September 28, 2020

Volume X, Number 272



FTC Settles with Company Over Alleged Deceptive Security Practices

The FTC recently settled with smart lock maker Tapplock, Inc., a Canadian company, over allegations that it deceived consumers with false claims about its product's security. Notably, the allegations arose from vulnerabilities that a security researcher demonstrated, not in the aftermath of a data security breach, which is where such complaints usually originate.

In its complaint, the FTC cited claims Tapplock made in its product advertisements, including that the product was “secure,” with an “unbreakable” design. The FTC also noted that Tapplock’s privacy policy stated that the company deployed “reasonable precautions and follow[s] industry best practices to make sure [personal information] is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.”

However, security researchers pointed out a number of alleged physical and electronic vulnerabilities. For example, by unscrewing the back panel, a researcher was able to open the lock within a few seconds. The lack of encryption on the Bluetooth communication between the lock and the app also allowed a researcher to discover and replicate the keys needed to lock and unlock the product, with no physical tampering required. There were also flaws in how user access was revoked: a user whose access had been revoked could still later authenticate to another user's lock.

The FTC alleged that these product vulnerabilities, combined with the absence of compliance measures such as vulnerability testing, written data security policies and procedures, and privacy and security guidance and training for the employees who designed the software, meant that the company's actual practices were contrary to its claims of "reasonable precautions" and "industry best practices."

As part of the settlement, Tapplock will be required to implement a comprehensive information security program, train employees at least once a year on safeguarding personal information, use specified data access controls, and manage the security of its vendors. Tapplock must also obtain independent third-party assessments of its program every two years and submit each assessment to the FTC for approval.

Putting it Into Practice: This settlement highlights that, even in the absence of a data breach, the FTC may rely on researchers and other evidence of security vulnerabilities in products and services that contradict claims made about privacy and security. It also highlights the importance and value the FTC (like other regulators) places on written information security policies and procedures, regular data security training for employees, and periodic vulnerability tests and security audits; companies will be well served by implementing such compliance measures proactively rather than after a regulator comes calling. For organizations based outside the US, the settlement also serves as a reminder of the factors the FTC may consider when evaluating whether a non-US company is targeting US consumers. Here, the FTC cited the facts that the product was advertised in U.S. dollars, fulfilled by a service provider in the US, and shipped to a US-based warehouse (and that the website referenced this).

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 112


About this Author


Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional services agreements, and other commercial agreements involving technology. Julia advises on strategic and operational decisions involved in conducting internal investigations in response to government investigations or for purposes of corporate compliance.