This article first appeared on June 8, 2021

The folks behind MoviePass have agreed to settle charges with the Federal Trade Commission that the business worked to subvert customers’ ability to use the film subscription service and failed to protect personal data, in a messy case that’s quite the example of poor leadership and poor privacy compliance all rolled into one.

For those who may not remember, MoviePass was one of the wackier startups of the 2010s, promising to disrupt the film industry with discounted movie tickets. Its biggest claim to fame arrived in 2017, when the company announced that for $9.95 per month, subscribers to its mobile app would be allowed to see one film per day in major cinemas throughout the United States.

If you’re thinking, “Wow, a plan that great sounds too good to be true!” — well, yes. You grasp the fundamental issue here.

MoviePass quickly went into financial distress, and implemented various retreats from its initial $9.95 promise: imposing blackout periods on specific films; paring back to only three free films per month for the $9.95 fee; and so forth. The owners, a data analytics firm named Helios & Matheson, finally pulled the plug on MoviePass in September 2019, and then filed for bankruptcy itself in January 2020. Fade to black.

The FTC, meanwhile, brought a complaint against MoviePass for the shenanigans of its senior executives Mitchell Lowe (CEO of MoviePass) and Theodore Farnsworth (CEO of Helios & Matheson while the firm operated MoviePass, now chairman of Helios). According to the FTC, Lowe and Farnsworth engaged in a variety of tactics to prevent MoviePass subscribers from using their accounts as promised by the MoviePass service agreement.

For example, as alleged in the FTC complaint, in 2018 the executives devised a “password disruption program” where MoviePass deliberately invalidated the passwords of its 75,000 most prolific users. The company then warned those users that “we have detected suspicious activity or potential fraud” on their accounts — but when users tried to reset their passwords, MoviePass gave them the run-around with a bogus password-reset program that never actually worked.

Needless to say, this idea alarmed other MoviePass executives. At least one, the FTC says, told Lowe, Farnsworth and other senior execs that so many warnings about suspicious activity “could insinuate there may have been a data breach.” Another said subscribers might start to chatter online about whether their personal data was really safe.

Not to worry. MoviePass had an actual data breach on its hands anyway.

MoviePass Privacy Breach

In August 2019, news broke that MoviePass had failed to secure subscribers’ personal data. After a technical analysis, MoviePass confirmed that more than 28,000 subscribers had their personal data — credit card numbers and expiration dates; names, addresses, dates of birth, and more — exposed on a publicly visible web server for four months in 2019. That server had also been accessed by users in foreign countries where MoviePass didn’t operate. (Read: hackers.)

How did that breach happen? Through the failure of MoviePass to implement basic data privacy protections, the FTC said. Personal data was left unencrypted; risk assessments weren’t performed; training wasn’t conducted; security controls weren’t used. The company even disabled a firewall in April 2019 to move its data onto a new server, which seems to be the one left exposed to anybody with an internet connection.

Anyway, here we are: the FTC announced on Monday that it had reached a settlement with Lowe, Farnsworth, and the last corporate remnants of Helios & Matheson, which is still working its way through a Chapter 7 bankruptcy filing.

The company will pay no monetary penalty because there’s no company left. Lowe and Farnsworth, meanwhile, “will be barred from misrepresenting their business and data security practices” in any future business they run, and must also implement rigorous data security programs in any future endeavors. (Lowe and Farnsworth themselves neither admit nor deny the allegations in the FTC complaint.)

Which, at long last, brings us to the information security practices that the FTC wants Lowe and Farnsworth to implement, should they ever be in charge of a business again. That’s worth an exploration, since the FTC has been talking up the importance of keeping customers’ personal data secure — and that posture is only going to increase in the Biden Administration, both at the FTC and in other regulatory agencies.

Standards for Good Data Stewardship

The FTC’s required information security program has eight parts. They are:

  • Document the content, implementation, and maintenance of the program in writing.
  • Provide that written documentation to the board at least once a year, and within 30 days of any significant security incident.
  • Assign a specific, qualified employee to oversee the security program.
  • Perform a security risk assessment at least once a year, or within 30 days of any significant security incident.
  • Implement risk-based safeguards for data protection. And while the specific safeguards might vary from one business to the next, those safeguards should always include employee training, technical measures to monitor network access, and access controls for sensitive data.
  • Test those safeguards at least once a year, and within 30 days of a significant cybersecurity incident. (The safeguards must include network penetration testing, also done at least once a year.)
  • Require any third parties handling confidential data to maintain their own sufficient safeguards for any confidential information of yours that they might handle.
  • Review and re-evaluate the security program at least annually.

CISOs and internal auditors could print out that list and pin it to the office bulletin board, really. (Assuming we all return to offices sometime soon.) The FTC’s requirements are an excellent summary of the fundamentals that any company should have in place for an effective privacy compliance program.

The agreement also requires an independent assessment of the information security program by a third party. Any business that Lowe and Farnsworth are involved with must fully cooperate with that independent assessor. Those covered businesses will also need to report cybersecurity incidents to the FTC within 30 days of the incident occurring.

The lesson for the rest of us: implement a rigorous data security program — which, really, reads a lot like any other compliance program. Executive leadership, risk assessments, internal controls, monitoring of third parties, training, periodic review of program effectiveness. Ain’t it funny how those things keep cropping up?