Earlier this week, the FTC notified Verizon by letter that it has closed its investigation into whether Verizon violated Section 5 of the FTC Act by failing to secure certain routers supplied to the company’s broadband subscribers. The FTC’s investigation centered on Verizon’s practice of supplying routers that incorporated an outdated default security setting, an encryption standard known as Wired Equivalent Privacy (“WEP”). According to the FTC, flaws in WEP were identified by researchers in 2004, but Verizon continued until recently to ship some WEP router models. According to the FTC, this left some Verizon subscribers vulnerable to hackers.
In its letter, the FTC explained that the following factors led it to close its investigation:
- Verizon’s overall data-security practices related to its routers.
- Verizon’s efforts to mitigate the risk that subscribers using WEP-model routers would be vulnerable to hackers, including:
- by removing the WEP model routers from distribution centers and setting them to Wi-Fi Protected Access 2 (“WPA2”), ensuring that future distributed routers would be set by default to WPA2;
- by implementing an outreach campaign to subscribers currently using WEP or no encryption, and requesting that those subscribers change their security settings to WPA2; and
- offering upgrades to WPA2-compatible units for subscribers in possession of older, incompatible routers.
The FTC emphasized in its closing letter that “data security is an ongoing process.” The FTC also stated that “what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them,” so companies also must change and “adjust security practices accordingly.”
As we’ve previously reported, Verizon recently was the subject of an FCC consumer-privacy investigation regarding its failure to provide subscribers with required notices about Verizon’s use of Customer Proprietary Network Information (CPNI) and whether the company took too long to notify the FCC after discovering the error.