Your business is an international company selling products to U.S. consumers. In the last few years, you may have heard a lot about high-profile information privacy and security cases brought by the U.S. government. Should you be concerned? Most definitely.
On Feb. 23, 2016, the FTC announced that Taiwan-based computer hardware maker ASUSTeK Computers, Inc. (“ASUS”) agreed to a 20-year consent order, resolving claims that it engaged in unfair and deceptive practices in connection with routers it sold to U.S. consumers. According to the FTC’s complaint, ASUS failed to take reasonable steps to secure the software for its routers, which it offered to consumers specifically for protecting their local networks and accessing their sensitive personal information. The FTC alleged that ASUS’s router firmware and admin console were susceptible to a number of “well-known and reasonably foreseeable vulnerabilities”; that its cloud applications included multiple vulnerabilities that would allow cyber attackers to gain easy, unauthorized access to consumers’ files and router login credentials; and that the application encouraged consumers to choose weak login credentials. By failing to take reasonable actions to remedy these issues, ASUS subjected its customers to a significant risk that their sensitive personal information and local networks would be subject to unauthorized access.
As an illustration, the FTC cited a security incident in which hackers gained unauthorized access to the personal information of thousands of ASUS consumers due to the vulnerabilities in ASUS’s cloud services. These hackers posted a list of IP addresses for 12,937 vulnerable ASUS routers online, as well as the login credentials for 3,131 accounts.
Under the consent order, ASUS is required to establish, implement, and maintain a comprehensive security program, as well as obtain biennial assessments and reports from independent third-party auditors, for the next 20 years. In addition, ASUS must notify consumers of software updates or any reasonable steps a consumer could take to mitigate a known security flaw. The company is prohibited from misrepresenting the security of its products moving forward. Finally, during the next 20 years, ASUS must notify the FTC of any major changes within the company that may affect compliance obligations under the consent order.
One takeaway from this case is the broad scope of Section 5 of the FTC Act, under which the FTC prosecutes “unfair or deceptive acts or practices in or affecting commerce.” The term “unfair or deceptive acts or practices” includes not just domestic activities, but also “acts or practices involving foreign commerce that (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States.” In other words, being a foreign-based company is not an excuse for failing to safeguard the consumers’ personal information (both domestic and foreign consumers) in your custody. If your company’s products or services are directed to consumers in the United States, or if your company collects personal information from consumers in the United States, you may be subject to Section 5 regardless of where your headquarters is located. And the consequences for violating Section 5 can be costly.
What can you do to help prevent this from happening?
- Conduct internal reviews. You can start by reviewing your privacy and security policies, including those posted on your own websites and those distributed to your employees. You may also want to conduct data mapping of where you collect personal information to better assess your exposure.
- Educate yourself. Learning the current state of privacy and security laws and regulations is a must, but be careful to rely on reputable sources. Husch Blackwell’s white paper summarizes the FTC’s enforcement history on data security. You can also learn more from the FTC’s website.
- Discuss your situation with an attorney. Privacy lawyers are up to date on the latest laws and enforcement practices, and they can help you to review your infrastructure and compliance to give you recommendations moving forward. In addition to helping ensure your current business practices comply with relevant regulations, a good privacy attorney can help structure new ventures to make them more resilient to future evolution of international privacy laws.