James Denvil and Paul Otto of Hogan Lovells write:
The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek (“ASUS”). In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS misrepresented its security practices and failed to reasonably secure its router software. The Commission cited the company’s alleged failure to address vulnerability reports as one of the its primary concerns. The settlement reiterates the warnings contained in the FTC’s recent Start with Security Guide and prior settlements with HTC America and Fandango: the FTC expects companies to implement adequate processes for receiving security vulnerability reports and addressing them within a reasonable time.
Read more on Hogan Lovells Chronicle of Data Protection. Additional discussion of this matter can be found on Covington & Burling’s Inside Privacy