Privacy Compliance Quick Alert: Faulty Security Process Equals FTC Action
The FTC took action against Fandango and Credit Karma. Here is what it focused on with Fandango:
From the complaint and settlement:
19. Respondent engaged in a number of practices that, taken together, failed to provide
reasonable and appropriate security in the development and maintenance of its mobile
application, including:
a. Overriding the default SSL certificate validation settings provided by the iOS
APIs without implementing other security measures to compensate for the lack of
SSL certificate validation;
b. Failing to appropriately test, audit, assess, or review its applications, including
failing to ensure that the transmission of sensitive personal information was
secure; and
c. Failing to maintain an adequate process for receiving and addressing security
vulnerability reports from third parties.
Takeaway - Validate the SSL certificate when transmitting sensitive data. You must have a security audit process, and testing only the code is not adequate: you must test what happens when data actually flows. You must also have a dedicated or workable way for consumers or security researchers to flag security vulnerabilities; a mass intake for consumer contact that is automatically sorted is unlikely to suffice.
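As an added illustration of the practice described in paragraph 19(a) (this is example code, not from the complaint or from Fandango's app): a Swift URLSession delegate that overrides certificate validation by accepting whatever the server presents, beside one that keeps the system's default validation. The class names are assumed for the example.

```swift
import Foundation

// Constructed example. The first delegate reproduces the insecure pattern the
// complaint describes; the second keeps the platform's default chain and
// hostname validation. Not implementing the delegate method at all is also safe.

/// Insecure: builds a credential from the server's trust object without
/// evaluating it, so a self-signed or attacker-supplied certificate is accepted.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate call: validation is effectively disabled.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

/// Secure: evaluates the certificate chain and hostname, defers to the system's
/// default handling on success, and cancels the connection on failure.
final class DefaultValidationDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            // Chain is trusted and matches the host; let the system proceed.
            completionHandler(.performDefaultHandling, nil)
        } else {
            // Reject rather than fall back to an unvalidated connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: only the validating delegate should ever reach a production build.
let session = URLSession(configuration: .default,
                         delegate: DefaultValidationDelegate(),
                         delegateQueue: nil)
```

A code review or automated scan for `URLCredential(trust:)` (or its Objective-C equivalent) with no preceding trust evaluation is one concrete way to catch the first pattern before release.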
Read the full complaint here.
Jules Polonetsky is Executive Director of the Future of Privacy Forum