Today, the Federal Trade Commission announced settlements with two mobile app makers that allegedly failed to provide reasonable security for the personal information collected in connection with their apps. In complaints against Credit Karma, Inc. and Fandango LLC, the FTC alleged that both companies’ apps failed to validate SSL certificates, a security shortcoming that could have allowed an attacker to connect to the app—and collect unencrypted sensitive information—by presenting an invalid certificate. (This type of attack is sometimes called a “man-in-the-middle attack.”) Both respondents agreed to 20-year consent orders requiring, among other things, that they establish comprehensive information security programs.
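As an added illustration, not code from the post or from either company's app, the snippet below shows the kind of certificate-validation override that produces the shortcoming described above, beside the corrected form. It assumes a Java/Android HTTPS client (the post does not say which platform the apps ran on); the class and method names are invented for the example.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.cert.X509Certificate;

public class CertificateValidationExample {

    // WEAK: the anti-pattern behind "failed to validate SSL certificates".
    // An empty checkServerTrusted never throws, so any certificate,
    // including one presented by an interposed party, is accepted.
    // Shown only so reviewers can recognise it in a code audit.
    static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    // CORRECTED: passing null for the TrustManager array keeps the platform's
    // default trust store and chain validation; nothing is overridden.
    static SSLSocketFactory platformValidatingFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx.getSocketFactory();
    }

    // Opens an HTTPS connection that relies on default certificate and
    // hostname checks. Do not install a permissive HostnameVerifier
    // (e.g. one that returns true unconditionally); that is the same class
    // of defect as the TrustManager above.
    static HttpsURLConnection openValidated(String urlString) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        conn.setSSLSocketFactory(platformValidatingFactory());
        return conn;
    }
}
```

A code review or automated scan that flags empty `checkServerTrusted` bodies and custom `HostnameVerifier` implementations is the simplest way to catch this class of defect before release.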
These cases are important for a number of reasons: they reinforce past FTC guidance on the importance of performing security reviews and testing, overseeing service providers, and providing channels whereby security researchers can report vulnerabilities. But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of Section 5 of the FTC Act. Instead, both cases appear predicated upon the FTC’s authority to take action against companies engaged in “deceptive” practices.
The complaints assert that the respondents violated Section 5 by engaging in practices inconsistent with representations made to consumers about the security that would be provided for personal information. In other words, the cases are classic FTC deception cases. To be sure, the FTC often alleges deception in cases where it alleges a respondent has failed to provide reasonable security for personal data. But those allegations are often secondary to allegations that flawed security practices violate Section 5’s unfairness prong, regardless of the representations the respondent had made. Notable recent examples of this approach include the complaints against TRENDnet, HTC America, and DesignerWare (each of which was settled).
The notable omission of an explicit unfairness charge should be viewed in light of the Wyndham case, in which the FTC’s interpretation of its unfairness authority as a basis for pursuing companies for unreasonable data security practices is being challenged. A ruling on Wyndham’s motion to dismiss the FTC’s complaint should be issued in the near future. It is unclear whether the FTC’s actions today reflect hesitation on the part of the agency to assert a power that, in a matter of days or weeks, could be put into serious jeopardy.