- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
November 19th, 2014
FTC Closes Investigation of Verizon Router Security Citing Company’s Steps to Mitigate Consumer Harm
The FTC recently closed an investigation into whether Verizon engaged in unfair or deceptive acts or practices by failing to ensure that routers it shipped to customers, in connection with its DSL and FiOS services, had proper encryption security. Verizon took steps to mitigate consumer harm, and the company's efforts helped avoid regulatory sanctions. Here's what happened.
The Institute of Electrical and Electronics Engineers ("IEEE") is an influential professional association that, among other things, publishes standards for wireless local area network ("WLAN") products. Way back in 1999, the IEEE's standard for encryption security was called Wire Equivalent Privacy ("WEP"). For a while, WEP was the default setting on many devices. But In 2004, once it was discovered that WEP leaves WLANs vulnerable to attacks from hackers (who could intercept and modify transmission and gain access to restricted networks), the IEEE announced a new, more secure, standard called Wi-Fi protected Access ("WPA"), and later, Wi-Fi Protected Access 2 ("WPA2").
The problem was that Verizon accidentally shipped router models to its consumers with the WEP security standard set as the default, instead of the WPA2 standard.
The FTC closed its investigation into whether the error was a violation of section 5 of the FTC Act, citing Verizon's 1) "overall data security practices related to its routers;" and 2) efforts "to mitigate the risk to its customers' information." The closing letter noted that Verizon did a few things to fix its mistake: It recalled all WEP-defaulted routers from distribution centers and set them to WPA2; implemented a vigorous outreach campaign to customers that were defaulted to WEP, or defaulted to no encryption, and asked them to update their settings; and perhaps most impressively, for customers with older routers incompatible with WPA2, Verizon offered to upgrade them to WPA2-compatible units.
The FTC remarked in closing that although in the past a WEP default setting "may not have been unreasonable," it is now; cautioning: "what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them."
We urge all Internet Service Providers or router manufacturers to default consumer routers to WPA2. If some of your products are still defaulted to WEP, we recommend calling a data security and privacy lawyer, or a data breach specialist, and to consider beginning a public outreach plan to ensure that no harm comes to your consumers' information. Preemptively addressing router encryption problems now may prevent data privacy and security problems, as well as consumer trust violations, down the road.
For more information on this closing letter, or on any other technology, or data privacy and security law issues, please contact Greg Boyd at (212) 826-5581 or email@example.com, Sean Kane at (212) 705-4845 or firstname.lastname@example.org, or Jessica Smith at (212) 705-4876 or email@example.com, or any other member of the Frankfurt Kurnit Technology, Digital Media, & Privacy Group.
Other Advertising Law Alerts
What the Advertising Industry Can Learn from Kim Kardashian’s Settlement with the SEC
On October 3, 2022, the Securities and Exchange Commission (SEC) announced that it entered into a $1.26 million settlement with Kim Kardashian over her social media promotion of the EMAX token without disclosing payment she received from token issuer, EthereumMax. The matter provides important lessons for advertisers. Read more.
October 10 2022
Get Ready for California’s New “Automatic Renewal” Rules
California recently amended its Automatic Purchase Renewals law. The amended statute - effective July 1st -- require marketers to provide consumers of automatic renewal or continuous service offers with more information and easier ways to terminate. Read more.
June 22 2018
“Made in the U.S.A.” Claims Continue to be Scrutinized
In 2016, California amended Section 17533.7 of the California Business and Professions Code ("Section 17533"), liberalizing the standard for selling products labeled "Made in U.S.A" to California consumers. Read more.
June 4 2018