FTC settles with Fandango for security breach

In the midst of contentious litigation with Wyndham and LabMD, which allege that the Federal Trade Commission (FTC) does not have jurisdiction over security practices, the FTC this week approved a settlement with Fandango Inc. following an investigation of its information security practices. Although Fandango is not required to pay any fine or penalty as a result of the investigation, it is required to “establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing products and services for consumers, and (2) protect the security, integrity and confidentiality of covered information, whether collected by respondent or input into, stored on, captured with, or accessed through a computer using respondent’s products or services.” The plan must be in writing and “shall contain administrative, technical[] and physical safeguards appropriate to respondent’s size and complexity[;] the nature and scope of respondent’s activities[;] and the sensitivity of the covered information.” Sounds like an OCR Order for a HIPAA violation.

Fandango is further required to perform a security risk assessment; design and implement security safeguards to control the identified risks; use reasonable steps to select and retain service providers and require those providers by contract to implement and maintain appropriate safeguards (similar to the Massachusetts data security regulations and HIPAA); continually evaluate the security program and its effectiveness; and include employee training. Finally, Fandango is required to obtain initial and biennial risk assessments and reports from a third-party professional, provide the reports to the FTC for 20 years, and notify the FTC if Fandango dissolves, assigns, sells or merges with a successor corporation.

The initial alleged violation was that Fandango disabled a critical default process, SSL certificate validation, which is what would have verified that its mobile application was actually talking to the genuine server rather than an impostor. As a result, the app's traffic was vulnerable to interception over wireless networks by anyone positioned between the app and the server. FTC Chairwoman Edith Ramirez stated that this case should “remind app developers of the need to make data security central to how they design their apps.” Even though the FTC has published no official guidance, the settlement outlines what every company should be doing to protect its data, particularly in this age of massive data breaches. It is a combination of security measures consistent with the HIPAA Security Rule, the Massachusetts data security regulations and commercially acceptable best practices. This should be the framework of an enterprise-wide privacy and security plan. The FTC’s involvement with data security is not going away despite the fight by Wyndham and LabMD, so now is the time to place it high on the priority list.
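As an added illustration of the flaw the FTC described (constructed Python, not Fandango's own mobile code), the following shows a client TLS configuration with certificate validation switched off beside the hardened equivalent, plus a small audit function a reviewer can run against any client context to catch the same misconfiguration. The finding codes and function names are assumptions made for this example.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Constructed mirror of the alleged flaw: certificate validation disabled.

    With CERT_NONE the client accepts any certificate, so a device on the
    same Wi-Fi network can present its own certificate and read the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared first, or CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE  # the "disabled default process" from the complaint
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What the client should use: system trust store, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return finding codes for a client context; an empty list means it validates properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Chain is never checked against a trust store: any certificate is accepted.
        findings.append("CHAIN_NOT_VALIDATED")
    if not ctx.check_hostname:
        # A valid certificate for some other host would still be accepted.
        findings.append("HOSTNAME_NOT_CHECKED")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("WEAK_MIN_TLS")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
```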