FTC Closes Investigation Into Outdated Encryption on Verizon Internet Routers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Nov. 13 — The Federal Trade Commission staff has closed an investigation into whether Verizon Communications Inc. engaged into deceptive acts or practices by failing to secure the routers it provided to high speed Internet and FiOs customers, according to a Nov. 12 FTC staff letter to Verizon's counsel.

The FTC staff found that Verizon shipped routers to customers with Wired Equivalent Privacy (WEP) as the default security setting. WEP, however, is an “outdated encryption standard” that the Institute of Electrical and Electronics Engineers replaced in 2004 with the Wi-Fi Protected Access (WPA) standard and later the Wi-Fi Protected Access 2 (WPA2) standard, according to the letter.

“As a result, many Verizon customers still have routers that are set to the outdated WEP standard, leaving them vulnerable to hackers,” Maneesha Mithal, associate director of the FTC's Division of Privacy and Identity Protection, said in the letter to Dana B. Rosenfeld, partner at Kelley Drye & Warren LLP in Washington.

“We continue to emphasize that data security is an ongoing process,” Mithal said in the letter. “As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly.”

Challenges to FTC's Authority

The FTC's authority to bring data security enforcement actions under Section 5 of the FTC Act, 15 U.S.C. § 45, is being challenged in legal actions involving hotelier Wyndham Hotels and Resorts LLC and former medical laboratory LabMD Inc.

In July, the U.S. Court of Appeals for the Third Circuit granted Wyndham's petition to appeal portions of a district court opinion refusing to dismiss an FTC enforcement action against the company.

LabMD has also appealed a federal district court's dismissal of its claims against the FTC.

Both appeals are pending.

Mitigation Efforts

Among the reasons cited by the FTC staff for closing the investigation were Verizon's “overall data security practices related to its routers” and its efforts to mitigate any risks to customer information.

According to the letter, Verizon has:

• pulled all routers with WEP as a default setting from its distribution centers and changed the default setting on those devices to WPA2;

• implemented an outreach campaign to customers who still have routers with WEP or no encryption; and

• provided customers who have older routers that aren't compatible with the newer encryption standard an opportunity to upgrade to devices that are compatible with WPA2.

The letter reminded organizations of the FTC's expectations concerning the security of encryption on consumer devices.

“As most all consumer devices on the market today are compatible with WPA2, it would likely be unreasonable for Internet Service Providers ('ISPs') or router manufacturers to continue to default consumer routers to WEP encryption,” Mithal said in the letter to Verizon. “We hope and expect that all companies that provide consumers with these products will ensure reasonable and appropriate default security settings.”

The letter cautioned that the closing of the investigation shouldn't be construed as a determination that there was a violation.

The FTC's closing letter is available at http://www.ftc.gov/system/files/documents/closing_letters/verizon-communications-inc./141112verizonclosingletter.pdf.