The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information. The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately stored and transmitted, both failed to reasonably secure mobile apps, leaving personal data such as credit-card information and Social Security numbers at risk for interception by third parties. In particular, among other claims, the FTC charged the companies with disabling Secure Sockets Layer (“SSL”) encryption, a default security process intended to protect consumers’ information by verifying the security of app communications and ensuring that an attacker cannot access any data sent or received.
The FTC alleged that these vulnerabilities easily could have been tested and prevented, however, each company failed to perform basic security reviews, including establishing an auditing process to oversee and examine security practices and vulnerability reports. The settlements therefore require that Fandango and Credit Karma establish comprehensive security programs that address any risks during the design and development stages of their apps. Fandango and Credit Karma also must agree to independent security evaluations every other year for the next 20 years.