August 7, 2020

Volume X, Number 220

Canadian Maker of Smart Locks Settles with FTC Over Deceptive Security Claims

A Canadian maker of Internet-connected padlocks, Tapplock, Inc. (“Tapplock”), settled Federal Trade Commission (“FTC”) allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. The FTC alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.” The FTC further alleged that Tapplock did not have a security program in place prior to security researchers discovering vulnerabilities in the design and function of the smart locks.

According to the FTC complaint, the smart locks interact with a companion mobile app that enables a user to lock and unlock the smart lock via a Bluetooth connection. The mobile app collects personal information, including usernames, email addresses, profile photos, location history, and the precise location of users’ smart locks. Tapplock advertised the smart locks as “Bold. Sturdy. Secure.” and touted a number of features designed to make the smart locks “unbreakable.” In its privacy policy, Tapplock stated that it takes reasonable precautions and follows industry best practices to make sure users’ personal information is not inappropriately lost, misused, accessed, disclosed, altered or destroyed. Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock and lock the smart locks and gain access to users’ personal information.

Under the terms of the settlement, Tapplock agrees to implement a comprehensive security program and undertake a number of security measures, including obtaining independent assessments of its security program every two years. In a blog post, the FTC reiterated that Internet of Things (“IoT”) companies wanting to avoid similar mistakes should implement “security by design,” encourage a culture of security, design products with authentication in mind, follow industry best practices (such as encryption techniques), and protect interfaces between their IoT products and other devices and services.

The settlement also prohibits Tapplock from misrepresenting its privacy and security practices. According to Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, “[t]ech companies should remember the basics—when you promise security, you need to deliver security.”

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 101

