8 March 2018
The Federal Trade Commission (‘FTC’) issued, on 28 February 2018, its report on improving mobile security update practices (‘the Report’). The Report builds on information provided by eight mobile device manufacturers on their practices, including Apple Inc., Google LLC and Samsung Electronics America, Inc., in response to an FTC order issued in May 2016, as well as on responses to a parallel inquiry initiated by the Federal Communications Commission. In particular, the Report outlines the main issues that the industry faces in providing mobile security updates and includes recommendations on how to improve them.
Scott D. Delacourt, Partner at Wiley Rein LLP, told DataGuidance, “The Report is a call to action to manufacturers in a variety of areas […] The biggest takeaway is that manufacturers should make sure they have rigorous situational awareness of their own security updating practices, that they are being consistent in those practices, and that they are benchmarking them against the broader industry. This will not likely require a major adjustment for most manufacturers because market pressures compel them to be vigilant on mobile device security. Every breach and malware attack is a threat to their brand.”
The recommendations listed in the Report include educating consumers on the importance of security updates; adopting a ‘start with security’ approach; keeping, consulting and sharing records on security update processes with partners; streamlining that process; and providing consumers with more and better information to support the security update process.
Melissa Maalouf, Shareholder at ZwillGen PLLC, said, “While the Report is just ‘guidance’ and not law, the FTC often looks to the recommendations in its guidance documents as factors to consider when evaluating whether a company’s privacy and/or security practices constitute an unfair or deceptive act or practice under the FTC’s broad enforcement authority under Section 5 of the FTC Act of 1914 […] It is very likely that the recommendations in the Report will be taken into account by the FTC in analysing future data security/breach cases involving security vulnerabilities that were not patched but could have been.”
The Report identifies key issues affecting the delivery of security updates by device manufacturers, highlighting that the complexity of the mobile ecosystem makes the security update process itself complex and time-consuming. The FTC listed additional issues, such as uneven adoption of steps to streamline the security update process, which causes time gaps between the discovery of vulnerabilities and patching; the lack of formal support policies, which results in variable update support periods and update schedules; and the lack of record keeping about update support decisions.
Maalouf concluded, “The recommendations on the whole are relatively general, but they signal that the FTC does not believe that the burden should only be on consumers to proactively install security patches, and instead that the burden should be shared with manufacturers and other players in the mobile device chain to develop solutions […] While the Report is focused on mobile devices, it will have a significant impact on all Internet of Things devices that are potentially vulnerable to attack […] As hackers become increasingly savvy when it comes to exploiting vulnerabilities, it is also increasingly important for the industry to develop a process to address these risks […] Implementing sound security update processes, while potentially resource-intensive in the short term, will likely provide many benefits in the long run.”
PASCALE ARGUINARENA | Privacy Analyst