Written by Adam Veness

The Federal Trade Commission (“FTC”) recently entered into a settlement agreement with TRENDnet, Inc., a company that sells Internet Protocol (“IP”) cameras that allow customers to monitor their homes remotely over the Internet.  Notably, this is the FTC’s first action against a seller of everyday products that connect to the Internet and other mobile devices, commonly referred to as the “Internet of Things.”

The Complaint

In its complaint, the FTC alleged that, despite representing to its customers that TRENDnet’s IP cameras are “secure,” TRENDnet failed to reasonably secure its IP cameras against unauthorized access by third parties.  According to the FTC, TRENDnet transmitted user login credentials in clear, readable text over the Internet and stored user credentials on a user’s mobile device in clear, readable text, despite the availability of free software to secure the transmissions and the stored credentials.  The FTC further alleged that TRENDnet failed to employ reasonable and appropriate security in the design and testing of the software that it provided consumers for its IP cameras.

Due to TRENDnet’s inadequate security measures, in January 2012, a hacker exploited the vulnerabilities of the TRENDnet system and posted live feeds for nearly 700 of TRENDnet’s IP cameras, including customers that had not made their video feeds public.  These video feeds displayed people in their homes, including sleeping babies and young children playing.  Once TRENDnet learned of this flaw, it uploaded a software patch and attempted to alert its customers of the need to update their IP cameras through TRENDnet’s website.

The Settlement

Last week, TRENDnet entered into a settlement agreement with the FTC to resolve the FTC’s claims.  Pursuant to the settlement agreement, TRENDnet has agreed that it will not misrepresent:

  • the extent to which its products or services maintain and protect the security of its IP cameras;
  • the security, privacy, confidentiality or integrity of the information that its IP cameras or other devices transmit; or
  • the extent to which a consumer can control the security of the information transmitted by the IP cameras.

What’s more, TRENDnet is required to establish, implement and maintain a comprehensive security program that is reasonably designed to address security risks that could result in unauthorized access to the IP cameras or other devices, and to protect the security, confidentiality and integrity of the information that its IP cameras or other devices transmit.  TRENDnet is further required to obtain initial and biennial assessments and reports on that security program from an independent third-party professional every two years for the next twenty years.  Again, these settlements carry real bottom-line costs.

Finally, in addition to the measures that TRENDnet must take to protect its customers in the future, TRENDnet must also notify all of its current customers about the flaw in the IP cameras that allowed third parties to access the live feed of TRENDnet customers, and TRENDnet must provide these customers with instructions on how to remove this flaw.

The TRENDnet settlement is the FTC’s first step at regulating data security in the land of the Internet of Things.  Keep a look out to see whether this becomes the FTC’s next hot topic.


UPDATE:   We have prepared a detailed Client Alert as a guide to getting started with these new Red Flag Rules and compliance obligations.   You can read it here.


It has been several years since the Federal Trade Commission’s Red Flag Rule took effect, and the banking regulators have had the Red Flag Interagency Guidance in place since 2007.  Finally, entities regulated by the Securities and Exchange Commission (SEC), such as broker-dealers and investment advisers, and entities regulated by the Commodity Futures Trading Commission (CFTC), such as futures commission merchants, commodity trading advisers and commodity pool operators, will be required to join the party.

In announcing the adoption of the rule, new SEC Chair Mary Jo White said, “Current estimates are that about five percent of American adults fall victim to identity theft fraud each year.  It is a risk for everyone, and as technology continues to advance, the risks increase.”

Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act shifted certain oversight functions under the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and the CFTC for entities regulated by those agencies. Last year the agencies issued a joint proposal on the identity theft provision. The final rules are “substantially identical” to the proposal, said Norm Champ, director of the SEC’s Division of Investment Management.

Specifically, the rules require that covered entities set up programs that identify, detect, and respond to identity theft “red flags.”    Most of the SEC-regulated entities will not be surprised by these rules.  Dodd-Frank essentially transferred oversight of already-existing Fair Credit Reporting Act requirements from the FTC to the SEC and the CFTC.

SEC Commissioner Luis Aguilar, however, noted that certain investment advisers, including advisers to hedge funds and private equity funds, may not have identity theft programs in place and will have to pay “particular attention” to the rules. Such entities were not required to register with the SEC until last year pursuant to Dodd-Frank.

The joint rules will become effective 30 days after publication in the Federal Register, and firms will be required to come into compliance six months after that date.


Last week in Washington, D.C., this author had the opportunity to sit in on a panel discussion by the SEC’s Division of Corporation Finance (“CorpFin”) discussing, among other things, recent developments in cybersecurity disclosure in public company filings.  The panel included CorpFin’s Acting Director Lona Nallengara, Deputy Director of Disclosure Operations Shelley Parratt and others from CorpFin.

One question asked of the panel was whether companies are actually listening to the SEC Guidance issued in late 2011.  The panel acknowledged that it has seen improvement in public company disclosure related to cybersecurity (consistent with what we previously reported here), and that the 2011 guidance is still very relevant.  The panel disclosed that the SEC has issued cybersecurity comments to approximately 50 public companies since issuing its guidance.  Specifically, the panel outlined the three major types of cybersecurity comments that the SEC has issued:

1) Disclose Specific Cybersecurity Breaches:  Although public companies are beginning to include greater disclosure related to how data breaches could occur, the SEC has issued comments requesting that companies disclose whether data breaches have actually occurred and how the company has responded to such breaches.

2) Cybersecurity Risks Should Stand Alone:  Often public companies include cybersecurity risks mixed in with other unrelated risk factors, such as risks of terrorist attacks or natural disasters.  The SEC has commented that cybersecurity risks should be broken out separately and stand alone because of the distinct differences between the risk of cybersecurity attacks and the risk of other types of disasters or attacks.

3) All Material Breaches Should Be Disclosed:  In some cases, a public company has suffered a cybersecurity attack but has failed to disclose that attack in its public filings.  The SEC has issued comments requesting additional information regarding why the public company does not believe the attack is sufficiently material to warrant disclosure, and if the attack is material, the SEC has requested that the company include the relevant disclosure in its public filings.

Aside from these three main areas, the panel explained that the SEC is interested in greater disclosure regarding the source of cybersecurity attacks that have occurred, e.g., whether the attack is from a competitor, a foreign government or a hacker group.  The SEC is also interested in instances in which the company was initially unaware of a data breach, but a third-party brought it to the company’s attention.  In these cases, the SEC may request disclosure regarding why the company was initially unaware of the breach.  The panel hinted that the SEC will issue comments this year related to these additional areas of interest.

Notably, the panel cautioned that a public company’s board of directors has oversight responsibility when it comes to cybersecurity, and that federal agencies other than the SEC are also focused on cybersecurity issues.

Based on CorpFin’s panel discussion, it appears that increased cybersecurity disclosure is not just the flavor of the month for the SEC.  Public companies should be proactive in their disclosure of cybersecurity risks and incidents to avoid receiving a comment from the SEC.  Companies should remember that the board of directors has an affirmative responsibility to ensure that the company has adequate cybersecurity protection, procedures and public disclosure in its filings.  Keep an eye out this year for new SEC comments related to the SEC’s additional areas of interest mentioned above.


It seems that some of the nation’s largest public company banks must be avid readers of this blog and have taken to heart our 2013 prediction that the SEC would require greater disclosure related to data security risks and breaches.  In their recent annual reports, Goldman Sachs Group Inc., Citigroup, Inc., Bank of America Corp. and many other large banks provided increased disclosure relating to their vulnerability to cybersecurity attacks.

In its Form 10-K, Goldman Sachs cautioned:

“We are regularly the target of attempted cyber attacks, including denial-of-service attacks, and must continuously monitor and develop our systems to protect our technology infrastructure and data from misappropriation or corruption. Although we take protective measures and endeavor to modify them as circumstances warrant, our computer systems, software and networks may be vulnerable to unauthorized access, misuse, computer viruses or other malicious code and other events that could have a security impact.”

Goldman Sachs went on to discuss how the increased use of mobile technologies has further heightened these cybersecurity risks, and the steps they have taken and plan to take to minimize these risks.

Not wanting to be outdone, Bank of America and Citigroup disclosed in their Form 10-Ks specific instances of how each has been subject to denial-of-service and other cybersecurity incidents.  Although both banks denied that these incidents have had a material impact on or were significant to their operations, they acknowledged that such incidents may continue to occur.

Public companies are finally beginning to shy away from sweeping their cybersecurity secrets under the mouse pad and have started providing investors with honest and clear disclosure about the cybersecurity risks they face and the cybersecurity incidents they have experienced.  Although increased disclosure by public companies is important, public companies should also ensure that they are accurately disclosing their cybersecurity risks and related efforts to prevent data breaches or other incidents.  Not only is the SEC likely to scrutinize public companies that completely fail to disclose their cybersecurity risks and incidents, but the SEC is also likely to pursue those public companies that mischaracterize their preventative measures or downplay the severity of their cybersecurity risks and data breach incidents.

Practice Tip:  As a public company, you should take measures to confirm that your public disclosure accurately reflects the reality with regard to your preventative measures, cybersecurity risks and prior incidents.  Otherwise, you run the risk of disclosing just enough for the SEC to dig deeper into your cybersecurity disclosure and bring to light inconsistencies between your disclosure and your actions.  For information regarding year-end reporting, including cybersecurity disclosure issues, see our Mintz Client Alert here.

The increased disclosure in this annual reporting season is likely only the beginning, and we are seeing the largest public company banks leading the charge on the coattails of Facebook, Inc. and Google, Inc.  Look for more public companies outside of the internet and financial services industry to follow suit in the next round of annual public filings.


Happy New Year!   We are beginning this week with a series of top Privacy and Security issues for 2013, as we see them.   Let’s start with an issue of interest to publicly traded companies, or companies considering going public in 2013 – a reminder that cybersecurity issues are of interest to the Securities and Exchange Commission (SEC) and are a shareholder disclosure issue.   We expect to see an increased focus in this area in 2013.

By Adam Veness

THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA SECURITY RISKS AND BREACHES

The amount of personal and confidential information maintained electronically by public companies increases every day.  As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company’s business also increases.  In response to this ever-increasing risk, the Securities and Exchange Commission (the “SEC”) is requiring greater disclosure related to data security and this trend will likely increase in 2013.

The SEC issued guidance relating to public company disclosure of data security at the end of 2011.  Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S-1 Registration Statement and became one of the pioneers in data security and privacy disclosure.  Since then, public and soon-to-be public companies have followed suit, and more companies are including disclosure related to data security risks and breaches.

The disclosure does not only affect companies that depend on technology as a core part of their business.  Two recent examples of this increased disclosure can be found in the risk factors of a prospectus filed by Michaels Stores, Inc. and one filed by SeaWorld Entertainment, Inc.  Specifically, Michaels Stores, Inc., a craft specialty retailer, included the following risk factor: “Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results.”  This type of risk factor is becoming more and more common among public company filings, both in registration statements and in annual and quarterly filings.  Interestingly, Michaels was the victim of a large-scale hack attack on its POS system in 2011, and given that, and the resulting class action suits, we might have expected to see expanded disclosure.  SeaWorld, the owner/operator of SeaWorld, Busch Gardens, Sesame Place, and other theme parks, filed its registration statement just after Christmas and includes the following risk factor:

Cyber security risks and the failure to maintain the integrity of internal or guest data could result in damages to our reputation and/or subject us to costs, fines or lawsuits.

We collect and retain large volumes of internal and guest data, including credit card numbers and other personally identifiable information, for business purposes, including for transactional or target marketing and promotional purposes, and our various information technology systems enter, process, summarize and report such data. We also maintain personally identifiable information about our employees. The integrity and protection of our guest, employee and Company data is critical to our business and our guests and employees have a high expectation that we will adequately protect their personal information. The regulatory environment, as well as the requirements imposed on us by the credit card industry, governing information, security and privacy laws is increasingly demanding and continue to evolve. Maintaining compliance with applicable security and privacy regulations may increase our operating costs and/or adversely impact our ability to market our theme parks, products and services to our guests. Furthermore, a penetrated or compromised data system or the intentional, inadvertent or negligent release or disclosure of data could result in theft, loss, fraudulent or unlawful use of guest, employee or Company data which could harm our reputation or result in remedial and other costs, fines or lawsuits.

Companies that fail to include adequate disclosure about data security risks have already begun receiving SEC comments for 10-Ks filed at the end of 2011.  One example of this occurred in the SEC’s review of Freeport-McMoRan Copper & Gold Inc.’s (“Freeport”) 10-K for the Fiscal Year Ended December 31, 2011.  In its Comment Letter, the SEC noted that Freeport failed to include any risk factors related to cyber attacks.  The SEC commented that in Freeport’s next 10-Q, it should provide “risk factor disclosure describing the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.”  The SEC further referred Freeport to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.  Sure enough, as Freeport promised in its response letter to the SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30, 2012.

In 2013, the SEC is likely to ramp up its cybersecurity risk disclosure requirements and will require all types of public companies to include additional disclosure regarding data security risks and breaches, not just internet-based public companies like Facebook, Inc.

Recommended action for 2013:  If your company files reports with the SEC, you should be paying close attention to the SEC Cybersecurity Guidance and examining your own potential exposure to cybersecurity risks through a comprehensive risk assessment.