MoviePass settles claims of personal data failings with FTC

The United States’ consumer watchdog claims the company failed to take reasonable steps to secure personal information it collected from subscribers, such as their names, email addresses, birth dates, credit card numbers and geolocation information.

“For example, the company stored consumers’ personal data including financial information and email addresses in plain text and failed to impose restrictions on who could access personal data,” the FTC said.

“MoviePass noted in its privacy policy that it used reasonable measures to protect personal information including encrypting customer emails and payment information …

“Despite these claims, MoviePass’s operators left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorised access.”

Under the settlement, MoviePass, parent company Helios and Matheson Analytics and their principals, Mitchell Lowe and Theodore Farnsworth, must implement a comprehensive security programme which includes identifying external and internal security risks and taking steps to address those risks.

They are also required to obtain biennial assessments of the company’s information security programme by a third party and notify the FTC of any future data breaches.

In addition, MoviePass’s operators are prohibited from misrepresenting the company’s services.

The FTC alleges the service’s operators took steps to block subscribers from using the service as advertised (a movie a day) by invalidating passwords, launching a ticket verification programme and using ‘trip wires’ to block groups of users, such as those who viewed more than three films per month.

The FTC’s settlement order does not include monetary relief for consumers. MoviePass and Helios have filed for bankruptcy.

Under US law, following publication in the Federal Register there is a 30-day public consultation period about the proposed agreement.