On September 4, 2013, the Federal Trade Commission announced a settlement with TRENDnet, Inc. (“TRENDnet”) stemming from allegations that TRENDnet’s failure to provide reasonable security for its Internet Protocol (“IP”) security cameras allowed hackers to publicly post online live feeds from approximately 700 customers’ cameras. As the FTC noted in its press release, “this is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’”
TRENDnet sells “nanny cam” style IP security cameras that provide customers the ability to monitor their homes and businesses by remotely viewing live video feeds. In its complaint, the FTC alleged that TRENDnet’s failure to provide reasonable security to prevent unauthorized access to customers’ feeds was an unfair act or practice. Specifically, the FTC alleged that TRENDnet (1) transmitted customers’ login credentials over the Internet in clear, readable text; (2) stored customers’ login credentials on their mobile apps in clear, readable text; (3) failed to implement a process to actively review security vulnerability reports; and (4) failed to employ reasonable and appropriate security design in the software for its IP security cameras. As a result of TRENDnet’s deficient security practices, the complaint charged that strangers may have been able to view TRENDnet customers’ personal activities on the Internet, thus impairing the affected individuals’ “peaceful enjoyment” of their homes and increasing the risk that their property would be targeted for criminal activity.
The settlement, which terminates 20 years from its issuance, includes requirements that TRENDnet:
- refrain from misrepresenting the security of its products and software;
- establish, implement and maintain a comprehensive information security program;
- obtain biennial assessments of its information security program from an independent third-party auditor;
- maintain, and submit to the FTC upon request, all information relied on to complete the biennial assessments of its information security program and all documents related to its compliance with the settlement;
- notify affected customers;
- deliver copies of the settlement to, and obtain signed acknowledgements from, current and future TRENDnet principals, directors, employees and agents;
- notify the FTC of any changes in structure that may affect its compliance with the settlement; and
- submit a report to the FTC detailing the manner and form of TRENDnet’s compliance with the settlement.
Read the FTC Business Center Blog’s post about the TRENDnet settlement. The FTC’s Consumer Information Blog also posted about the settlement.
Update: On February 7, 2014, the FTC approved the final settlement order with TRENDnet.