TRENDnet, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 55717-55719 [2013-22070]
Federal Register / Vol. 78, No. 176 / Wednesday, September 11, 2013 / Notices
FEDERAL TRADE COMMISSION
[File No. 122 3090]
TRENDnet, Inc.; Analysis of Proposed
Consent Order To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
SUMMARY: The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before October 4, 2013.
ADDRESSES: Interested parties may file a
comment at
https://ftcpublic.commentworks.com/ftc/trendnetconsent
online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘TRENDnet, File No. 122
3090’’ on your comment and file your
comment online at
https://ftcpublic.commentworks.com/ftc/trendnetconsent
by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Laura Berger (202–326–2471), FTC,
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for September 4, 2013), on
the World Wide Web, at
https://www.ftc.gov/os/actions.shtm. A paper
copy can be obtained from the FTC
Public Reference Room, Room 130–H,
600 Pennsylvania Avenue NW.,
Washington, DC 20580, either in person
or by calling (202) 326–2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before October 4, 2013. Write
‘‘TRENDnet, File No. 122 3090’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
Web site, at
https://www.ftc.gov/os/publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which . . . is
privileged or confidential,’’ as discussed
in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).\1\ Your comment will be kept
confidential only if the FTC General
Counsel grants your request in
accordance with the law and the public
interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at
https://ftcpublic.commentworks.com/ftc/trendnetconsent
by following the
instructions on the web-based form. If
this Notice appears at
https://www.regulations.gov/#!home you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘TRENDnet, File No. 122 3090’’
on your comment and on the envelope,
and mail or deliver it to the following
address: Federal Trade Commission,
Office of the Secretary, Room H–113
(Annex D), 600 Pennsylvania Avenue
NW., Washington, DC 20580. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before October 4, 2013. You can find
more information, including routine
uses permitted by the Privacy Act, in
the Commission’s privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, an
agreement containing a consent order
applicable to TRENDnet, Inc.
(‘‘TRENDnet’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
\1\ In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
TRENDnet is a California corporation
that, among other things, sells
networking devices, such as routers,
modems, and Internet Protocol (‘‘IP’’)
security cameras that allow users to
conduct remote surveillance of their
homes and businesses via the Internet.
In many instances, TRENDnet markets
its IP cameras under the trade name
‘‘SecurView,’’ and tells consumers they
may use the cameras to monitor ‘‘babies
at home, patients in the hospital, offices
and banks, and more.’’ By default, these
IP cameras are subject to security
settings, such as a requirement to enter
a user name and password (‘‘login
credentials’’) in order to access the live
video and audio feeds (‘‘live feeds’’)
over the Internet. On approximately
January 10, 2012, a hacker discovered a
flaw in the IP cameras that allowed
access to these live feeds without
entering login credentials, resulting in
hundreds of previously private live
feeds being made public.
The Commission’s complaint alleges
that TRENDnet violated Section 5(a) of
the FTC Act by falsely representing that
it had taken reasonable steps to ensure
that its IP cameras and mobile apps are
a secure means to monitor private areas
of a consumer’s home or workplace. The
complaint also alleges that TRENDnet
misrepresented that it had taken
reasonable steps to ensure that a user’s
security settings on its devices would be
honored. Finally, the Commission’s
complaint alleges that TRENDnet
engaged in a number of practices that,
taken together, failed to provide
reasonable security to prevent
unauthorized access to personal
information, namely the live feeds from
the IP cameras. Among other things,
TRENDnet:
(1) Transmitted user login credentials
in clear, readable text over the Internet,
despite the existence of free code
libraries (i.e., repositories of
programming language that can be
integrated by third parties), publicly
available since at least 2008, that would
have enabled respondent to secure such
transmissions;
(2) stored user login credentials in
clear, readable text on a user’s mobile
device, despite the existence of free
software, publicly available since 2008,
that would have enabled respondent to
secure such stored credentials;
(3) failed to implement a process to
actively monitor security vulnerability
reports from third-party researchers,
academics, or other members of the
public, despite the existence of free
tools to conduct such monitoring,
thereby delaying the opportunity to
correct discovered vulnerabilities or
respond to incidents;
(4) failed to employ reasonable and
appropriate security in the design and
testing of the software that it provided
consumers to install, operate, and access
its IP cameras. Among other things,
TRENDnet, either directly or through its
service providers, failed to:
(a) Perform security review and
testing of the software at key points,
such as upon the release of the IP
camera or upon the release of software
to install, operate, or access the IP
camera, including measures such as:
i. A security architecture review to
evaluate the effectiveness of the
software’s security infrastructure;
ii. vulnerability and penetration
testing of the software, such as by
inputting invalid, unanticipated, or
random data to the software;
iii. reasonable and appropriate code
review and testing of the software to
verify that access to data is restricted
consistent with a user’s privacy and
security settings; and
(b) implement reasonable guidance or
training for any employees responsible
for the testing, designing, and reviewing
the security of its IP cameras and related
software.
The complaint further alleges that,
due to these failures, TRENDnet
subjected users to a significant risk that
their live feeds would be compromised,
thereby causing significant injury to
consumers. Moreover, the complaint
alleges that affected consumers include
not only those consumers who
maintained login credentials for their
cameras, but also unwitting third parties
who were present in locations under
surveillance by the cameras. The
exposure of personal information
through TRENDnet’s IP cameras
increases the likelihood that consumers
or their property will be targeted for
theft or other criminal activity, increases
the likelihood that consumers’ personal
activities or the activities of their young
children or other family members will
be observed and recorded by strangers
over the Internet, impairs consumers’
peaceful enjoyment of their homes,
increases consumers’ susceptibility to
physical tracking or stalking, and
reduces consumers’ ability to control
the dissemination of personal or
proprietary information (e.g., intimate
video and audio streams or images from
business properties). Indeed, consumers
had little, if any, reason to know that
their information was at risk,
particularly if those consumers
maintained login credentials for their
cameras or were merely unwitting third
parties present in locations where the
cameras were used.
The proposed order contains
provisions designed to prevent
TRENDnet from engaging in the future
in practices similar to those alleged in
the complaint.
Part I of the proposed order prohibits
TRENDnet from misrepresenting (1) the
extent to which TRENDnet or its
products or services maintain and
protect the security of covered device
functionality or the security, privacy,
confidentiality, or integrity of any
covered information; and (2) the extent
to which a consumer can control the
security of any covered information
input into, stored on, captured with,
accessed, or transmitted by a covered
device.
Part II of the proposed order requires
TRENDnet to establish and implement,
and thereafter maintain, a
comprehensive security program to (1)
address security risks that could result
in unauthorized access to or use of the
functions of covered devices, and (2)
protect the security, confidentiality, and
integrity of covered information,
whether collected by respondent or
input into, stored on, captured with,
accessed or transmitted through a
covered device. The security program
must contain administrative, technical,
and physical safeguards appropriate to
TRENDnet’s size and complexity, nature
and scope of its activities, and the
sensitivity of the information collected
from or about consumers. Specifically,
the proposed order requires TRENDnet
to:
(1) Designate an employee or
employees to coordinate and be
accountable for the security program;
(2) identify material internal and
external risks to the security of covered
devices that could result in
unauthorized access to or use of covered
device functionality, and assess the
sufficiency of any safeguards in place to
control these risks;
(3) identify material internal and
external risks to the security,
confidentiality, and integrity of covered
information that could result in the
unauthorized disclosure, misuse, loss,
alteration, destruction, or other
compromise of such information,
whether such information is in
TRENDnet’s possession or is input into,
stored on, captured with, accessed, or
transmitted through a covered device,
and assess the sufficiency of any
safeguards in place to control these
risks;
(4) consider risks in each area of
relevant operation, including but not
limited to (a) employee training and
management; (b) product design,
development and research; (c) secure
software design, development, and
testing; and (d) review, assessment, and
response to third-party security
vulnerability reports;
(5) design and implement reasonable
safeguards to control the risks identified
through risk assessments, including but
not limited to reasonable and
appropriate software security testing
techniques, such as: (a) Vulnerability
and penetration testing; (b) security
architecture reviews; (c) code reviews;
and (d) other reasonable and
appropriate assessments, audits,
reviews, or other tests to identify
potential security failures and verify
that access to covered information is
restricted consistent with a user’s
security settings;
(6) regularly test or monitor the
effectiveness of the safeguards’ key
controls, systems, and procedures;
(7) develop and use reasonable steps
to select and retain service providers
capable of maintaining security
practices consistent with the order, and
require service providers by contract to
establish and implement, and thereafter
maintain, appropriate safeguards; and
(8) evaluate and adjust its information
security program in light of the results
of testing and monitoring, any material
changes to TRENDnet’s operations or
business arrangement, or any other
circumstances that it knows or has
reason to know may have a material
impact on its security program.
Part III of the proposed order requires
TRENDnet to obtain, within the first one
hundred eighty (180) days after service
of the order and on a biennial basis
thereafter for a period of twenty (20)
years, an assessment and report from a
qualified, objective, independent third-party professional, certifying, among
other things, that: (1) It has in place a
security program that provides
protections that meet or exceed the
protections required by Part II of the
proposed order; and (2) its security
program is operating with sufficient
effectiveness to provide reasonable
assurance that the security of covered
device functionality and the security,
confidentiality, and integrity of covered
information is protected.
Part IV of the proposed order requires
TRENDnet to notify consumers whose
cameras were affected by the breach that
their IP cameras had a flaw that allowed
third parties to access their live feeds
without inputting login credentials; and
provide instructions to such consumers
on how to remove this flaw. In addition,
TRENDnet must provide prompt and
free support with clear and prominent
contact information to help consumers
update and/or uninstall their IP
cameras. TRENDnet must provide this
support via a toll-free, telephonic
number and via electronic mail for two
(2) years.
Parts V through IX of the proposed
order are reporting and compliance
provisions. Part V requires TRENDnet to
retain documents relating to its
compliance with the order for a five-year period. Part VI requires
dissemination of the order now and in
the future to all current and future
principals, officers, directors, and
managers, and to persons with
responsibilities relating to the subject
matter of the order. Part VII ensures
notification to the FTC of changes in
corporate status. Part VIII mandates that
TRENDnet submit a compliance report
to the FTC within 60 days, and
periodically thereafter as requested. Part
IX is a provision ‘‘sunsetting’’ the order
after twenty (20) years, with certain
exceptions.
The purpose of this analysis is to
facilitate public comment on the
proposed order. It is not intended to
constitute an official interpretation of
the proposed complaint or order or to
modify the order’s terms in any way.
By direction of the Commission.
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2013–22070 Filed 9–10–13; 8:45 am]
BILLING CODE 6750–01–P
[Federal Register Volume 78, Number 176 (Wednesday, September 11, 2013)]
[Notices]
[Pages 55717-55719]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-22070]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 122 3090]
TRENDnet, Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before October 4, 2013.
ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/trendnetconsent online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``TRENDnet, File No. 122
3090'' on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/trendnetconsent by following the
instructions on the web-based form. If you prefer to file your comment
on paper, mail or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Room H-113 (Annex
D), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Laura Berger (202-326-2471), FTC,
Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for September 4, 2013), on the World Wide Web,
at https://www.ftc.gov/os/actions.shtm. A paper copy can be obtained
from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania Avenue
NW., Washington, DC 20580, either in person or by calling (202) 326-
2222.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before October 4, 2013.
Write ``TRENDnet, File No. 122 3090'' on your comment. Your comment--
including your name and your state--will be placed on the public record
of this proceeding, including, to the extent practicable, on the public
Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a
matter of discretion, the Commission tries to remove individuals' home
contact information from comments before placing them on the Commission
Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which . . . is privileged or confidential,'' as discussed in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR
4.9(c).\1\ Your comment will be kept confidential only if the FTC
General Counsel grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/trendnetconsent by following the instructions on the web-based
form. If this Notice appears at https://www.regulations.gov/#!home you
also may file a comment through that Web site.
If you file your comment on paper, write ``TRENDnet, File No. 122
3090'' on your comment and on the envelope, and mail or deliver it to
the following address: Federal Trade Commission, Office of the
Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue NW.,
Washington, DC 20580. If possible, submit your paper comment to the
Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before October 4, 2013. You can find more
information, including routine uses permitted by the Privacy Act, in
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order applicable to
TRENDnet, Inc. (``TRENDnet'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
TRENDnet is a California corporation that, among other things, sells
networking devices, such as routers, modems, and Internet Protocol
(``IP'') security cameras that allow users to conduct remote
surveillance of their homes and businesses via the Internet. In many
instances, TRENDnet markets its IP cameras under the trade name
``SecurView,'' and tells consumers they may use the cameras to monitor
``babies at home, patients in the hospital, offices and banks, and
more.'' By default, these IP cameras are subject to security settings,
such as a requirement to enter a user name and password (``login
credentials'') in order to access the live video and audio feeds
(``live feeds'') over the Internet. On approximately January 10, 2012,
a hacker discovered a flaw in the IP cameras that allowed access to
these live feeds without entering login credentials, resulting in
hundreds of previously private live feeds being made public.
The Commission's complaint alleges that TRENDnet violated Section
5(a) of the FTC Act by falsely representing that it had taken
reasonable steps to ensure that its IP cameras and mobile apps are a
secure means to monitor private areas of a consumer's home or
workplace. The complaint also alleges that TRENDnet misrepresented that
it had taken reasonable steps to ensure that a user's security settings
on its devices would be honored. Finally, the Commission's complaint
alleges that TRENDnet engaged in a number of practices that, taken
together, failed to provide reasonable security to prevent unauthorized
access to personal information, namely the live feeds from the IP
cameras. Among other things, TRENDnet:
(1) Transmitted user login credentials in clear, readable text over
the Internet, despite the existence of free code libraries (i.e.,
repositories of programming language that can be integrated by third
parties), publicly available since at least 2008, that would have
enabled respondent to secure such transmissions;
(2) stored user login credentials in clear, readable text on a
user's mobile device, despite the existence of free software, publicly
available since 2008, that would have enabled respondent to secure such
stored credentials;
(3) failed to implement a process to actively monitor security
vulnerability reports from third-party researchers, academics, or other
members of the public, despite the existence of free tools to conduct
such monitoring, thereby delaying the opportunity to correct discovered
vulnerabilities or respond to incidents;
(4) failed to employ reasonable and appropriate security in the
design and testing of the software that it provided consumers to
install, operate, and access its IP cameras. Among other things,
TRENDnet, either directly or through its service providers, failed to:
(a) Perform security review and testing of the software at key
points, such as upon the release of the IP camera or upon the release
of software to install, operate, or access the IP camera, including
measures such as:
i. A security architecture review to evaluate the effectiveness of
the software's security infrastructure;
ii. vulnerability and penetration testing of the software, such as
by inputting invalid, unanticipated, or random data to the software;
iii. reasonable and appropriate code review and testing of the
software to verify that access to data is restricted consistent with a
user's privacy and security settings; and
(b) implement reasonable guidance or training for any employees
responsible for the testing, designing, and reviewing the security of
its IP cameras and related software.
The complaint further alleges that, due to these failures, TRENDnet
subjected users to a significant risk that their live feeds would be
compromised, thereby causing significant injury to consumers. Moreover,
the complaint alleges that affected consumers include not only those
consumers who maintained login credentials for their cameras, but also
unwitting third parties who were present in locations under
surveillance by the cameras. The exposure of personal information
through TRENDnet's IP cameras increases the likelihood that consumers
or their property will be targeted for theft or other criminal
activity, increases the likelihood that consumers' personal activities
or the activities of their young children or other family members will
be observed and recorded by strangers over the Internet, impairs
consumers' peaceful enjoyment of their homes, increases consumers'
susceptibility to physical tracking or stalking, and reduces consumers'
ability to control the dissemination of personal or proprietary
information (e.g., intimate video and audio streams or images from
business properties). Indeed, consumers had little, if any, reason to
know that their information was at risk, particularly if those
consumers maintained login credentials for their cameras or were merely
unwitting third parties present in locations where the cameras were
used.
The proposed order contains provisions designed to prevent TRENDnet
from engaging in the future in practices similar to those alleged in
the complaint.
Part I of the proposed order prohibits TRENDnet from
misrepresenting (1) the extent to which TRENDnet or its products or
services maintain and protect the security of covered device
functionality or the security, privacy, confidentiality, or integrity
of any covered information; and (2) the extent to which a consumer can
control the security of any covered information input into, stored on,
captured with, accessed, or transmitted by a covered device.
Part II of the proposed order requires TRENDnet to establish and
implement, and thereafter maintain, a comprehensive security program to
(1) address security risks that could result in unauthorized access to
or use of the functions of covered devices, and (2) protect the
security, confidentiality, and integrity of covered information,
whether collected by respondent or input into, stored on, captured
with, accessed or transmitted through a covered device. The security
program must contain administrative, technical, and physical safeguards
appropriate to TRENDnet's size and complexity, nature and scope of its
activities, and the sensitivity of the information collected from or
about consumers. Specifically, the proposed order requires TRENDnet to:
(1) Designate an employee or employees to coordinate and be
accountable for the security program;
(2) identify material internal and external risks to the security
of covered devices that could result in unauthorized access to or use
of covered device functionality, and assess the sufficiency of any
safeguards in place to control these risks;
(3) identify material internal and external risks to the security,
confidentiality, and integrity of covered information that could result
in the unauthorized disclosure, misuse, loss, alteration, destruction,
or other compromise of such information, whether such information is in
TRENDnet's possession or is input into, stored on, captured with,
accessed, or transmitted through a covered device, and assess the
sufficiency of any safeguards in place to control these risks;
(4) consider risks in each area of relevant operation, including
but not limited to (a) employee training and management; (b) product
design, development and research; (c) secure software design,
development, and testing; and (d) review, assessment, and response to
third-party security vulnerability reports;
(5) design and implement reasonable safeguards to control the risks
identified through risk assessments, including but not limited to
reasonable and appropriate software security testing techniques, such
as: (a) Vulnerability and penetration testing; (b) security
architecture reviews; (c) code reviews; and (d) other reasonable and
appropriate assessments, audits, reviews, or other tests to identify
potential security failures and verify that access to covered
information is restricted consistent with a user's security settings;
(6) regularly test or monitor the effectiveness of the safeguards'
key controls, systems, and procedures;
(7) develop and use reasonable steps to select and retain service
providers capable of maintaining security practices consistent with the
order, and require service providers by contract to establish and
implement, and thereafter maintain, appropriate safeguards; and
(8) evaluate and adjust its information security program in light
of the results of testing and monitoring, any material changes to
TRENDnet's operations or business arrangement, or any other
circumstances that it knows or has reason to know may have a material
impact on its security program.
Part III of the proposed order requires TRENDnet to obtain, within
the first one hundred eighty (180) days after service of the order and
on a biennial basis thereafter for a period of twenty (20) years, an
assessment and report from a qualified, objective, independent
third-party professional, certifying, among other things, that: (1) It has in
place a security program that provides protections that meet or exceed
the protections required by Part II of the proposed order; and (2) its
security program is operating with sufficient effectiveness to provide
reasonable assurance that the security of covered device functionality
and the security, confidentiality, and integrity of covered information
is protected.
Part IV of the proposed order requires TRENDnet to notify consumers
whose cameras were affected by the breach that their IP cameras had a
flaw that allowed third parties to access their live feeds without
inputting login credentials; and provide instructions to such consumers
on how to remove this flaw. In addition, TRENDnet must provide prompt
and free support with clear and prominent contact information to help
consumers update and/or uninstall their IP cameras. TRENDnet must
provide this support via a toll-free, telephonic number and via
electronic mail for two (2) years.
Parts V through IX of the proposed order are reporting and
compliance provisions. Part V requires TRENDnet to retain documents
relating to its compliance with the order for a five-year period. Part
VI requires dissemination of the order now and in the future to all
current and future principals, officers, directors, and managers, and
to persons with responsibilities relating to the subject matter of the
order. Part VII ensures notification to the FTC of changes in corporate
status. Part VIII mandates that TRENDnet submit a compliance report to
the FTC within 60 days, and periodically thereafter as requested. Part
IX is a provision "sunsetting" the order after twenty (20) years,
with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order or to modify the
order's terms in any way.
By direction of the Commission.
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2013-22070 Filed 9-10-13; 8:45 am]