Company Selling Internet Viewable Cameras Settles FTC Claims It Failed to Protect Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

A retailer that sells internet-connected security video cameras to homes and businesses has settled Federal Trade Commission charges that it failed to reasonably secure its cameras, leading to the online posting of live feeds of some 700 cameras, the FTC announced Sept. 4 (In re TRENDnet, Inc., FTC, No. 122 3090, proposed consent order 9/4/13).

The settlement with Torrance, Calif.-based TRENDnet Inc. is the FTC's “first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices--commonly referred to as the 'Internet of Things,' ” the commission said in a Sept. 4 statement. The commission is hosting a Nov. 19 workshop on the topic (12 PVLR 1059, 6/17/13).

According to the FTC's proposed administrative complaint, TRENDnet's internet protocol cameras allow its customers to monitor the security of their homes or businesses through live video and audio feeds available over the internet and mobile devices.

The FTC alleged that TRENDnet “engaged in a number of practices that, taken together, failed to provide reasonable security to prevent unauthorized access to sensitive information, namely the live feeds from the IP cameras.” Those practices allegedly included:

• the transmission of users' login credentials in clear, readable text over the internet;

• the storage of users' login credentials in clear, readable text on their mobile devices;

• the failure to implement a process to monitor third-party security vulnerability reports; and

• the failure to use “reasonable and appropriate security” when designing and testing the IP camera software.


January 2012 Breach

Between April 2010 and February 2012, a setting in the camera software malfunctioned and failed to honor a user's choice concerning whether login credentials should be required to access the live feeds, the FTC alleged. As a result, all users' live feeds became publicly accessible, the FTC said.

In January 2012, a hacker exploited this vulnerability and posted information about the publicly accessible video feeds online, the commission said. Other hackers then allegedly posted links to the live feeds of nearly 700 cameras. “Among other things, these compromised live feeds displayed private areas of users' homes and allowed the unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities,” the FTC said.

The FTC said that following the breach, TRENDnet made available new software to correct the vulnerability and alerted customers concerning the new software.

TRENDnet's actions constitute unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), the FTC alleged. Specifically, its representation that its products are a secure means to monitor a user's home or workplace and its representation that it will honor a user's security settings constitute false or misleading representations, the commission said.

In addition, the FTC said TRENDnet's “fail[ure] to provide reasonable security to prevent unauthorized access to the live feeds from its IP cameras” is an unfair act or practice. The FTC's authority to regulate the data security practices of companies under Section 5's unfairness prong is under review in a controversial case involving Wyndham hotels (FTC v. Wyndham Worldwide Corp., D.N.J., No. 2:13-cv-01887, motions to dismiss filed 4/26/13) (12 PVLR 1465, 9/2/13).

Proposed Settlement Terms

Under the terms of the proposed consent order, TRENDnet has agreed to refrain from misrepresenting the security of its devices or the extent to which consumers can control the security of their information.

The proposed pact would require the company to establish and implement a comprehensive security program and obtain third-party assessments of its security programs every two years for 20 years.

In addition, TRENDnet would have to notify its customers that the cameras had a flaw that allowed third parties to access information from the live feeds and provide free support, through phone and email for two years, to help customers update or uninstall their cameras.

According to the proposed order, the company neither admitted nor denied the allegations in the proposed complaint.

The FTC said it is accepting comments on the proposed agreement through Oct. 4. It released an analysis of the proposed consent order to aid public comment.

Laura D. Berger and Andrea V. Arias, of the FTC, in Washington, represented the commission. John Sun, of the Law Offices of John L. Sun, in Tustin, Calif., represented TRENDnet.

The proposed agreement containing consent order is available at

The proposed administrative complaint is available at

The FTC's analysis of the proposed consent order is available at

Request Bloomberg Law: Privacy & Data Security