May 11, 2017
Aggressive Regulation on Data Breaches
by John Farley
The FTC appears to be taking preemptive measures against a company making IoT devices, not waiting for a cyberattack to occur first.
Below is an excerpt from John Farley's new book: "Online and Under Attack: What Every Business Needs To Do Now To Manage Cyber Risk and Win Its Cyber War."
The Internet of Things
Every one of us lives in a brave new connected world. For most of us, our first foray into the online world occurred at work, as businesses discovered that the internet offered efficiencies that made them more competitive. The convenience of the internet has since spilled over in dramatic fashion into our personal lives. The average home contains 13 internet-connected devices, and that number is growing fast. This has given birth to the term we know today as the Internet of Things (IoT). According to the FTC's 2015 staff report "Internet of Things: Privacy and Security in an Interconnected World," the number of internet-connected devices surpassed the number of people living on the earth several years ago. As of 2015, there were an estimated 25 billion internet-connected devices. The FTC estimates that this number will double to 50 billion by 2020.
Consumers love the convenience that these products bring, and manufacturers recognize this. There has been a tremendous rush to market, as everything from security cameras, DVRs, routers, TVs, cars and thermostats to children's toys is being designed to connect to the internet. The list grows daily. Unfortunately, recent history has shown that as manufacturers hurry to capture their share of the market for these devices, many have ignored security at the design stage. Instead, the focus has been on getting products manufactured quickly and economically. Extra steps in the product design stage, such as addressing security, would likely increase design time, make devices more difficult for the consumer to set up and ultimately increase cost. As a result, many products in our homes lack basic cybersecurity controls and are exposed to online threats, as demonstrated earlier in this book by the attack on Dyn (Dynamic Network Services) in October 2016. Many products ship with easily guessed default passwords, or none at all. When security flaws are recognized by manufacturers, the devices are often not easily patchable.
The FTC has taken notice and made its concerns heard in January 2017 by filing a lawsuit against Taiwan-based D-Link Corporation and its U.S. subsidiary, D-Link Systems. In the complaint, the FTC alleges the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers' privacy at risk. D-Link sells networking equipment for consumers' home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to do things like monitor their homes and children in real time: consumers simply access the live feeds from their home cameras using their mobile devices or any computer.
The crux of the lawsuit is the allegation that D-Link failed to protect consumers from "widely known and reasonably foreseeable risks of unauthorized access." Specifically, the FTC alleges that D-Link failed to do the following:
- Take reasonable software testing and remediation measures to protect its routers and IP cameras against well-known and easily preventable software security flaws that would potentially allow remote attackers to gain control of consumers’ devices.
- Take reasonable steps to maintain the confidentiality of the private key D-Link used to sign its software, which resulted in that private key being exposed on a public website for approximately six months.
- Use free software, available since at least 2008, to secure users' mobile app login credentials; instead, the app stored those credentials in clear, readable text on users' mobile devices.
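The third allegation sets a weak practice beside an available fix. The Go program below is an illustration added here; it is not code from D-Link, the FTC or the book. It writes a saved login the way the complaint describes (serialised as readable text), then seals the same record with AES-256-GCM under a key that a real mobile app would generate in and retrieve from the platform keystore (Android Keystore or iOS Keychain; here the key is simply random bytes held in memory). The `LeaksSecret` function is the check an auditor or pentester runs against an app's data directory: does the password appear verbatim in what was written to storage? The username, password and field names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Credentials is the mobile app's saved login for a camera or router.
type Credentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// SaveClearText mirrors the practice the complaint describes: the record is
// serialised and written to app storage exactly as typed by the user.
func SaveClearText(c Credentials) []byte {
	b, _ := json.Marshal(c)
	return b
}

// SaveEncrypted seals the same record with AES-256-GCM. The 32-byte key is
// assumed to come from the platform keystore; the random nonce is prepended
// to the ciphertext so LoadEncrypted can recover it.
func SaveEncrypted(c Credentials, key []byte) ([]byte, error) {
	plaintext, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// LoadEncrypted opens a record written by SaveEncrypted. GCM authenticates
// the ciphertext, so any edit to the stored bytes (or the wrong key) is
// rejected instead of yielding garbage credentials.
func LoadEncrypted(stored, key []byte) (Credentials, error) {
	var c Credentials
	block, err := aes.NewCipher(key)
	if err != nil {
		return c, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return c, err
	}
	if len(stored) < gcm.NonceSize() {
		return c, errors.New("stored record too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(pt, &c)
	return c, err
}

// LeaksSecret is the storage audit: true if the secret appears verbatim in
// the bytes the app wrote to disk.
func LeaksSecret(stored []byte, secret string) bool {
	return bytes.Contains(stored, []byte(secret))
}

func main() {
	creds := Credentials{Username: "admin", Password: "camera-Pa55"} // constructed sample
	key := make([]byte, 32) // stands in for a keystore-held key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}

	clear := SaveClearText(creds)
	fmt.Printf("clear-text record leaks password: %v\n", LeaksSecret(clear, creds.Password))

	sealed, err := SaveEncrypted(creds, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted record leaks password:  %v\n", LeaksSecret(sealed, creds.Password))

	back, err := LoadEncrypted(sealed, key)
	fmt.Printf("round trip: %+v (err=%v)\n", back, err)

	sealed[len(sealed)-1] ^= 0x01 // simulate someone editing the stored file
	_, err = LoadEncrypted(sealed, key)
	fmt.Printf("tampered record rejected: %v\n", err != nil)
}
```

The design point is that encryption at rest only helps if the key is not sitting next to the ciphertext: a key embedded in the app binary or written to the same directory turns the "encrypted" file back into clear text for anyone who can read the device. That is why the key in a real implementation belongs in the OS keystore, which is exactly the kind of freely available protection the complaint says D-Link did not use.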
The case is especially noteworthy because it does not allege a known breach of D-Link devices. Instead, the FTC appears to be acting on the weaknesses themselves, without waiting for a successful cyberattack to occur first. For guidance on what the FTC expects, we may refer back to its 2015 staff report "Internet of Things: Privacy and Security in an Interconnected World." In that report, the FTC makes the following recommendations:
- Build security measures into devices from the outset and at every stage of development; don't wait to bolt on security after the devices have already been produced and sold.
- Consistently maintain up-to-date software to secure consumer personal information, and ensure regular software testing. Any identified vulnerabilities should be remediated promptly, connected devices should be monitored throughout their life cycles, and security patches should be issued to cover known risks.
- Implement reasonable access-control measures for IoT devices, including making sure that proprietary device signing keys remain confidential.
- Accurately describe the products' safety and security features in marketing and promotional materials.