The FTC Complaint
As outlined in its complaint, the FTC took issue with a number of MoviePass's business practices. First, the FTC alleged MoviePass deceptively advertised its "unlimited" movie viewing subscription package because it devised and implemented a "password disruption" and "ticket verification" program that limited the frequency with which subscribers could view movies.
On August 20, 2019, however, a security researcher was reported to have breached an exposed database containing consumer personal information. MoviePass confirmed the data breach, which exposed a server containing unencrypted personal information. Financial and other personal information of over 28,000 consumers was affected.
The FTC alleged the breach was made possible because MoviePass:
- Stored personal information in clear text;
- Failed to conduct periodic risk assessments or perform vulnerability and penetration testing;
- Disabled firewalls;
- Failed to provide adequate security training to its employees; and
- Failed to implement safeguards to detect anomalous activity and/or cybersecurity events.
The Proposed Settlement
The proposed settlement prohibits MoviePass from misrepresenting certain terms of its subscription plan. MoviePass is also barred from misrepresenting that it will take reasonable administrative, technical, physical, or managerial measures to protect consumers' personal information from unauthorized access.
MoviePass will need to implement an Information Security Program that includes the following, among other components:
- Documenting the content, implementation, and maintenance of its Information Security Program;
- Providing the written program, evaluations, and updates to its Board of Directors every 12 months and within 30 days of a data breach;
- Designating a qualified employee or employees to coordinate, oversee, and be responsible for the Information Security Program;
- Training all of its employees at least once every 12 months on how to safeguard personal information;
- Implementing technical measures to monitor all of its networks, and all systems and assets within those networks, to identify data security events;
- Testing and monitoring the effectiveness of its safeguards; and
- Selecting and retaining service providers capable of safeguarding the personal information they access.
MoviePass will also need to obtain an initial, and then biannual, third-party assessment of its Information Security Program and cooperate with a third-party information security assessor.
The proposed settlement also provides the foundation for an effective Information Security Program that businesses collecting, storing, using, and sharing personal information should have in place.
The list above is the tip of the iceberg. See the proposed settlement for more details.