HTC, a mobile device manufacturer, was recently in the press for a settlement with the Federal Trade Commission (FTC). This isn’t the first time an organization has settled with the FTC over security or privacy issues; Twitter, Petco, and others have settled and been subject to FTC audits. However, as a recent blog post by law firm Holland and Knight points out, the HTC settlement is one of the most significant in years. Unlike earlier cases, the HTC settlement is not based on a high-profile breach. Instead, the complaint states that “HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices”. In other words, the FTC is holding a company accountable for negligence in secure development itself, not for the consequences of a particular incident. It’s worth mentioning that most companies are not otherwise legally required to follow secure development practices. In our experience, American organizations tend to require increased secure development scrutiny of an application only when it falls under the scope of the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), Defense Information Systems Agency (DISA) security requirements, the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), or other regulation specific to highly regulated industries. The vast majority of software has no legal requirement to build security in.
The HTC settlement means that companies which claim to protect customer data but do not provide adequate safeguards are potentially subject to legal action. Simply having a firewall, a vulnerability scanner and an SSL certificate no longer meets even a low standard of due diligence. Information security departments have a new tool for promoting the importance of secure development practices. This is particularly true for non-regulated industries such as eCommerce, retail, and independent software vendors (ISVs), where securing software often means a slower time-to-market. Companies that are subject to FTC audits and fail to implement safeguards may face substantial fines. We really think this will be a game changer for secure development.