Crowell & Moring

FTC Settles IoT Enforcement Action; HHS Releases HIPAA/NIST Crosswalk; HHS Provides FAQs on Patient Fees for PHI Release; Judicial Redress Act Becomes Law

FTC Identifies Reasonable Security Measures Through IoT Enforcement Action

The Federal Trade Commission (FTC) settled charges with ASUSTek Computer, Inc. (ASUS), a manufacturer of home router and home networking (or “home cloud”) equipment, related to the security of the devices. According to the settlement, ASUS advertised that its home routers and networking equipment could protect the connected computers “from any unauthorized access, hacking, and virus attacks.” The FTC alleged, however, that ASUS did not secure data in a reasonable way and instead exposed consumers to hackers. The settlement emphasizes the FTC’s interest in securing devices connected to the Internet of Things (IoT) and provides additional guidance regarding the FTC’s view of “reasonable” security.

The FTC’s complaint alleged the following:

  • Some ASUS equipment provided “home cloud” features that allowed consumers to connect storage devices (such as a USB hard drive) to the routers to allow household members to access the storage from multiple devices, and even over the internet. The FTC alleged that the application to access the “home cloud” contained multiple vulnerabilities that allowed hackers to access the information simply by finding out the router’s IP address and bypassing the access page.
  • The ASUS web application allegedly stored login credentials in plain text, a vulnerability that allowed attackers to gain full access to the router and its settings. The FTC alleged that consumers were not timely notified of the vulnerability despite consumer complaints. Indeed, ASUS allegedly waited eight months after developing the fix to notify its customers by email.
  • According to the FTC, ASUS claimed that its remote access features provided a secure way to transfer files. However, the information in transit was allegedly not encrypted. Moreover, during system setup, the file sharing feature defaulted to “limitless access rights.” This allegedly created a file transfer protocol (FTP) server that would provide anyone on the internet who had the router’s IP address with access to the consumer’s USB storage device. The FTC also criticized the fact that the setup options did not explain the information access/sharing settings to consumers.

This case provides important FTC enforcement takeaways. Companies (particularly those in the IoT field) must “provide reasonable security in the design and maintenance” of their equipment. Per the ASUS complaint, the FTC considers reasonable security to include the following actions:

  1. use readily-available secure protocols when designing features intended to provide consumers with access to sensitive data;
  2. implement secure default settings, or at least provide information about security settings choices;
  3. prevent consumers from using weak default login credentials to protect critical security features or sensitive data;
  4. provide reasonable and appropriate review and testing of the software to verify that access to data is restricted consistent with users’ privacy and security settings;
  5. perform vulnerability and penetration testing that tests for both well-known and reasonably foreseeable vulnerabilities;
  6. implement readily-available, low-cost protections (such as session time-outs) against well-known and reasonably foreseeable vulnerabilities;
  7. maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics;
  8. sufficiently analyze reported vulnerabilities to correct or mitigate all reasonably detectable instances of a reported vulnerability; and
  9. provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks.

While the rules above will technically only apply to ASUS through the proposed consent order, they provide valuable guidance for other IoT companies regarding the FTC’s security expectations.
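One way to turn the FTC's criteria into an engineering check, as an added example that is not from the Crowell & Moring alert or from ASUS: a small audit of a constructed home-router configuration against the points the complaint raises (plain-text credential storage, weak default logins, file sharing defaulting to "limitless access rights", unencrypted remote file transfer, and the absence of session time-outs). The configuration keys and sample values are hypothetical.

```python
# Added example: audit a hypothetical home-router configuration against the
# "reasonable security" points in the FTC's ASUS complaint. Keys and values
# are constructed for illustration, not taken from any real device.
from dataclasses import dataclass

# Constructed list of weak factory-default logins the check rejects.
WEAK_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


@dataclass
class RouterConfig:
    admin_user: str
    admin_password: str        # credential as stored on the device
    password_hashed: bool      # False means the credential is stored in plain text
    share_access: str          # "limitless", "read_only" or "authenticated"
    remote_access_tls: bool    # False means cleartext FTP-style transfer
    session_timeout_min: int   # 0 means admin sessions never expire


def audit(cfg: RouterConfig) -> list:
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    if not cfg.password_hashed:
        findings.append("credentials stored in plain text")
    if (cfg.admin_user, cfg.admin_password) in WEAK_DEFAULTS:
        findings.append("weak default login credentials")
    if cfg.share_access == "limitless":
        findings.append("file sharing defaults to limitless access")
    if not cfg.remote_access_tls:
        findings.append("remote file transfer is not encrypted")
    if cfg.session_timeout_min <= 0:
        findings.append("no session time-out")
    return findings


# Constructed sample: an out-of-the-box configuration with the weaknesses the
# complaint describes (insecure defaults, plain-text storage, no time-out).
DEFAULT_CFG = RouterConfig("admin", "admin", False, "limitless", False, 0)

# Constructed sample: the same device after hardening the defaults.
HARDENED_CFG = RouterConfig("admin", "$2b$12$<hash>", True, "authenticated", True, 15)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg) or "no findings")
```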

HHS Releases HIPAA/NIST Crosswalk

The U.S. Department of Health and Human Services (HHS) released a “crosswalk” or “mapping” document that identifies commonalities between the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. HIPAA covered entities must implement data security safeguards to comply with the HIPAA Security Rule. HHS’s new crosswalk is designed to help health care organizations that use the CSF to identify gaps in their security programs, help address those gaps, and map their HIPAA compliance measures to the industry standards identified in the CSF.

HHS Publishes PHI Access Fees FAQs

The U.S. Department of Health and Human Services (HHS) also provided a set of Frequently Asked Questions (FAQs) on appropriate fees for the release of Personal Health Information (PHI) to patients. The FAQs are the second in a series of guidance documents that HHS has provided to help covered entities (e.g., health plans and health care providers) understand a patient’s HIPAA Right of Access to his or her own PHI, and the proper methods for releasing that information directly to the patient or to a third party at the patient’s request. The guidance will help health care providers and health plans understand when and how they can provide patient access to records within the confines of the HIPAA Privacy Rule, and how they may recoup the cost of providing that access.

Judicial Redress Act Becomes Law

The Judicial Redress Act, which will provide foreign citizens with the right to challenge certain U.S. agency uses of personal data, has been signed into law by President Obama. The law was lauded by the President as a way to ensure privacy protections for our allies. The Judicial Redress Act was a prerequisite for the finalization of the EU-U.S. Umbrella Agreement.