The Federal Trade Commission (FTC) released a report summarizing the results of its investigation into improving mobile device security, particularly in regard to releasing security updates (i.e., patches) for devices in active use. Based on its findings, the report presents recommendations for providing timely security updates consistent with consumers’ reasonable expectations, disclosing better information about security update practices and educating consumers to better understand their role in the security update process. These recommendations are aimed at mobile industry stakeholders, including device manufacturers and telecom carriers, and may be applied by the agency to any organization that develops, manufactures or otherwise provides Internet-connected devices. The guidance provides a framework of practices, and failure to adhere to these practices may put particular companies at greater risk of FTC enforcement or increased risk of consumer class actions because plaintiffs’ firms often look to agency guidance in bringing new types of claims.
On February 28, 2018, the FTC released a report summarizing the results of its investigation into improving mobile device security, particularly in regard to releasing security updates (i.e., patches) for devices in active use (the report).1
In May 2016, the FTC issued formal requests for information to eight leading companies in the mobile device industry. In surveying the companies’ responses and known challenges facing the industry, the report found that mobile devices frequently operate with significant vulnerabilities for extended periods of time, either because the device manufacturers or service carriers do not issue a security update or because users do not approve installation of the updates when they are made available.2 The report also incorporates unpublished findings from a parallel investigation conducted by the Federal Communications Commission (FCC).3 The FTC’s report aims its recommendations primarily at manufacturers and carriers and seeks to streamline security update processes throughout the industry as well as improve the consumer’s experience through education and transparency.
The report emphasizes that the industry’s adoption of its recommendations is important to conform with consumers’ reasonable expectations for mobile device security. In doing so, the FTC may be offering a not-so-subtle hint that failure to meet its recommendations could constitute unfair practices under Section 5 of the FTC Act.