Advertising Law Alerts

November 19th, 2014

FTC Closes Investigation of Verizon Router Security Citing Company’s Steps to Mitigate Consumer Harm

The FTC recently closed an investigation into whether Verizon engaged in unfair or deceptive acts or practices by failing to ensure that routers it shipped to customers, in connection with its DSL and FiOS services, had proper encryption security. Verizon took steps to mitigate consumer harm, and the company's efforts helped avoid regulatory sanctions. Here's what happened.

Background.

The Institute of Electrical and Electronics Engineers ("IEEE") is an influential professional association that, among other things, publishes standards for wireless local area network ("WLAN") products. Way back in 1999, the IEEE's standard for encryption security was called Wire Equivalent Privacy ("WEP"). For a while, WEP was the default setting on many devices. But In 2004, once it was discovered that WEP leaves WLANs vulnerable to attacks from hackers (who could intercept and modify transmission and gain access to restricted networks), the IEEE announced a new, more secure, standard called Wi-Fi protected Access ("WPA"), and later, Wi-Fi Protected Access 2 ("WPA2").

The problem.

The problem was that Verizon accidentally shipped router models to its consumers with the WEP security standard set as the default, instead of the WPA2 standard.

The solution.

The FTC closed its investigation into whether the error was a violation of section 5 of the FTC Act, citing Verizon's 1) "overall data security practices related to its routers;" and 2) efforts "to mitigate the risk to its customers' information." The closing letter noted that Verizon did a few things to fix its mistake: It recalled all WEP-defaulted routers from distribution centers and set them to WPA2; implemented a vigorous outreach campaign to customers that were defaulted to WEP, or defaulted to no encryption, and asked them to update their settings; and perhaps most impressively, for customers with older routers incompatible with WPA2, Verizon offered to upgrade them to WPA2-compatible units.

The FTC remarked in closing that although in the past a WEP default setting "may not have been unreasonable," it is now; cautioning: "what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them."

We urge all Internet Service Providers or router manufacturers to default consumer routers to WPA2. If some of your products are still defaulted to WEP, we recommend calling a data security and privacy lawyer, or a data breach specialist, and to consider beginning a public outreach plan to ensure that no harm comes to your consumers' information. Preemptively addressing router encryption problems now may prevent data privacy and security problems, as well as consumer trust violations, down the road.

For more information on this closing letter, or on any other technology, or data privacy and security law issues, please contact Greg Boyd at (212) 826-5581 or gboyd@fkks.com, Sean Kane at (212) 705-4845 or skane@fkks.com, or Jessica Smith at (212) 705-4876 or jsmith@fkks.com, or any other member of the Frankfurt Kurnit Technology, Digital Media, & Privacy Group.