On February 23, 2016, the Federal Trade Commission announced that it reached a settlement with Taiwan-based network hardware manufacturer ASUSTeK Computer, Inc. (“ASUS”), to resolve claims that the company engaged in unfair and deceptive security practices in connection with developing network routers and cloud storage products sold to consumers in the U.S.
The settlement stems from an FTC complaint alleging that ASUS failed to securely design and maintain its network routers and cloud storage applications, which resulted in a number of software vulnerabilities affecting the security of its products and of customers’ information. In the complaint, the FTC claimed that despite knowing about these security flaws, the company failed to mitigate them in a timely manner and failed to give customers prompt notice of vulnerabilities that placed their network routers, and the sensitive personal information on their network-connected devices, at risk of compromise. According to the FTC, these security flaws resulted in hackers compromising thousands of customers’ ASUS routers and network-connected devices, including over 12,900 connected devices, in February 2014. In addition to alleging that the company failed to provide reasonable security in the design and maintenance of the software developed for its routers and related “cloud” features, the FTC’s complaint asserted that, in light of these alleged security failures, ASUS’s claims about the security of its products were misrepresentations.
The consent order entered into between ASUS and the FTC requires the company to notify consumers when a software update is available, or when the company is aware of reasonable steps that a consumer could take to mitigate a security flaw. The consent order also requires the company to maintain a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing network devices developed by the company, and (2) protect the privacy, security, confidentiality and integrity of individually identifiable consumer information collected or handled by such devices. The company is also prohibited from misrepresenting the security of its products, including whether or not a product is using up-to-date software.