The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.
Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.
The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:
- failed to encrypt some types of sensitive personal information, including social security numbers
- did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
- failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
- provided little or no data-security training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
- released applications to the public without having tested whether they were secure.
Link: Press Release from Consumer Financial Protection Bureau | Full CFPB Complaint
The FBI has issued a warning in relation to the security risks that Internet of Things devices pose to consumers.
According to the FBI, the main security risks associated with Internet of Things devices are:
- an exploitation of the Universal Plug and Play protocol (UPnP), the mechanism by which a device connects to and communicates on a network automatically, without authentication, to gain access to Internet of Things devices,
- an exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information,
- overloading the devices to render the Internet of Things devices inoperable, and
- interfering with business transactions.
The FBI offers tips on how consumers and businesses can protect themselves, for example:
- isolate Internet of Things devices on their own protected networks,
- disable UPnP on routers,
- purchase Internet of Things devices from manufacturers with a track record of providing secure devices,
- regularly update Internet of Things devices with security patches,
- if a device comes with a default password or an open Wi-Fi connection, change the password and only allow it to operate on a home network behind a secured Wi-Fi router, and
- ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the internet.
Link: FBI announcement
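Two of the FBI's tips, disabling UPnP on the router and isolating IoT devices on their own network, are only useful if they are verified. UPnP devices answer a multicast SSDP "M-SEARCH" query on UDP 1900, so a short probe from each network segment shows what is still advertising itself; a router answering with an InternetGatewayDevice service type is one that has not actually had UPnP turned off. The following script is an added example, not from the FBI announcement or any vendor: the SSDP multicast address, port and M-SEARCH format are the standard UPnP values, while the sample response bytes (the 192.0.2.1 address, the all-zero UUID and the "example-router" server string) are constructed here purely so the parser can be exercised offline.

```python
import socket
from typing import Dict, List, Optional

# Standard SSDP multicast group and port used by UPnP discovery.
SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# M-SEARCH request in the form defined by the UPnP Device Architecture.
# ST: ssdp:all asks every UPnP device on the segment to answer.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")

# Constructed sample of what a router with UPnP IGD enabled would send back.
# Values are placeholders (documentation IP range, all-zero UUID), not real data.
SAMPLE_IGD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.0.2.1:1900/igd.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 example-router/1.0\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP-style SSDP reply into a dict of lower-cased headers.

    Returns None for anything that is not a '200 OK' unicast reply
    (NOTIFY announcements and malformed datagrams are ignored).
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if ":" not in line:
            continue  # tolerate junk lines from buggy firmware
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def summarize_device(headers: Dict[str, str], sender_ip: str) -> Dict[str, object]:
    """Reduce a parsed reply to the fields worth keeping in an inventory.

    'igd' is True when the device advertises an InternetGatewayDevice, i.e.
    a router whose UPnP service is still reachable from this segment.
    """
    st = headers.get("st", "")
    usn = headers.get("usn", "")
    return {
        "ip": sender_ip,
        "server": headers.get("server", "?"),
        "st": st or "?",
        "location": headers.get("location", "?"),
        "igd": "InternetGatewayDevice" in st or "InternetGatewayDevice" in usn,
    }


def discover(timeout: float = 3.0) -> List[Dict[str, object]]:
    """Send one M-SEARCH and collect every reply until the timeout elapses.

    Run this from each network segment (the isolated IoT VLAN and the main
    LAN): a correctly segmented network should show no IoT devices from the
    main LAN, and a router with UPnP disabled should never appear with igd=True.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, object]] = []
    try:
        sock.sendto(MSEARCH, (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append(summarize_device(headers, ip))
    except socket.timeout:
        pass  # no more replies within the window
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for dev in discover():
        flag = "UPnP IGD STILL ENABLED" if dev["igd"] else ""
        print(f"{dev['ip']:<15} {dev['server']:<40} {dev['st']} {flag}")
```

Only the live `discover()` call needs a network; `parse_ssdp_response` and `summarize_device` are pure functions so the classification logic can be checked against captured datagrams. An empty result from the main LAN after devices have been moved to their own segment, and no `igd=True` row from any segment, is the evidence that the two FBI recommendations have actually taken effect.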
The US Court of Appeals for the Third Circuit has confirmed the Federal Trade Commission’s (FTC) authority to take action against a private company for poor IT security practices under § 45(a) of the FTC Act, on the basis that they are “unfair or deceptive acts or practices in or affecting commerce”.
Wyndham (a hotel chain) had suffered a number of significant data breaches, and the FTC alleged that these were made possible by poor IT security practices, including storing payment information without encryption, failing to maintain and enforce IT security policies on hotel sites connecting to its central system, and failing to apply appropriate ‘incident response’ procedures.
Wyndham raised several arguments in support of its claim that the FTC’s “unfairness” authority did not extend to regulating data security:
- Wyndham argued that conduct is only unfair when it injures consumers through “unscrupulous or unethical behaviour”. The Court rejected this argument on the basis that these requirements are not part of the statutory meaning of “unfair”.
- Wyndham argued that it could not be taken to have treated its customers in an unfair manner when the business itself was also the victim of criminals’ activity. Again, the Court disagreed with this contention. The Court also held that a business could be subject to an unfairness claim even where the company’s conduct was not the proximate cause of an injury, as long as the company’s conduct facilitated the most proximate cause and the outcome was reasonably foreseeable.
The Court sent the case back to the US District Court to determine whether Wyndham’s security measures were indeed “unfair” within the meaning of the Act.
Link: FTC v Wyndham Worldwide Corporation