A Canadian maker of Internet-connected padlocks, Tapplock, Inc. (“Tapplock”), settled Federal Trade Commission (“FTC”) allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. The FTC alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.” The FTC further alleged that Tapplock did not have a security program in place prior to security researchers discovering vulnerabilities in the design and function of the smart locks.

According to the FTC complaint, the smart locks interact with a companion mobile app that enables a user to lock and unlock the smart lock via a Bluetooth connection. The mobile app collects personal information, including usernames, email addresses, profile photos, location history, and the precise location of users’ smart locks. Tapplock advertised the smart locks as “Bold. Sturdy. Secure.” and touted a number of features designed to make the smart locks “unbreakable.” In its privacy policy, Tapplock stated that it takes reasonable precautions and follows industry best practices to make sure users’ personal information is not inappropriately lost, misused, accessed, disclosed, altered or destroyed. Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock and lock the smart locks and gain access to users’ personal information.

Under the terms of the settlement, Tapplock agrees to implement a comprehensive security program and undertake a number of security measures, including obtaining independent assessments of its security program every two years. In a blog post, the FTC reiterated that Internet of Things (“IoT”) companies wanting to avoid similar mistakes should implement “security by design,” encourage a culture of security, design products with authentication in mind, follow industry best practices (such as encryption techniques), and protect interfaces between their IoT products and other devices and services.

The settlement also prohibits Tapplock from misrepresenting its privacy and security practices. According to Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, “[t]ech companies should remember the basics—when you promise security, you need to deliver security.”