Lesson of BLU: Make the right privacy, security calls when working with service providers


Keep a watchful eye on your service providers. For conscientious companies, that’s Privacy & Data Security 101. It’s also a key compliance tip from the FTC’s proposed settlement with mobile device manufacturer BLU.

Florida-based BLU sells mobile devices – according to the company, more than 50 million of them – through big-name national and global retailers. It outsources production to manufacturers who build the devices to BLU’s specifications. BLU is also responsible for selecting the preinstalled software, the default settings, and certain security features.

Among other claims, BLU made two express promises to its customers. First, BLU said, “We limit the disclosure of your information to only the third parties (e.g. service providers) we use to fulfill our obligations to you” – for example, taking orders, delivering packages, or processing payments. “These companies have access to personal information needed to perform their services or functions, but may not use it for other purposes.” Second, BLU said that it exercises “appropriate physical, electronic, and managerial security procedures to help protect” customers’ personal information.

So how did a third-party software company end up in possession of highly confidential data from BLU customers, including the contents of their text messages? The complaint recaps how that allegedly happened.

Since at least 2015, BLU directed manufacturers to preinstall software from a Chinese company, ADUPS Technology. ADUPS offers advertising, data mining, and firmware over-the-air (FOTA) update services to mobile and Internet of Things connected devices. (FOTA updates allow manufacturers to issue security patches or operating system upgrades to devices over wireless and cellular networks.) BLU signed a contract to have ADUPS perform FOTA updates on its devices. That was all ADUPS was supposed to do, but according to the FTC, that’s not all ADUPS did.

Until at least November 2016, ADUPS software on BLU devices transmitted personal information about consumers to ADUPS’ servers in China without consumers’ knowledge and consent. We’re talking about the content of their texts, real-time cell tower location data, call and text logs with full phone numbers, contact lists, and the apps on each device. According to the complaint, ADUPS’ software transmitted consumers’ texts to its servers every 72 hours and sent back real-time location data every 24 hours. And let’s be clear: That’s not information ADUPS “needed to perform their services or functions.”
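The behavior the complaint describes, scheduled uploads to a fixed server every 24 or 72 hours, is exactly the kind of pattern a manufacturer reviewing a vendor component’s network traffic can look for. The script below is an added example, not code from the FTC or from BLU or ADUPS: it runs over a handful of constructed outbound-flow records (the timestamps, hostnames and byte counts are made up for illustration) and flags destinations contacted at a near-constant interval, which is how a preinstalled component phoning home on a timer stands out from irregular, user-driven traffic.

```python
"""Periodic-beacon detection over constructed outbound flow records.

Added example, not part of the original post. Flags destinations that a
device contacts at a near-constant interval, the cadence described for
the ADUPS component (location data every 24 hours, text content every
72 hours). All hostnames and records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed egress log: "<UTC timestamp> <destination host> <bytes sent>".
# fota.example-vendor.test is contacted at 03:00 every day with small jitter;
# cdn.example-app.test is contacted at irregular, user-driven times.
SAMPLE_FLOWS = """\
2016-11-01T03:00:12Z fota.example-vendor.test 20480
2016-11-01T09:14:55Z cdn.example-app.test 1024
2016-11-02T03:00:40Z fota.example-vendor.test 19900
2016-11-02T18:30:02Z cdn.example-app.test 4096
2016-11-03T01:00:00Z cdn.example-app.test 2048
2016-11-03T03:01:05Z fota.example-vendor.test 21000
2016-11-04T03:00:21Z fota.example-vendor.test 20100
2016-11-04T11:05:00Z cdn.example-app.test 512
2016-11-05T03:00:58Z fota.example-vendor.test 20800
"""


def parse_flows(text):
    """Parse 'timestamp host bytes' lines into (datetime, host, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, host, int(nbytes)))
    return flows


def find_beacons(flows, min_contacts=4, max_cv=0.05):
    """Return hosts the device contacts at a near-constant interval.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps
    between successive contacts. Scheduled uploads have almost identical
    gaps (cv near 0); traffic driven by a person using the device does not.
    """
    by_host = defaultdict(list)
    for when, host, nbytes in flows:
        by_host[host].append((when, nbytes))

    beacons = {}
    for host, contacts in by_host.items():
        if len(contacts) < min_contacts:
            continue  # too few samples to judge regularity
        contacts.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 3600
                for a, b in zip(contacts, contacts[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[host] = {
                "period_hours": period,
                "jitter_cv": cv,
                "contacts": len(contacts),
                "bytes_out": sum(n for _, n in contacts),
            }
    return beacons


if __name__ == "__main__":
    for host, info in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: every {info['period_hours']:.1f} h, "
              f"{info['contacts']} contacts, {info['bytes_out']} bytes out")
```

On the constructed input only the vendor host is reported, with a period of about 24 hours. A real review would feed this the device’s actual egress logs, captured over a window long enough to cover the longest expected cadence (several days here), and would then compare each flagged destination and its data volume against what the service contract actually requires the vendor to send.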

The proposed complaint alleges that BLU and company president Samuel Ohev-Zion deceptively represented: 1) that they limited the disclosure of users' information to third-party service providers only to the extent necessary to perform their services, and 2) that they implemented appropriate physical, electronic, and managerial security procedures to protect consumers' information. To settle the case, the respondents have agreed – among other things – to a mandated data security program and data security assessments by a third party. The order also requires that they get express affirmative consent from consumers before collecting or disclosing their geolocation information or the content of their communications.

The FTC is accepting public comments about the proposed settlement until May 30, 2018. What can other companies learn from the FTC’s latest law enforcement action?

Spell out your privacy and security expectations to service providers. Before you hire a company to process sensitive data, dive into due diligence. Understand how their services work, what you are giving them access to, and what needs to be done to conform their conduct to the promises you make to customers. Build those considerations into your contracts.

Monitor contractors’ compliance. The ink may be dry, but the job has just begun. Build in procedures to keep an eye on what service providers are doing on your behalf. It’s been a cornerstone of Start with Security, Stick with Security, and years of FTC cases: Sensible data practices – including verifying that contractors are living up to your privacy and security expectations – are an ongoing process.

Review your privacy promises from the perspective of a potential service provider. How often should a company reread its privacy policy? The obvious answer is regularly, but one milestone that should definitely trigger a careful reassessment is when you’re thinking about bringing on a service provider who will have access to sensitive information.

The discovery of a data mistake should motivate a company to look forward – and back. When a business gets credible information about a privacy or security lapse, it’s important to reassess policies and practices for the future. But what about existing customers? Think through what needs to be done to protect them, too.

Looking for compliance guidance? Start with Security and Stick with Security offer specific tips on working with security providers. Pressed for time? Watch this video.

Comments

I have owned five BLU phones for the past 2 to 3 years. I bought it from Fry's because it was the biggest screen for a mobile device (7 in). The 5 phones, as I broke one and got another, had viruses, according to the several versions of anti-virus software I used over the past year. At least one virus version I could not uninstall. The anti-virus companies I consulted (Lookout, Avast, Malwarebytes, etc.) all said the viruses were put on by the manufacturer and they could not remove them without reinstalling the OS. What do I do to get a refund for all this time and hassle?

I have been using BLU phones for 3 years and was unaware that my data was at risk from transfers to unauthorized companies in China. Why? This is not what I signed up for! I use a reputable phone carrier but now I don't know who to trust with my personal data on mobile phones. This illegal data theft should be stopped NOW!!!

I've recently had a problem with spyware being on my phone without my knowledge or consent. My provider is T-Mobile and manufacturer is LG. Each blame the other. Unacceptable!!!
