Why Following Your Own Privacy Policy is Vital

FTC Enforces Privacy Policies

Companies that claim in their privacy policy to protect their customers’ information have to follow through and actually do it. The FTC got mobile app companies Fandango and Credit Karma to sign consent decrees to settle charges that they failed to protect their customers’ information.

The main charge against the companies was that they disabled SSL encryption of customers’ communications, leaving those communications vulnerable to hackers, despite telling customers that they used encryption. SSL is one of the strongest protections for customer data, and is widely available. Notwithstanding the Heartbleed vulnerability (which affects OpenSSL software), it’s still the most widely used encryption system out there.

“Consumers are increasingly using mobile apps for sensitive transactions,” said FTC Chair Ramirez. “Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

The FTC offers some resources to help developers keep their apps secure. Importantly, all companies should check their privacy policies and see what they have promised. Remember, if you don’t follow the terms of your privacy policy, you may open the door to liability.

Links

Cyber Report – FTC Announces Mobile App Security Consent Decrees