Why HTC’s Settlement is a Game Changer for Secure Development

Friday, March 08, 2013

Rohit Sethi


HTC, a mobile device manufacturer, was recently in the press for a settlement with the Federal Trade Commission (FTC). This isn’t the first time an organization has settled with the FTC over security or privacy issues. Twitter, Petco, and others have settled and been subject to FTC audits. However, as a recent blog post by law firm Holland and Knight points out, the HTC settlement is one of the most significant in years.

Unlike other cases, the HTC settlement is not based on high-profile breaches. Instead, it points out: “HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices”.

The FTC is holding a company accountable for negligence in secure development. It’s worth mentioning that most companies are not otherwise legally required to follow secure development practices. In our experience, American organizations tend to only require applications to undergo increased secure development scrutiny if they fall under the scope of the Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Defense Information Systems Agency (DISA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA) or other specific legislation for highly regulated industries. In other words, the vast majority of software does not have any legal requirement to build security in.

Here’s why this is a game changer for secure development:

The HTC settlement means that companies that claim to protect customer data but do not provide adequate safeguards are potentially subject to legal action. No longer is simply having a firewall, a scanner and an SSL certificate sufficient to meet the low standard of due diligence. Information security departments have a new tool in promoting the importance of secure development practices. This is particularly true for non-regulated industries like eCommerce, retail, and independent software vendors (ISVs), where securing software often means a slower time-to-market. Companies that are subject to FTC audits and fail to implement safeguards may be subject to huge fines.

Cross-posted from the SD Elements blog.
