Internet of Things: FTC Settlement Again Emphasizes the Need to Protect Consumers

Nossaman LLP

On February 23, the FTC announced that computer hardware maker ASUSTeK Computer, Inc. agreed to settle charges that it allegedly failed to protect consumers as required by federal law. The announcement of this settlement is significant because it represents yet another example of the FTC’s efforts to protect consumers in the face of increasing incidents of privacy invasions vis-a-vis the Internet of Things.

The impetus for the FTC complaint was an anonymous message sent from hackers to over 12,000 consumers that said: “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” The FTC’s complaint alleged that those routers contained security flaws, and that ASUSTeK was offering insecure cloud services even though it advertised its routers as having security protections and described the cloud storage as “secure” space. In sum, the FTC alleged that ASUSTeK’s routers had multiple vulnerabilities, that it failed to provide timely notice to customers about the security vulnerabilities, and that it failed to take reasonable steps to protect consumers from known vulnerabilities.

The proposed settlement agreement contains two noteworthy provisions.  First, ASUSTeK agreed to accurately disclose the extent of its router security protections to its customers.  Second, ASUSTeK agreed to establish, implement, and maintain a security program.  The program would include the identification of security risks in the areas of employee training, product design, and software design.  ASUSTeK also agreed to hire a third-party consultant to analyze its security program.  Consumers are probably asking why these controls were not already in place before the hack.

As the breadth of consumer products that comprise the Internet of Things expands, more companies will be selling and promoting products that could contain security risks similar to those present in ASUSTeK’s routers.  This proposed settlement builds on previous FTC actions and its 2015 Staff Report, which provides the FTC’s views on the Internet of Things and recommendations for best practices.  In particular, the security program set forth in the proposed settlement agreement provides a best practices model for companies that manufacture and/or sell products tied to the internet to aid in compliance with federal law protecting consumer privacy.  Companies that fail to implement or maintain the controls described in the ASUSTeK settlement should be wary in the event they get hacked.

This action highlights the struggle to develop federal laws and associated best practices governing privacy and cybersecurity. On one hand, the FTC continues to take a strong stance to protect consumer privacy and require companies to take action to protect data. On the other hand, in the widely discussed debate over whether Apple should be required to develop a key to unlock the iPhone used in connection with the San Bernardino attack, the FBI is seeking an encryption and security workaround. This conflict between privacy protections and access to data will continue to shape the development of federal law in this area.

Comments on the FTC’s proposed settlement are due to the FTC by March 24, 2016.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising
