November 19th, 2014
FTC Closes Investigation of Verizon Router Security Citing Company’s Steps to Mitigate Consumer Harm
The FTC recently closed an investigation into whether Verizon engaged in unfair or deceptive acts or practices by failing to ensure that routers it shipped to customers, in connection with its DSL and FiOS services, had proper encryption security. Verizon took steps to mitigate consumer harm, and the company's efforts helped avoid regulatory sanctions. Here's what happened.
The Institute of Electrical and Electronics Engineers ("IEEE") is an influential professional association that, among other things, publishes standards for wireless local area network ("WLAN") products. Way back in 1999, the IEEE's standard for encryption security was called Wired Equivalent Privacy ("WEP"). For a while, WEP was the default setting on many devices. But in 2004, once it was discovered that WEP leaves WLANs vulnerable to attacks from hackers (who could intercept and modify transmissions and gain access to restricted networks), the IEEE announced a new, more secure standard called Wi-Fi Protected Access ("WPA"), and later, Wi-Fi Protected Access 2 ("WPA2").
The problem was that Verizon accidentally shipped router models to its consumers with the WEP security standard set as the default, instead of the WPA2 standard.
The FTC closed its investigation into whether the error was a violation of section 5 of the FTC Act, citing Verizon's 1) "overall data security practices related to its routers;" and 2) efforts "to mitigate the risk to its customers' information." The closing letter noted that Verizon did a few things to fix its mistake: It recalled all WEP-defaulted routers from distribution centers and set them to WPA2; implemented a vigorous outreach campaign to customers that were defaulted to WEP, or defaulted to no encryption, and asked them to update their settings; and perhaps most impressively, for customers with older routers incompatible with WPA2, Verizon offered to upgrade them to WPA2-compatible units.
The FTC remarked in closing that although in the past a WEP default setting "may not have been unreasonable," it is now, cautioning: "what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them."
We urge all Internet Service Providers and router manufacturers to default consumer routers to WPA2. If some of your products are still defaulted to WEP, we recommend that you call a data security and privacy lawyer, or a data breach specialist, and consider beginning a public outreach plan to ensure that no harm comes to your consumers' information. Preemptively addressing router encryption problems now may prevent data privacy and security problems, as well as consumer trust violations, down the road.
For more information on this closing letter, or on any other technology, or data privacy and security law issues, please contact Greg Boyd at (212) 826-5581 or firstname.lastname@example.org, Sean Kane at (212) 705-4845 or email@example.com, or Jessica Smith at (212) 705-4876 or firstname.lastname@example.org, or any other member of the Frankfurt Kurnit Technology, Digital Media, & Privacy Group.