ASUSTeK Computer, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 9856-9859 [2016-04190]
Federal Register / Vol. 81, No. 38 / Friday, February 26, 2016 / Notices
FEDERAL TRADE COMMISSION

[File No. 142–3156]

ASUSTeK Computer, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.
SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before March 24, 2016.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/asusconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “ASUSTeK Computer Inc.,—Consent Agreement; File No. 142–3156” on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/asusconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write “ASUSTeK Computer Inc.,—Consent Agreement; File No. 142–3156” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Nithan Sannappa (202) 326–3185 or Jarad Brown (202) 326–2927, Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for February 23, 2016), on the World Wide Web at: https://www.ftc.gov/os/actions.shtm.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 24, 2016. Write “ASUSTeK Computer Inc.,—Consent Agreement; File No. 142–3156” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which . . . is privileged or confidential,” as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).¹ Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

¹ In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).
Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/asusconsent by following the instructions on the web-based form. If this Notice appears at https://www.regulations.gov/#!home, you also may file a comment through that Web site.

If you file your comment on paper, write “ASUSTeK Computer Inc.,—Consent Agreement; File No. 142–3156” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Visit the Commission Web site at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before March 24, 2016. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, a consent order applicable to ASUSTeK Computer, Inc. (“ASUS”).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order.
ASUS is a hardware manufacturer that, among other things, sells routers, and related software and services, intended for consumer use. Routers forward data packets along a network. In addition to routing network traffic, consumer routers typically function as a hardware firewall for the local network, and act as the first line of defense in protecting consumer devices on the local network, such as computers, smartphones, internet-protocol (“IP”) cameras, and other connected appliances, against malicious incoming traffic from the internet. ASUS marketed its routers as including security features such as “intrusion detection,” and instructed consumers to “enable the [router’s] firewall to protect your local network against attacks from hackers.”

Many of ASUS’s routers also include “cloud” software features called AiCloud and AiDisk that allow consumers to attach a USB storage device to their router and then wirelessly access and share files. ASUS publicized AiCloud as a “private personal cloud for selective file sharing” that featured “indefinite storage and increased privacy” and described the feature as “the most complete, accessible, and secure cloud platform.” Similarly, ASUS promoted AiDisk as a way to “safely secure and access your treasured data through your router.”
The Commission’s complaint alleges that, despite these representations, ASUS engaged in a number of practices that, taken together, failed to provide reasonable security in the design and maintenance of the software developed for its routers and related “cloud” features. The complaint challenges these failures as both deceptive and unfair. Among other things, the complaint alleges that ASUS failed to:

a. Perform security architecture and design reviews to ensure that the software is designed securely, including failing to:
   i. Use readily-available secure protocols when designing features intended to provide consumers with access to their sensitive personal information. For example, ASUS designed the AiDisk feature to use FTP rather than a protocol that supports transit encryption;
   ii. implement secure default settings or, at the least, provide sufficient information that would ensure that consumers did not unintentionally expose sensitive personal information;
   iii. prevent consumers from using weak default login credentials. For example, respondent allowed consumers to retain weak default login credentials to protect critical functions, such as username “admin” and password “admin” for the admin console, and username “Family” and password “Family” for the AiDisk FTP server;
b. perform reasonable and appropriate code review and testing of the software to verify that access to data is restricted consistent with a user’s privacy and security settings;
c. perform vulnerability and penetration testing of the software, including for well-known and reasonably foreseeable vulnerabilities that could be exploited to gain unauthorized access to consumers’ sensitive personal information and local networks, such as authentication bypass, clear-text password disclosure, cross-site scripting, cross-site request forgery, and buffer overflow vulnerabilities;
d. implement readily-available, low-cost protections against well-known and reasonably foreseeable vulnerabilities, as described in (c), such as input validation, anti-CSRF tokens, and session time-outs;
e. maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics;
f. perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and
g. provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks.
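The protections named in items a.iii and d above (refusing factory-default credentials, anti-CSRF tokens, and session time-outs) are the kind of low-cost controls an admin console can enforce in a few dozen lines. The following is an illustration added for this page; it is not code from the FTC filing or from ASUS firmware. The ten-minute idle limit, the twelve-character minimum, the HMAC binding of the token to the session id, and every sample value other than the admin/admin and Family/Family pairs quoted in the complaint are the example's own assumptions.

```python
"""Added example (not from the FTC notice or any vendor firmware): a minimal
model of three protections the complaint says were missing from a router's
admin console: rejection of factory-default credentials, per-session
anti-CSRF tokens, and idle session time-outs. Values are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed list of factory defaults the setup flow must refuse to keep.
# The admin/admin and Family/Family pairs are the ones quoted in the complaint.
FACTORY_DEFAULTS = {("admin", "admin"), ("Family", "Family")}
MIN_PASSWORD_LEN = 12            # assumption: minimum length policy
IDLE_TIMEOUT_SECONDS = 600       # assumption: ten-minute idle limit


def credentials_acceptable(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, reason). Refuses factory defaults and trivially weak passwords."""
    if (username, password) in FACTORY_DEFAULTS:
        return False, "factory default credentials must be changed"
    if password.lower() == username.lower():
        return False, "password must differ from username"
    if len(password) < MIN_PASSWORD_LEN:
        return False, f"password shorter than {MIN_PASSWORD_LEN} characters"
    return True, "ok"


class SessionStore:
    """In-memory sessions with idle time-outs and HMAC-bound anti-CSRF tokens.

    `clock` is injectable so the time-out path can be exercised deterministically.
    """

    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._idle_timeout = idle_timeout
        # Per-process secret for deriving CSRF tokens; rotates on every restart.
        self._csrf_key = secrets.token_bytes(32)
        self._sessions: dict[str, float] = {}   # session id -> last activity time

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._clock()
        return sid

    def is_active(self, sid: str) -> bool:
        """True if the session exists and has not been idle past the limit.
        Refreshes the activity timestamp on success, expires the session otherwise."""
        last = self._sessions.get(sid)
        if last is None:
            return False
        now = self._clock()
        if now - last > self._idle_timeout:
            del self._sessions[sid]
            return False
        self._sessions[sid] = now
        return True

    def csrf_token(self, sid: str) -> str:
        """Token bound to the session id, so a token lifted from one session
        is useless against another."""
        return hmac.new(self._csrf_key, sid.encode(), hashlib.sha256).hexdigest()

    def authorize_state_change(self, sid: str, presented_token: str) -> bool:
        """Gate for any request that changes router configuration: the session
        must be live and the presented token must match in constant time."""
        if not self.is_active(sid):
            return False
        return hmac.compare_digest(self.csrf_token(sid), presented_token)


def demo() -> dict:
    """Walk the three checks against a fake clock and return each outcome."""
    fake_now = [1000.0]
    store = SessionStore(clock=lambda: fake_now[0], idle_timeout=600)
    sid = store.create()
    token = store.csrf_token(sid)
    results = {
        "default_creds_rejected": credentials_acceptable("admin", "admin")[0] is False,
        "strong_creds_accepted": credentials_acceptable("owner", "Tr0ub4dor&3-horse")[0],
        "valid_token_accepted": store.authorize_state_change(sid, token),
        # A forged token (constructed) must fail even though the session is live.
        "forged_token_rejected": not store.authorize_state_change(sid, "0" * 64),
    }
    fake_now[0] += 601   # idle longer than the limit
    results["expired_session_rejected"] = not store.authorize_state_change(sid, token)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'pass' if passed else 'FAIL'}")
```

The injected clock keeps the time-out path testable without sleeping; `hmac.compare_digest` avoids leaking the token byte by byte through timing; and deriving the token from the session id means a token copied out of one session cannot authorize a configuration change in another.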
The Complaint further alleges that, due to these failures, ASUS has subjected its customers to a significant risk that their sensitive personal information and local networks will be subject to unauthorized access. For example, on or before February 1, 2014, a group of hackers exploited vulnerabilities and design flaws in ASUS’s routers to gain unauthorized access to thousands of consumers’ USB storage devices. Numerous consumers reported having their routers compromised, and some complained that a major search engine had indexed the files that the vulnerable routers had exposed, making them easily searchable online. Others claimed to be the victims of related identity theft, including a consumer who claimed identity thieves had gained unauthorized access to his USB storage device, which contained his family’s sensitive personal information, such as login credentials, social security numbers, dates of birth, and tax returns. According to the consumer, the identity thieves used this information to make thousands of dollars of fraudulent charges to his financial accounts, requiring him to cancel accounts and place a fraud alert on his credit report. In addition, in April 2015, a malware researcher discovered a large-scale, active exploit campaign that reconfigured vulnerable routers so that the attackers could control and redirect consumers’ web traffic. This exploit campaign specifically targeted numerous ASUS router models.
The proposed consent order contains provisions designed to prevent ASUS from engaging in the future in practices similar to those alleged in the complaint. Part I of the proposed consent order prohibits ASUS from misrepresenting: (1) The extent to which it maintains and protects the security of any covered device (including routers), or the security, privacy, confidentiality, or integrity of any covered information; (2) the extent to which a consumer can use a covered device to secure a network; and (3) the extent to which a covered device is using up-to-date software.
Part II of the proposed consent order requires ASUS to establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing covered devices; and (2) protect the privacy, security, confidentiality, and integrity of covered information. The security program must contain administrative, technical, and physical safeguards appropriate to ASUS’s size and complexity, nature and scope of its activities, and the sensitivity of the covered device’s function or the sensitivity of the covered information. Specifically, the proposed order requires ASUS to:

a. Designate an employee or employees to coordinate and be accountable for the information security program;
b. identify material internal and external risks to the security of covered devices that could result in unauthorized access to or unauthorized modification of a covered device, and assess the sufficiency of any safeguards in place to control these risks;
c. identify material internal and external risks to the privacy, security, confidentiality, and integrity of covered information that could result in the unintentional exposure of such information by consumers or the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
d. consider risks in each area of relevant operation, including, but not limited to: (1) Employee training and management, including in secure engineering and defensive programming; (2) product design, development, and research; (3) secure software design, development, and testing, including for default settings; (4) review, assessment, and response to third-party security vulnerability reports, and (5) prevention, detection, and response to attacks, intrusions, or systems failures;
e. design and implement reasonable safeguards to control the risks identified through risk assessment, including through reasonable and appropriate software security testing techniques, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
f. develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require service providers by contract to implement and maintain appropriate safeguards; and
g. evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to ASUS’s operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on its security program.
Part III of the proposed consent order requires ASUS to obtain, within the first one hundred eighty (180) days after service of the order and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third-party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by Part II of the proposed consent order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security of covered devices and the privacy, security, confidentiality, and integrity of covered information is protected.
Part IV of the proposed consent order requires ASUS to provide clear and conspicuous notice to consumers when a software update for a covered device that addresses a security flaw is available or when ASUS is aware of reasonable steps that a consumer could take to mitigate a security flaw in a covered device. In addition to posting notice on its Web site and informing consumers that contact the company, ASUS must provide security-related notifications directly to consumers. For this purpose, ASUS must provide consumers with an opportunity to register an email address, phone number, device, or other information during the initial setup or configuration of a covered device.
Parts V through IX of the proposed consent order are reporting and compliance provisions. Part V requires ASUS to retain documents relating to its compliance with the order. The order requires that materials relied upon to prepare the assessments required by Part III be retained for a three-year period, and that all other documents related to compliance with the order be retained for a five-year period. Part VI requires dissemination of the order now and in the future to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having supervisory responsibilities relating to the subject matter of the order. Part VII ensures notification to the FTC of changes in corporate status. Part VIII mandates that ASUS submit a compliance report to the FTC within 60 days, and periodically thereafter as requested. Part IX is a provision “sunsetting” the order after (20) years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the proposed consent order. It is not intended to constitute an official interpretation of the proposed complaint or consent order or to modify the consent order’s terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2016–04190 Filed 2–25–16; 8:45 am]
BILLING CODE 6750–01–P
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/asusconsent by following the instructions on the web-based form. If
this Notice appears at https://www.regulations.gov/#!home, you also may
file a comment through that Web site.
If you file your comment on paper, write ``ASUSTeK Computer Inc.,--
Consent Agreement; File No. 142-3156'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024. If possible, submit your paper comment to the
Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before March 24, 2016. You can find more information,
including routine uses permitted by the Privacy Act, in the
Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent order applicable to ASUSTeK Computer, Inc.
(``ASUS'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
ASUS is a hardware manufacturer that, among other things, sells
routers, and related software and services, intended for consumer use.
Routers forward data packets along a network. In addition to routing
network traffic, consumer routers typically function as a hardware
firewall for the local network, and act as the first line of defense in
protecting consumer devices on the local network, such as computers,
smartphones, internet-protocol (``IP'') cameras, and other connected
appliances, against malicious incoming traffic from the internet. ASUS
marketed its routers as including security features such as ``intrusion
detection,'' and instructed consumers to ``enable the [router's]
firewall to protect your local network against attacks from hackers.''
Many of ASUS's routers also include ``cloud'' software features
called AiCloud and AiDisk that allow consumers to attach a USB storage
device to their router and then wirelessly access and share files. ASUS
publicized AiCloud as a ``private personal cloud for selective file
sharing'' that featured ``indefinite storage and increased privacy''
and described the feature as ``the most complete, accessible, and
secure cloud platform.'' Similarly, ASUS promoted AiDisk as a way to
``safely secure and access your treasured data through your router.''
The Commission's complaint alleges that, despite these
representations, ASUS engaged in a number of practices that, taken
together, failed to provide reasonable security in the design and
maintenance of the software developed for its routers and related
``cloud'' features. The complaint challenges these failures as both
deceptive and unfair. Among other things, the complaint alleges that
ASUS failed to:
a. Perform security architecture and design reviews to ensure that
the software is designed securely, including failing to:
i. Use readily-available secure protocols when designing features
intended to provide consumers with access to their sensitive personal
information. For example, ASUS designed the AiDisk feature to use FTP
rather than a protocol that supports transit encryption;
ii. implement secure default settings or, at the least, provide
sufficient information that would ensure that consumers did not
unintentionally expose sensitive personal information;
iii. prevent consumers from using weak default login credentials.
For example, respondent allowed consumers to retain weak default login
credentials to protect critical functions, such as username ``admin''
and password ``admin'' for the admin console, and username ``Family''
and password ``Family'' for the AiDisk FTP server;
b. perform reasonable and appropriate code review and testing of
the software to verify that access to data is restricted consistent
with a user's privacy and security settings;
c. perform vulnerability and penetration testing of the software,
including for well-known and reasonably foreseeable vulnerabilities
that could be exploited to gain unauthorized access to consumers'
sensitive personal information and local networks, such as
authentication bypass, clear-text password disclosure, cross-site
scripting, cross-site request forgery, and buffer overflow
vulnerabilities;
d. implement readily-available, low-cost protections against well-
known and reasonably foreseeable vulnerabilities, as described in (c),
such as input validation, anti-CSRF tokens, and session time-outs;
e. maintain an adequate process for receiving and addressing
security vulnerability reports from third parties such as security
researchers and academics;
f. perform sufficient analysis of reported vulnerabilities in order
to correct or mitigate all reasonably detectable instances of a
reported vulnerability, such as those elsewhere in the software or in
future releases; and
g. provide adequate notice to consumers regarding (i) known
vulnerabilities or security risks, (ii) steps that consumers could take
to mitigate such vulnerabilities or risks, and (iii) the availability
of software updates that would correct or mitigate the vulnerabilities
or risks.
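A secure-defaults audit in the spirit of items i to iii above (clear-text FTP, secure default settings, and retained factory credentials such as admin/admin and Family/Family), written as an added example for this analysis and not taken from ASUS's firmware; the Service model, the finding codes and the short list of common default passwords are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Factory credentials named in the complaint, as (service, username, password).
KNOWN_DEFAULTS = {
    ("admin_console", "admin", "admin"),
    ("aidisk_ftp", "Family", "Family"),
}
# Protocols that carry credentials and file data without transit encryption.
CLEARTEXT_PROTOCOLS = {"ftp", "http", "telnet"}
# Stock passwords to refuse outright (constructed list for this example).
COMMON_DEFAULT_PASSWORDS = {"admin", "password", "family", "1234"}


@dataclass
class Service:
    """One network-facing service on the router (constructed model)."""
    name: str
    protocol: str              # e.g. "ftp", "ftps", "http", "https"
    username: str
    password: str
    wan_exposed: bool = False  # reachable from the internet side, not only the LAN


def weak_password(password: str, username: str) -> bool:
    """Reject short passwords, passwords equal to the username, and stock defaults."""
    pw = password.lower()
    return len(password) < 10 or pw == username.lower() or pw in COMMON_DEFAULT_PASSWORDS


def audit(services: list[Service]) -> list[tuple[str, str]]:
    """Return (service name, finding code) pairs for every insecure setting found."""
    findings = []
    for s in services:
        if (s.name, s.username, s.password) in KNOWN_DEFAULTS:
            findings.append((s.name, "DEFAULT_CREDENTIALS"))
        elif weak_password(s.password, s.username):
            findings.append((s.name, "WEAK_PASSWORD"))
        if s.protocol in CLEARTEXT_PROTOCOLS:
            findings.append((s.name, "CLEARTEXT_PROTOCOL"))
            if s.wan_exposed:
                findings.append((s.name, "CLEARTEXT_EXPOSED_TO_WAN"))
    return findings


def setup_may_complete(services: list[Service]) -> bool:
    """Secure-by-default gate: initial setup finishes only when nothing is flagged."""
    return not audit(services)


if __name__ == "__main__":
    # Constructed sample mirroring the defaults named in the complaint.
    shipped = [
        Service("admin_console", "http", "admin", "admin", wan_exposed=True),
        Service("aidisk_ftp", "ftp", "Family", "Family"),
    ]
    for name, code in audit(shipped):
        print(f"{name}: {code}")
```

Run as a script it lists five findings for the shipped configuration; the same audit wired into the setup wizard would refuse to finish until the defaults are changed and the FTP share is switched to an encrypted transport.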
The Complaint further alleges that, due to these failures, ASUS has
subjected its customers to a significant risk that their sensitive
personal information and local networks will be subject to unauthorized
access. For example, on or before February 1, 2014, a group of hackers
exploited vulnerabilities and design flaws in ASUS's routers to gain
unauthorized access to thousands of consumers' USB storage devices.
Numerous consumers reported having their routers compromised, and some
complained that a major search engine had indexed the files that the
vulnerable routers had exposed, making them easily searchable online.
Others claimed to be the victims of related identity theft, including a
consumer who claimed identity thieves had gained unauthorized access to
his USB storage device, which contained his family's sensitive personal
information, such as login credentials, social security numbers, dates
of birth, and tax returns. According to the consumer, the identity
thieves used this information to make thousands of dollars of
fraudulent charges to his financial accounts, requiring him to cancel
accounts and place a fraud alert on his credit report. In addition, in
April 2015, a malware researcher discovered a large-scale, active
exploit campaign that reconfigured vulnerable routers so that the
attackers could control and redirect consumers' web traffic. This
exploit campaign specifically targeted numerous ASUS router models.
The proposed consent order contains provisions designed to prevent
ASUS from engaging in the future in practices similar to those alleged
in the complaint. Part I of the proposed consent order prohibits ASUS
from misrepresenting: (1) The extent to which it maintains and protects
the security of any covered device (including routers), or the
security, privacy, confidentiality, or integrity of any covered
information; (2) the extent to which a consumer can use a covered
device to secure a network; and (3) the extent to which a covered
device is using up-to-date software.
Part II of the proposed consent order requires ASUS to establish
and implement, and thereafter maintain, a comprehensive security
program that is reasonably designed to (1) address security risks
related to the development and management of new and existing covered
devices; and (2) protect the privacy, security, confidentiality, and
integrity of covered information. The security program must contain
administrative, technical, and physical safeguards appropriate to
ASUS's size and complexity, nature and scope of its activities, and the
sensitivity of the covered device's function or the sensitivity of the
covered information. Specifically, the proposed order requires ASUS to:
a. Designate an employee or employees to coordinate and be
accountable for the information security program;
b. identify material internal and external risks to the security of
covered devices that could result in unauthorized access to or
unauthorized modification of a covered device, and assess the
sufficiency of any safeguards in place to control these risks;
c. identify material internal and external risks to the privacy,
security, confidentiality, and integrity of covered information that
could result in the unintentional exposure of such information by
consumers or the unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks;
d. consider risks in each area of relevant operation, including,
but not limited to: (1) Employee training and management, including in
secure engineering and defensive programming; (2) product design,
development, and research; (3) secure software design, development, and
testing, including for default settings; (4) review, assessment, and
response to third-party security vulnerability reports; and (5)
prevention, detection, and response to attacks, intrusions, or systems
failures;
e. design and implement reasonable safeguards to control the risks
identified through risk assessment, including through reasonable and
appropriate software security testing techniques, and regularly test or
monitor the effectiveness of the safeguards' key controls, systems, and
procedures;
f. develop and use reasonable steps to select and retain service
providers capable of maintaining security practices consistent with the
order, and require service providers by contract to implement and
maintain appropriate safeguards; and
g. evaluate and adjust its information security program in light of
the results of testing and monitoring, any material changes to ASUS's
operations or business arrangement, or any other circumstances that it
knows or has reason to know may have a material impact on its security
program.
Part III of the proposed consent order requires ASUS to obtain,
within the first one hundred eighty (180) days after service of the
order and on a biennial basis thereafter for a period of twenty (20)
years, an assessment and report from a qualified, objective,
independent third-party professional, certifying, among other things,
that: (1) It has in place a security program that provides protections
that meet or exceed the protections required by Part II of the proposed
consent order; and (2) its security program is operating with
sufficient effectiveness to provide reasonable assurance that the
security of covered devices and the privacy, security, confidentiality,
and integrity of covered information is protected.
Part IV of the proposed consent order requires ASUS to provide
clear and conspicuous notice to consumers when a software update for a
covered device that addresses a security flaw is available or when ASUS
is aware of reasonable steps that a consumer could take to mitigate a
security flaw in a covered device. In addition to posting notice on its
Web site and informing consumers who contact the
company, ASUS must provide security-related notifications directly to
consumers. For this purpose, ASUS must provide consumers with an
opportunity to register an email address, phone number, device, or
other information during the initial setup or configuration of a
covered device.
Parts V through IX of the proposed consent order are reporting and
compliance provisions. Part V requires ASUS to retain documents
relating to its compliance with the order. The order requires that
materials relied upon to prepare the assessments required by Part III
be retained for a three-year period, and that all other documents
related to compliance with the order be retained for a five-year
period. Part VI requires dissemination of the order now and in the
future to all current and future subsidiaries, current and future
principals, officers, directors, and managers, and to all current and
future employees, agents, and representatives having supervisory
responsibilities relating to the subject matter of the order. Part VII
ensures notification to the FTC of changes in corporate status. Part
VIII mandates that ASUS submit a compliance report to the FTC within 60
days, and periodically thereafter as requested. Part IX is a provision
``sunsetting'' the order after twenty (20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed consent order. It is not intended to constitute an official
interpretation of the proposed complaint or consent order or to modify
the consent order's terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2016-04190 Filed 2-25-16; 8:45 am]
BILLING CODE 6750-01-P