Washington, DC - Keep a watchful eye on your service providers. For conscientious companies, that’s Privacy & Data Security 101. It’s also a key compliance tip from the FTC’s proposed settlement with mobile device manufacturer BLU.
Florida-based BLU sells mobile devices – according to the company, more than 50 million of them – through big-name national and global retailers. It outsources production to manufacturers who build the devices to BLU’s specifications. BLU is also responsible for selecting preinstalled software, the default settings, and certain security features.
Among other claims, BLU made two express promises to its customers. First, BLU said, “We limit the disclosure of your information to only the third parties (e.g. service providers) we use to fulfill our obligations to you” – for example, taking orders, delivering packages, or processing payments. “These companies have access to personal information needed to perform their services or functions, but may not use it for other purposes.” Second, BLU said that it exercises “appropriate physical, electronic, and managerial security procedures to help protect” customers’ personal information.
So how did a third-party software company end up in possession of highly confidential data from BLU customers, including the contents of their text messages? The complaint recaps how that allegedly happened.
Since at least 2015, BLU directed manufacturers to preinstall software from a Chinese company, ADUPS Technology. ADUPS offers advertising, data mining, and firmware over-the-air (FOTA) update services to mobile and Internet of Things connected devices. (FOTA updates allow manufacturers to issue security patches or operating system upgrades to devices over wireless and cellular networks.) BLU signed a contract to have ADUPS perform FOTA updates on its devices. That was all ADUPS was supposed to do, but according to the FTC, that’s not all ADUPS did.
Until at least November 2016, ADUPS software on BLU devices transmitted personal information about consumers to ADUPS’ servers in China without consumers’ knowledge and consent. We’re talking about the content of their texts, real-time cell tower location data, call and text logs with full phone numbers, contact lists, and the apps on each device. According to the complaint, ADUPS’ software transmitted consumers’ texts to its servers every 72 hours and sent back real-time location data every 24 hours. And let’s be clear: That’s not information ADUPS “needed to perform their services or functions.”
The proposed complaint alleges that BLU and company president Samuel Ohev-Zion deceptively represented: 1) that they limited the disclosure of users' information to third-party service providers only to the extent necessary to perform their services, and 2) that they implemented appropriate physical, electronic, and managerial security procedures to protect consumers' information. To settle the case, the respondents have agreed – among other things – to a mandated data security program and data security assessments by a third party. The order also requires that they get express affirmative consent from consumers before collecting or disclosing their geolocation information or the content of their communications.
The FTC is accepting public comments about the proposed settlement until May 30, 2018. What can other companies learn from the FTC’s latest law enforcement action?
Spell out your privacy and security expectations to service providers. Before you hire a company to process sensitive data, dive into due diligence. Understand how their services work, what you are giving them access to, and what needs to be done to conform their conduct to the promises you make to customers. Build those considerations into your contracts.
Monitor contractors’ compliance. The ink may be dry, but the job has just begun. Build in procedures to keep an eye on what service providers are doing on your behalf. It’s been a cornerstone of Start with Security, Stick with Security, and years of FTC cases: Sensible data practices – including verifying that contractors are living up to your privacy and security expectations – are an ongoing process.
Review your privacy promises from the perspective of a potential service provider. How often should a company reread its privacy policy? The obvious answer is regularly, but one milestone that should definitely trigger a careful reassessment is when you’re thinking about bringing on a service provider who will have access to sensitive information.
The discovery of a data mistake should motivate a company to look forward – and back. When a business gets credible information about a privacy or security lapse, it’s important to reassess policies and practices for the future. But what about existing customers? Think through what needs to be done to protect them, too.