On April 6, the Federal Trade Commission settled with smart lock maker Tapplock over allegations that it deceived consumers by falsely claiming that its locks were “unbreakable” and that the company took reasonable steps to secure the personal data it collected from users.
Tapplock sells fingerprint-enabled, Internet-connected padlocks that interact with a mobile app to allow users to lock and unlock their locks when within Bluetooth range. The company’s advertisements claimed the locks were “Bold. Sturdy. Secure.” The Tapplock app also collects information about the user, including email addresses, profile photos, and location data.
Despite the company’s claims, security researchers easily identified both physical and electronic vulnerabilities in the locks. The FTC also alleged that Tapplock failed to implement a security program, or to take other steps, that might have allowed the company to discover the electronic vulnerabilities in its locks before they were found by outsiders.
Privacy and Security are Critical
With the Internet of Things (IoT) becoming ever more prevalent in daily life, the Tapplock settlement serves as a reminder to developers to take proactive steps to secure their products from unauthorized access and manipulation, and to be careful not to over-promise or exaggerate in their advertising campaigns.
The Tapplock matter also demonstrates that the FTC is willing to act on privacy and security claims even where no data breach has occurred.
Key Indicators to Keep in Mind
The settlement provides several guideposts for companies seeking to reduce their risk of coming under the agency’s watchful eye, including:
- Avoiding misrepresentations regarding the extent to which the company maintains and protects the security of the device or the privacy and confidentiality of any gathered personal information
- Documenting in writing the content, implementation procedures and maintenance protocols of the company’s security program
- Providing written evaluations of the security program to the board of directors or a senior officer at least once every 12 months
- Designing, implementing, maintaining and documenting safeguards to control any identified internal and external security risks
- Providing annual training to all relevant employees on how to safeguard personal information gathered with the device
- Implementing technical measures to monitor networks and devices
- Instituting data access controls for all databases storing personal information
- Requiring third-party service providers to implement and maintain safeguards for devices and personal information
Our Privacy, Cybersecurity and Data Management team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on these issues.