Sentinel Labs, SpyChatter, Vir2us settle with FTC over fake security certificate claims

The trio has been accused of lying to customers about the security standards of their services.


Sentinel Labs, SpyChatter, and Vir2us have settled with the US Federal Trade Commission (FTC) after being accused of lying to their customers about security certificates and compliance.

Earlier this week, the FTC said the three companies -- an endpoint protection provider, a private messaging app provider, and a cybersecurity software distributor -- had all agreed to settlement terms to keep the complaints out of the courtroom.

In a statement, the US watchdog said the firms were formally charged in separate but similar complaints for deceiving consumers about their participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.

According to the FTC, Sentinel Labs, SpyChatter, and Vir2us all "falsely represented in their online privacy policies that they participated in the APEC CBPR system."

The APEC CBPR system is based on the nine data privacy principles of the APEC Privacy Framework: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. To earn certification, companies must undergo a review by an APEC-recognized third-party "accountability agent."

The APEC rules state that participants must implement "appropriate" privacy measures for handling personal and sensitive data, protecting individual privacy, and promoting the free flow of information in a secure manner across borders.

Holding APEC certifications gives customers reassurance that their information is managed securely to a set standard. However, the FTC alleges the charged companies were not, and never have been, certified -- despite claiming that they were.

In addition, Sentinel Labs (which trades as SentinelOne) allegedly claimed to be a participant in a TRUSTe privacy program, a claim the FTC says was also false.

"Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable US companies to compete around the world," said acting chairman Maureen Ohlhausen. "Companies, however, must live up to the promises they make to protect consumer data."

While no fines have been attached to the settlement, the US agency did reveal that each of the three companies is now "prohibited from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization."

In a statement to ZDNet, Kylie Heintz, corporate communications at SentinelOne said, "SentinelOne respects the privacy of its customers and is glad to have amicably resolved this matter with the FTC."

If Sentinel Labs, SpyChatter, or Vir2us break this agreement in the future, the consequences are likely to be severe: violating an FTC consent order exposes a company to civil penalties for each violation.

ZDNet has reached out to SpyChatter and Vir2us and will update if we hear back.
