We previously reported that the Federal Trade Commission (FTC) had entered into a proposed settlement with ASUSTek Computer, Inc. in February of 2016. The allegations against ASUS were that it failed to take reasonable steps to secure the software on its routers, despite representations made to consumers about their top security practices. The FTC alleged that the representations made to consumers were misleading.
On July 28, 2016, the FTC, by a vote of 3-0 and following a public comment period, approved the settlement.
The settlement requires ASUS to “establish and maintain a comprehensive security program subject to independent audits over the next 20 years. In addition, ASUS must notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices.”
Finally, the order prohibits ASUS from “misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.”
This case illustrates how important the language is in Privacy Policies or Statements on company websites and representations made in any consumer facing publications. The FTC is all about transparency and consistency between representations made on a company website or other materials and actual data security measures taken with consumers’ information. It is a reminder to take frequent looks at website policies and tweaking them to conform to actual practices.