Squire Patton Boggs’ State Attorneys General Practice Group comprises lawyers who have served at senior levels in state AG offices around the country and whose practices focus, to one degree or another, on representing clients before these increasingly assertive and powerful, yet often overlooked, government agencies, as explained in detail here.
In these updates, we will call attention to the most noteworthy state AG news or developments emerging in the previous week.
On June 1, Democratic governors and state AGs launched the “United States Climate Alliance,” which is a group of states committed to upholding the environmental promises established through the Paris Climate Accord. Responding to President Trump’s decision to withdraw from the Paris Climate Accord, Pennsylvania AG Josh Shapiro stated that he is “incredibly distressed and disturbed.” Massachusetts AG Maura Healey voiced her disappointment with President Trump’s recent environmental actions and vowed to “hold the line on important measures that have been put in place to protect our habitat and prevent climate change.” AG Healey went on to suggest that President Trump has placed “hundreds of thousands” of clean energy jobs in jeopardy. The AGs did not discuss specific legal strategies but emphasized their commitment to continue challenging President Trump’s “unfortunate executive actions.”
Ohio AG Mike DeWine sued five major prescription opioid manufacturers alleging that the companies “helped unleash a health care crisis that has had far-reaching financial, social, and deadly consequences in the State of Ohio.” The lawsuit asserts that the drug companies purposefully misled Ohioans by presenting false marketing information regarding the risks and benefits of prescription opioids. AG DeWine said, “[t]hese drug manufacturers led prescribers to believe that opioids were not addictive, that addiction was an easy thing to overcome or that addiction could actually be treated by taking even more opioids.” The lawsuit alleges that the companies violated the Ohio Consumer Sales Practices Act and falsely inflated the benefits of opioid medication.
In Safetech IoT Settlement, New York Attorney General Outlines Reasonable Security Program
In the first state Attorney General action against a wireless security company for failing to implement adequate security in its Internet of Things (IoT) devices, the New York Attorney General recently settled with wireless lock company Safetech. According to the settlement, there were alleged security shortcomings despite the fact that the company promised “Privacy When You Want It, Security When You Need It” and represented that its locks protected belongings by securing areas. The Attorney General alleged that the security deficiencies and representations that Safetech made ran contrary to New York state laws that prohibit deceptive acts or practices and false advertising, and that give the Attorney General power to enjoin repeated fraudulent or illegal acts.
The settlement mirrors similar enforcement actions taken by the Federal Trade Commission in the IoT space, such as the D-Link case, ASUS case, and TRENDnet case. These increasingly frequent regulator enforcement actions indicate that IoT device manufacturers should carefully think about security when designing devices.
The Safetech enforcement action started after independent researchers reported in August 2016 that Safetech did not encrypt its users’ passwords when transmitted from a smartphone to the locks. Moreover, the researchers revealed that Safetech did not force users to reset default passwords, which could be discovered easily by brute force attacks. The Attorney General subsequently investigated the company and its practices, ultimately alleging that the security deficiencies discovered by the independent researchers could leave consumers susceptible to hacking and physical theft. According to the settlement, Safetech must now implement a comprehensive security program. The outline of that program sheds light on what the New York Attorney General may consider “reasonable security” for IoT devices.
The settlement agreement requires Safetech to encrypt all passwords and other security credentials, and to prompt users to change the default password during the initial setup process. Safetech also agreed to establish a written comprehensive security program reasonably designed to accomplish the following objectives: (1) address security risks of devices that use security information, and (2) protect the privacy, security, confidentiality, and integrity of security information. The program must include:
- Accountable employee designation;
- Identification of material risks that could lead to unauthorized access to the locks and affect privacy, security, confidentiality, and integrity of security information;
- Performance of risk assessments on operations including employee training, product design, secure software design, response to third party security vulnerability reports, as well as prevention, detection and response to attacks and other security failures;
- Implementation of reasonable safeguards against risks identified during the risk assessment;
- Regular testing of the effectiveness of the safeguards;
- Reasonable vendor management, including contracts that address security; and
- Adjustment of the security program in light of testing.
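To make the two device-level requirements concrete (a default credential that the owner is forced to change at initial setup, and credentials that are never kept in the clear), the following Python model shows how a connected lock's firmware can enforce them. It is an added illustration, not Safetech's code or anything from the settlement: the factory default PIN, the PIN-length rule and the lockout threshold are constructed values chosen for the example. It also adds a lockout after repeated failures, since the researchers' finding above was that the default passwords could be discovered by brute force. Protection of the credential in transit (TLS or an authenticated pairing between phone and lock) is a separate, link-layer concern that this model does not cover.

```python
import hashlib
import hmac
import os
import time

# Constructed placeholder values for this example (not Safetech's real
# default or policy): a factory PIN, a minimum length for a replacement,
# and an online brute-force lockout threshold.
FACTORY_DEFAULT_PIN = "000000"
MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30
PBKDF2_ROUNDS = 100_000


class LockCredentialStore:
    """Credential handling for a network-connected lock (illustrative model).

    Rules enforced:
      * a unit still on the factory default PIN will not unlock until the
        owner sets a new PIN during initial setup;
      * the replacement PIN may not be the factory default or shorter than
        MIN_PIN_LENGTH;
      * only a salted PBKDF2 hash is stored, never the PIN itself;
      * MAX_FAILED_ATTEMPTS wrong guesses trigger a temporary lockout.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._salt = os.urandom(16)
        self._hash = self._derive(FACTORY_DEFAULT_PIN)
        self.must_change_default = True   # set at the factory, cleared by set_pin
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)

    def _check(self, pin: str) -> bool:
        # Constant-time comparison so response timing does not leak matches.
        return hmac.compare_digest(self._derive(pin), self._hash)

    def _register_failure(self) -> None:
        self._failures += 1
        if self._failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0

    def is_locked_out(self) -> bool:
        return self._clock() < self._locked_until

    def set_pin(self, current_pin: str, new_pin: str) -> bool:
        """Owner-initiated PIN change; completing it ends initial setup."""
        if self.is_locked_out() or not self._check(current_pin):
            self._register_failure()
            return False
        if new_pin == FACTORY_DEFAULT_PIN or len(new_pin) < MIN_PIN_LENGTH:
            return False            # refuse to re-enter the insecure state
        self._salt = os.urandom(16)  # fresh salt for the new credential
        self._hash = self._derive(new_pin)
        self.must_change_default = False
        self._failures = 0
        return True

    def unlock(self, pin: str) -> bool:
        """True only for a correct, non-default PIN while not locked out."""
        if self.is_locked_out():
            return False
        if not self._check(pin):
            self._register_failure()
            return False
        self._failures = 0
        # The factory default authenticates but never opens the lock:
        # the owner is sent through the setup flow instead.
        return not self.must_change_default


def setup_and_unlock_demo() -> dict:
    """Walk a fresh unit through first boot, forced PIN change, use, lockout."""
    lock = LockCredentialStore()
    r = {}
    r["default_opens_lock"] = lock.unlock(FACTORY_DEFAULT_PIN)
    r["reuse_default_rejected"] = not lock.set_pin(FACTORY_DEFAULT_PIN, FACTORY_DEFAULT_PIN)
    r["short_pin_rejected"] = not lock.set_pin(FACTORY_DEFAULT_PIN, "1234")
    r["setup_done"] = lock.set_pin(FACTORY_DEFAULT_PIN, "48213-house")
    r["new_pin_opens_lock"] = lock.unlock("48213-house")
    r["old_default_rejected"] = not lock.unlock(FACTORY_DEFAULT_PIN)
    for _ in range(MAX_FAILED_ATTEMPTS):
        lock.unlock("wrong!")       # repeated bad guesses
    r["locked_out"] = lock.is_locked_out()
    r["correct_pin_refused_during_lockout"] = not lock.unlock("48213-house")
    return r


if __name__ == "__main__":
    for name, ok in setup_and_unlock_demo().items():
        print(f"{name}: {ok}")
```

The point of the model is the order of checks: the default PIN is a valid credential only for the purpose of completing setup, a successful `set_pin` is the only transition out of `must_change_default`, and nothing on the device ever holds the PIN after derivation, so a dump of its storage yields salted hashes rather than the credential itself.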
The bottom line is that the FTC is not the only cop on the beat. Attorneys General are becoming increasingly active in the IoT space. Companies should carefully consider the security they implement and take into account recommendations issued by regulators.