In my last post, we discussed how the FTC used its powers in commerce to protect customers from cybersecurity threats. We specifically looked at the case FTC versus Wyndham Worldwide Corporation, where the FTC established that unsafe cybersecurity practices violated consumer fairness laws.
In this post, we’ll examine the case of the FTC versus ASUS, a technology company that sells computers and an assortment of computer accessories. The investigation focused on ASUS brand routers, which went on the market in 2009. It took until 2012 to find the security vulnerabilities, and then another couple of years to file a formal complaint due to ASUS being unresponsive and unwilling to fix the problem.
FTC charged the Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk
The charge was a classic case of false advertising, but with a digital twist. ASUS claimed that their new routers made private servers for your sensitive information just by plugging a flash drive into the hardware, but that was far from the truth.
Third-party security researchers investigated this system and found that the “secure” routers were made with little to no intentions of security in mind. They contacted ASUS in November of 2013, but ASUS took no action. The researchers attempted to talk to ASUS about the issue multiple times but received no assurance that the security problems would be solved.
After media coverage of the security concerns appeared in Europe, ASUS took notice and released firmware updates without even notifying their customers. As a result of their inadequacy, hackers exploited the vulnerabilities on February 1, 2014, and the data of thousands of customers was stolen and put on online.
Unfair Security Practices
The FTC wrote a formal complaint about this and was very knowledgeable about fine technical details in their documents. This seems abnormal for a government agency, but it just shows that more tech-savvy people are entering the workforce as time progresses. Their complaint was ten pages long, included five counts against ASUS, but 80% of the complaint focused on unfair security practices. ASUS most likely thought they would avoid trouble by relying on their assumption of the technological ignorance of FTC investigators, but they were wrong.
This shows how important cybersecurity is becoming for businesses all around the world, and that the FTC is taking notice.
What will you do to protect your customers?