Why HTC’s Settlement is a Game Changer for Secure Development

March 7, 2013

HTC, a mobile device manufacturer, was recently in the press for a settlement with the Federal Trade Commission (FTC). This isn't the first time an organization has settled with the FTC over security or privacy issues: Twitter, Petco, and others have settled and been subject to FTC audits. However, as a recent blog post by the law firm Holland and Knight points out, the HTC settlement is one of the most significant in years. Unlike earlier cases, it is not based on a high-profile breach. Instead, the complaint states that "HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices". In other words, the FTC is holding a company accountable for negligence in secure development itself, not for the consequences of a specific incident. It's worth mentioning that most companies are not otherwise legally required to follow secure development practices. In our experience, American organizations tend to subject applications to increased secure development scrutiny only when those applications fall under the scope of the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), Defense Information Systems Agency (DISA) requirements, the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), or other requirements specific to highly regulated industries. The vast majority of software has no legal requirement to build security in.

The HTC settlement means that companies that claim to protect customer data but do not provide adequate safeguards are potentially subject to legal action. Simply having a firewall, a vulnerability scanner and an SSL certificate is no longer enough to meet even a low standard of due diligence when the software itself was built without reasonable security practices. Information security departments now have a new tool for promoting the importance of secure development. This is particularly true for non-regulated industries such as eCommerce, retail, and independent software vendors (ISVs), where securing software has often been treated as a cost because it slows time-to-market. Companies that become subject to FTC audits and fail to implement safeguards may face substantial fines. We really think this will be a game changer for secure development.

