On April 30, 2018, BLU Products, Inc. (“BLU”) reached a settlement with the Federal Trade Commission (“FTC”) over allegations that BLU allowed ADUPS Technology Co. LTD (“ADUPS”) to collect detailed personal information about BLU’s consumers without their knowledge or consent, despite BLU’s assurances that it would keep the information secure and private, and that BLU generally failed to implement appropriate security procedures to oversee the security practices of its service providers, in violation of the Federal Trade Commission Act.

  • Background. BLU is a Florida corporation that sells mobile devices to consumers through global and national retailers. Since at least 2015, BLU contracted with ADUPS, a Chinese third-party service provider, to issue security system updates to BLU’s devices. According to the FTC’s complaint, although BLU’s privacy policy stated that third parties only “have access to personal information needed to perform their services or functions,” until at least November 2016 ADUPS collected and transferred to its servers more information than necessary to issue such updates, including the full content of consumers’ text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on BLU devices. Additionally, the FTC alleges that ADUPS software, which manufacturers preinstalled on BLU devices at BLU’s direction, contained commonly known security vulnerabilities that could allow hackers to gain full access to the devices, notwithstanding BLU’s promise to exercise “appropriate physical, electronic, and managerial security procedures to protect the personal information provided by consumers.” After reports of ADUPS’ collection and sharing of personal information went public in November 2016, BLU issued a statement to its consumers that ADUPS had updated its software and put an end to such data collection practices.
  • Complaint. The FTC’s complaint against BLU alleges that the company:
    • misled consumers by falsely claiming it limited third-party collection of data from users of BLU’s devices to information needed to perform requested services;
    • falsely represented that it had implemented “appropriate physical, electronic, and managerial security procedures to protect the personal information provided by consumers” by:
      • failing to perform adequate due diligence in the selection and retention of service providers (for example, by failing to assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that company);
      • failing to adopt and implement written data security standards, policies, procedures or practices that apply to the oversight of its service providers, including ADUPS;
      • failing to contractually require its service providers to adopt and implement data security standards, policies, procedures or practices; and
      • failing to adequately assess the privacy and security risks of third-party software, such as ADUPS.
  • Settlement. Under the proposed settlement agreement, BLU must implement a comprehensive data security program designed to prevent unauthorized access to consumers’ personal information and to address security risks related to BLU devices. The settlement agreement also prohibits BLU from misrepresenting the extent to which it protects the privacy and security of personal information. Pursuant to the proposed settlement agreement, BLU will be subject to record keeping and compliance monitoring requirements, and its security program will undergo third-party assessments every two years for 20 years. BLU will also be required to obtain express affirmative consent from consumers before collecting or disclosing their geolocation information or the content of their communications. The proposed settlement agreement will be subject to public comment for 30 days, ending May 30, 2018, after which the FTC will decide whether to make the proposed consent order final.
  • Observations on Vendor Implications. Per the FTC blog post “Lesson of BLU: Make the right privacy, security calls when working with service providers,” there are certain key lessons companies can learn from this settlement:
    • “Spell out your privacy and security expectations to service providers.” The FTC warns that before hiring a third party to process sensitive data, companies should perform adequate due diligence on such third parties to understand how their services work, what they are being given access to, and what should be done to conform their conduct to the promises made to customers. The FTC also recommends that corresponding terms be built into third-party agreements accordingly.
    • “Monitor contractors’ compliance.” The FTC recommends designing procedures to monitor what service providers are doing on companies’ behalf.
    • “Review your privacy promises from the perspective of a potential service provider.” The FTC suggests that companies reassess their privacy policies when considering bringing on a new service provider that will have access to sensitive information.
    • “The discovery of a data mistake should motivate a company to look forward – and back.” Upon a privacy or security breach or lapse, the FTC says it is important that companies reassess the policies and practices currently in place to protect against repeat breaches in the future. The FTC also advises thinking about what needs to be done to protect existing customers in such a situation.

The authors gratefully acknowledge the assistance of law clerk Mikaela Dealissia in preparing this entry.