In its first move to address privacy concerns raised by the interconnectivity of multiple devices commonly referenced as the “Internet of Things,” the Federal Trade Commission last week entered an agreement with TrendNet, resolving allegations that the company failed to adequately protect its customers’ private video feeds.
TrendNet, a retailer of Internet and other mobile devices, manufactures IP cameras that permit customers to monitor their homes or businesses remotely, via live video and audio feeds. The live feeds are transmitted over the Internet and can be accessed by the customer via computer or mobile device.
Though TrendNet advertised its SecurView cameras to customers as secure, the Commission alleges the company’s representations were misleading. According to the Commission’s complaint, from January 2010, the company, whose motto is “Networks People Trust,” transmitted unencrypted user login credentials over the Internet and failed to implement reasonable security measures to prevent unauthorized access to live feeds. The Commission also alleges TrendNet failed to take reasonable steps to ensure that its customers’ security settings would be honored.
In January 2012, a hacker publicly exposed the flaw in TrendNet’s system, posting links to almost 700 customers’ live feeds. The feeds displayed footage of infants sleeping in cribs, young children playing, and private rooms in customers’ homes. TrendNet issued a software patch to resolve the problem affecting 20 of its IP camera models, but it was not an automatic upgrade.
Pursuant to its agreement with the Commission, TrendNet is immediately required to install and maintain a comprehensive security program to protect its customers’ personal information. TrendNet is also required to conduct periodic risk assessments of its security systems for the next 20 years, which will include responding to third-party security vulnerability reports.
TrendNet also must notify its customers of the flaw that allowed third parties to access their live feed information and provide instructions and live customer support on how to resolve the flaw.
Though this is the Commission’s first order against this type of retailer, this case parallels other actions taken by the Commission against companies that misrepresented the nature or extent of their measures to protect their customers’ personal information. As recently as last month, the Commission issued an administrative Part 3 complaint against medical testing laboratory LabMD, Inc. for failing to protect the security of the medical information and other personal data of nearly 10,000 consumers.
Practical Points to Consider
As companies continue to develop interconnected products that link to the Internet, consumer privacy and security issues will become increasingly important. Some practical points for any business to consider are the following:
- If your company is responsible for accessing or storing a customer’s sensitive information, take reasonable steps to ensure that information is secure.
- Periodically assess your system for risks, for instance, by implementing regular vulnerability testing or by conducting a periodic review of third-party vulnerability reports.
- Regularly audit your system to verify that data access restrictions are consistent with each user’s individual security settings.
- To minimize risk further, periodically assess whether the consumer information being collected and retained is actually necessary to the successful operation of your business.