The FTC has brought its first data security enforcement action involving the “Internet of Things.” See the FTC’s Complaint at here. According to the complaint, TRENDnet, a seller of Internet Protocol (“IP”) cameras, failed to implement reasonable security procedures in the design and implementation of its cameras, the accompanying software, and related mobile apps. Hackers subsequently gained access to TRENDnet’s website and live feed from approximately 700 IP cameras. Through this unauthorized access, hackers broadcast live footage of adults and children in their homes – engaging in their daily activities – to the Internet.
The FTC brought a claim for deceptive practices under Section 5 of the FTC Act, alleging that TRENDnet had touted its camera’s use for securing people and property and then failed to provide adequate security for the information obtained through those cameras. The Commission also claimed these failures, taken together, constituted unfair practices under Section 5.
The FTC’s specific allegations provide a roadmap for its enforcement priorities. The complaint emphasizes that TRENDnet failed to:
- Secure transmission of login credentials over the Internet, instead transmitting them in clear, readable text;
- Store credentials in a secure manner, instead storing them in clear, readable text on a user’s mobile device;
- Implement a process for active monitoring of publically known security vulnerabilities, which would have allowed TRENDnet to address them;
- Employ reasonable and appropriate security in the design and testing of software that TRENDnet provided with its IP cameras.
TRENDnet is different from routine data breach cases resulting from allegedly inadequate safeguards in its emphasis on the connectivity between the tangible device and the Internet. The FTC held TRENDnet responsible for failing to implement safeguards during the testing, design, and development of the software and the mobile apps that linked its devices to the Internet. The message from the TRENDnet complaint is that the FTC will hold sellers of tangible items connected to the Internet to the same security standards as those companies which solely collect and use consumer data online.
The FTC will be holding a workshop in November on the “Internet of Things,” and companies should expect the FTC’s continued attention to this emerging frontier.
