On April 6, 2020, Tapplock, Inc., a Canadian maker of internet-connected smart locks, entered into a settlement with the Federal Trade Commission (“FTC”) to resolve allegations that the company deceived consumers by falsely claiming that it had taken reasonable steps to secure user data and that its locks were “unbreakable.”  The FTC alleged that these representations were deceptive acts or practices under Section 5 of the FTC Act.  In the press release accompanying the settlement, the FTC also offered guidance to IoT companies on designing and implementing privacy and security measures for “smart” devices, discussed further below in this post.

Tapplock sells internet-connected padlocks that the user can open either with a companion mobile app, when within Bluetooth range, or with a fingerprint.  Tapplock advertised its smart locks as “unbreakable” and “strengthened with double-layered lock design.”  Its privacy policy also stated that the company takes reasonable security precautions and follows industry best practices to protect user data.

In its complaint, the FTC alleged that, contrary to those advertisements and the privacy policy, Tapplock’s products were not secure.  In June 2018, three separate security researchers identified both physical security and electronic vulnerabilities in the products.  Citing these researchers, the FTC alleged that Tapplock did not take reasonable steps to secure its products or users’ account data.  The FTC said that these practices contradicted Tapplock’s disclosures to users and amounted to a false or misleading practice in violation of Section 5 of the FTC Act.

In support of its allegation that the company lacked reasonable security measures, the FTC’s complaint noted, among other things, that Tapplock had not:

  • adopted and implemented written data security standards, policies, procedures or practices;
  • identified reasonably foreseeable risks, such as through vulnerability or penetration testing;
  • implemented privacy and security guidance or training for employees responsible for software design, testing, and approval; or
  • implemented measures to detect and prevent users from bypassing its authentication procedures to access user-account information through Tapplock’s API.

The 20-year settlement prohibits Tapplock from misrepresenting the security of its products or its handling of personal information.  It also requires Tapplock to implement a comprehensive security program, which must include, among other requirements:

  • documentation of the security program in writing, with the written program and evaluations of it provided to the board of directors or a similar corporate governing body;
  • designation of a qualified employee to coordinate the security program;
  • implementation of safeguards to control the risks posed by the internet-connected locks, which may include employee training, technical measures, and access controls; and
  • biennial, independent assessments of the security program.

In its press release regarding the settlement, the FTC provides advice for IoT businesses regarding their privacy and security practices.  Specifically, the FTC recommends that IoT companies:

  • practice “security by design” by building security measures into products at the outset of product design and development and by conducting vulnerability and penetration testing before product release;
  • encourage a culture of security through written security standards and designating a senior official responsible for security;
  • design products with secure authentication in mind, which the FTC says “is a must in the Internet of Things” due to the potential for a vulnerable IoT device to allow broader access to the network to which it is connected;
  • take advantage of advice and guidance from security experts to properly implement security measures, such as encryption; and
  • protect the interfaces between your product and other devices or services, since the point at which a service communicates with your device is a common source of security weaknesses.

The FTC’s authority extends to foreign defendants—such as the Canadian Tapplock—in certain circumstances.  Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce” and empowers the agency to act against them.  In 2006, Congress passed the Undertaking Spam, Spyware, and Fraud Enforcement with Enforcers beyond Borders Act of 2006 (“U.S. SAFE WEB Act of 2006”), which amended the FTC Act to clarify that unfair or deceptive acts or practices include those “involving foreign commerce” that “(i) cause or are likely to cause reasonably foreseeable injury within the United States, or (ii) involve material conduct occurring within the United States.”

The FTC’s guidance for IoT companies will be important for companies to consider as they design, manufacture, and provide IoT devices.  Regular updates on developments related to IoT and cybersecurity can be found on Covington’s Internet of Things website.