On April 30, 2018, the Federal Trade Commission (FTC) announced a settlement with mobile phone manufacturer BLU Products and its owner over allegations that the company failed to implement appropriate procedures to oversee its service providers’ security practices, which allowed a service provider to install software containing commonly known security vulnerabilities on consumers’ mobile devices and to collect detailed personal information about consumers, such as text messages and location information, without consumers’ notice and consent.
According to the FTC’s complaint, BLU and its owner contracted with China-based ADUPS Technology to preinstall certain security software on BLU devices. The complaint alleged that, unbeknownst to consumers, the ADUPS software on BLU devices transmitted their personal information to ADUPS servers, including contents of text messages, real-time location data, call and text message logs, contact lists, and a list of applications installed on the device. The FTC did not allege that ADUPS used or disclosed consumers’ personal information.
Separately, the complaint alleged that the ADUPS software contained commonly known security vulnerabilities that, for example, left devices susceptible to “command injection” attacks, which an unknown third party could exploit to gain full access to users’ devices and, among other things, factory reset a device, take screenshots and video recordings of a device’s screen, and install malicious applications.
According to the FTC, the respondents violated the FTC Act by making two separate deceptive claims in the BLU privacy policy: first, that the company would share personal information with service providers only where the service providers needed the personal information to perform their services or function; and second, that the respondents implemented appropriate physical, electronic, and managerial security procedures, when, in fact, they failed to implement appropriate procedures to oversee their service providers’ security practices.
The complaint offers insights into the FTC’s expectations as to how companies should approach their service providers. Specifically, the complaint indicates that the FTC expects companies to: (1) perform adequate due diligence in the selection and retention of service providers, including assessing and evaluating their privacy or security practices before engaging them; (2) adopt and implement written data security standards, policies, procedures, or practices that apply to the oversight of service providers; (3) contractually require service providers to adopt and implement data security standards, policies, procedures, or practices; and (4) assess the privacy and security risks of any third-party software the company causes to be installed on consumers’ devices.
Under the FTC’s consent order, the respondents must implement a comprehensive data security program that addresses security risks associated with new and existing mobile devices, helps prevent unauthorized access of consumers’ personal information, and addresses security risks related to BLU phones. In addition, BLU will be required to engage in third-party assessments of its security program every two years for 20 years, as well as comply with record keeping and compliance monitoring requirements.
Speaking on a panel at a May 2018 conference, Jared Ho, the FTC staff attorney who led the FTC’s BLU investigation, warned that taking a hands-off approach to service providers may land companies in hot water. To avoid FTC scrutiny, companies should perform due diligence when selecting service providers, spell out their security expectations in their contracts, and adopt internal security policies that address the oversight of service providers.