The FTC focused on representations made by Venmo that it utilized “bank grade security systems and data encryption” to protect transactions and safeguard against unauthorized access to financial information. To highlight how far Venmo’s security was from “bank grade,” the FTC singled out specific safeguards that Venmo did not undertake. For example, the FTC cited Venmo’s failure to provide consumers with security notifications regarding changes to account settings (i.e., changes to a password or email address, or the addition of a new device), Venmo’s failure to maintain adequate customer support capabilities, and Venmo’s lack of urgency in responding to reports of unauthorized transactions.

It is clear that the FTC considers notifying consumers of a change to their account settings, or of potential unauthorized access, to be a basic security measure. As a result, companies would be well advised to review their privacy practices to ensure that these notifications are included as part of their security program safeguards. Additionally, companies should consider reviewing their customer support capabilities and employee training so that staff respond appropriately to consumer inquiries and escalate reports of unauthorized transactions or access to information in a timely manner.

Fully Compliant Privacy Notices Are Mandatory