- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
November 19th, 2014
FTC Closes Investigation of Verizon Router Security Citing Company’s Steps to Mitigate Consumer Harm
The FTC recently closed an investigation into whether Verizon engaged in unfair or deceptive acts or practices by failing to ensure that routers it shipped to customers, in connection with its DSL and FiOS services, had proper encryption security. Verizon took steps to mitigate consumer harm, and the company's efforts helped avoid regulatory sanctions. Here's what happened.
The Institute of Electrical and Electronics Engineers ("IEEE") is an influential professional association that, among other things, publishes standards for wireless local area network ("WLAN") products. Way back in 1999, the IEEE's standard for encryption security was called Wire Equivalent Privacy ("WEP"). For a while, WEP was the default setting on many devices. But In 2004, once it was discovered that WEP leaves WLANs vulnerable to attacks from hackers (who could intercept and modify transmission and gain access to restricted networks), the IEEE announced a new, more secure, standard called Wi-Fi protected Access ("WPA"), and later, Wi-Fi Protected Access 2 ("WPA2").
The problem was that Verizon accidentally shipped router models to its consumers with the WEP security standard set as the default, instead of the WPA2 standard.
The FTC closed its investigation into whether the error was a violation of section 5 of the FTC Act, citing Verizon's 1) "overall data security practices related to its routers;" and 2) efforts "to mitigate the risk to its customers' information." The closing letter noted that Verizon did a few things to fix its mistake: It recalled all WEP-defaulted routers from distribution centers and set them to WPA2; implemented a vigorous outreach campaign to customers that were defaulted to WEP, or defaulted to no encryption, and asked them to update their settings; and perhaps most impressively, for customers with older routers incompatible with WPA2, Verizon offered to upgrade them to WPA2-compatible units.
The FTC remarked in closing that although in the past a WEP default setting "may not have been unreasonable," it is now; cautioning: "what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them."
We urge all Internet Service Providers or router manufacturers to default consumer routers to WPA2. If some of your products are still defaulted to WEP, we recommend calling a data security and privacy lawyer, or a data breach specialist, and to consider beginning a public outreach plan to ensure that no harm comes to your consumers' information. Preemptively addressing router encryption problems now may prevent data privacy and security problems, as well as consumer trust violations, down the road.
For more information on this closing letter, or on any other technology, or data privacy and security law issues, please contact Greg Boyd at (212) 826-5581 or email@example.com, Sean Kane at (212) 705-4845 or firstname.lastname@example.org, or Jessica Smith at (212) 705-4876 or email@example.com, or any other member of the Frankfurt Kurnit Technology, Digital Media, & Privacy Group.
Other Advertising Law Alerts
New Low-Budget Waiver is Now Available for Digital Commercial Productions
Advertisers and agencies that are signatories to the SAG-AFTRA Commercials Contract can now take advantage of a new waiver issued by SAG-AFTRA and the Joint Policy Committee on Broadcast Talent Union Relations when producing low-budget digital commercials.
November 10 2017
FTC Updates Endorsement Guide FAQs and Settles First-Ever Action Against Individual “Influencers”
Recent developments demonstrate the FTC's continued interest in social media endorsements.
September 11 2017
FTC Announces Reforms to Its Investigative Process
Recently, the FTC announced a set of internal reforms intended to improve the process by which the Commission investigates unfair, deceptive and fraudulent business practices. The reforms relate to the Civil Investigative Demands ("CID") that the FTC's Bureau of Consumer Protection issues to request information from investigation targets.
September 7 2017