpected” data collection practice had stopped. According to the FTC, though, older devices still carried the software.
The settlement outlines the type of security program the FTC may expect companies to have, and it contains seven elements. Namely, (1) having an employee (or employees) in charge of the program, (2) identifying risks that could result in unauthorized access to or modification of devices, (3) identifying risks that could result in unauthorized access to personal information, (4) implementing reasonable safeguards to control the identified risks, (5) monitoring the effectiveness of those controls, (6) taking steps to ensure that the service providers retained are capable of safeguarding personal information, and (7) evaluating and adjusting the program in light of changes to business operations or of issues identified in steps five or six.
Putting it into Practice: This settlement provides a useful roadmap of FTC expectations regarding security. Although specific to a mobile device manufacturer, those in related industries may also want to review their current information security program against the seven-step model outlined by the FTC in this settlement.