Privacy Compliance Quick Alert: Faulty Security Process Equals FTC Action

The FTC took action against Fandango and Credit Karma. Here is what it focused on with Fandango:

From the complaint and settlement:

19. Respondent engaged in a number of practices that, taken together, failed to provide
reasonable and appropriate security in the development and maintenance of its mobile
application, including:

a. Overriding the default SSL certificate validation settings provided by the iOS
APIs without implementing other security measures to compensate for the lack of
SSL certificate validation;

b. Failing to appropriately test, audit, assess, or review its applications, including
failing to ensure that the transmission of sensitive personal information was
secure; and

c. Failing to maintain an adequate process for receiving and addressing security
vulnerability reports from third parties.

Takeaway - Check the SSL certificate when transmitting sensitive data. You must have a security audit process, and testing only the code is not adequate: you must test what happens when data flows. You must have a dedicated or workable way for consumers or security researchers to flag security vulnerabilities. A mass intake for consumer contact that is automatically sorted is unlikely to suffice.
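Item (a) of the complaint and the first takeaway, shown as iOS code. This is an added example, not code from the complaint or from Fandango's app; the class names and the bundled pinned certificate are assumptions. The first delegate reproduces the pattern the FTC describes (default validation overridden with nothing in its place); the second keeps the iOS default validation and adds a compensating check.

```swift
import Foundation
import Security

// Added illustration; class names are hypothetical. The complaint does not quote Fandango's code.
// Item (a) of the complaint: overriding the default SSL certificate validation the iOS APIs perform.
final class InsecureSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        // Returning a credential for the presented trust without evaluating it accepts any
        // certificate, so anyone on the network path can read the "secure" transmission.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Corrected form: keep the system's chain validation and additionally pin the expected leaf
// certificate (DER bytes bundled with the app; assumed here, not from the page).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafDER: Data
    init(pinnedLeafDER: Data) { self.pinnedLeafDER = pinnedLeafDER }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        // 1. Default validation: trusted root, hostname match, validity period (iOS 12+ API).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        // 2. Pinning: the leaf must match the bundled certificate byte for byte.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              SecCertificateCopyData(leaf) as Data == pinnedLeafDER else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Testing "what happens when data flows" (item (b)) means exercising the app against a proxy presenting an untrusted certificate: the first delegate completes the request, the second rejects the challenge.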

Read the full complaint here.

Jules Polonetsky is Executive Director of the Future of Privacy Forum
