Three US companies have settled with the FTC after they were accused of lying about the security safeguards on their customer information.
Sentinel Labs, SpyChatter, and Vir2us have all agreed to adhere to the US trade regulator’s settlement terms after they were formally charged with falsely claiming certification with the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) standard.
Sentinel Labs produces anti-malware software, while Vir2us makes the Xeropass password manager, and SpyChatter offers a private messaging app.
The CBPR rules [PDF] outline how companies within the APEC nations secure and transfer customer data, as well as how they handle requests to disclose what personal data they have collected.
Among the requirements for certification is an audit performed by an outside “accountability agent” who reviews the business for compliance and then recommends whether to award the certification.
This, the FTC said, was where the three companies fell short. None of them had undergone that review, so none was formally certified or had any legal right to claim its products were compliant with the APEC-CBPR. The commission further charged that one of the companies, Sentinel Labs, also falsely claimed it was certified under the TRUSTe program.
“Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable US companies to compete around the world,” FTC chairman Maureen Ohlhausen said of the deal.
“Companies, however, must live up to the promises they make to protect consumer data.”
The settlement itself doesn’t carry any fine, but does put the companies under a looming threat of stiff penalties should they – at any point in the next 20 years – be found to be lying about their security or privacy certifications (or lack thereof). Each violation would put the offender on the hook for FTC fines of up to $40,654.
Source: SANS ISC SecNewsFeed @ February 23, 2017 at 01:39PM