A Blog About FTC regulations and happenings
FTC Enforcement Reminds Companies to Live Up to Their Promises
The FTC recently announced its settlement with Tapplock, Inc., a maker of smart padlocks (Internet-connected, fingerprint-enabled padlocks that you can use in lieu of old-fashioned combination locks). The FTC investigated the Canada-based company for its allegedly false claims that its Internet-connected smart locks were designed to be “unbreakable” and that the company took reasonable steps to secure the data that it collected from consumers.
According to the FTC’s announcement, FTC security researchers investigated and identified a number of physical and electronic vulnerabilities in Tapplock’s padlocks. These vulnerabilities allowed researchers to unlock the company’s smart locks physically, by simply unscrewing the back panel of the locks, and electronically, by exploiting unencrypted Bluetooth connections between the product’s app and the lock. Researchers were further able to bypass an account authentication process to access Tapplock user accounts, including viewing usernames, email addresses, profile photos, location histories, and the precise locations of the padlocks.
According to the FTC’s complaint, these representations (that the locks were “unbreakable” and that consumer data was reasonably secured) were “false or misleading” and violated Section 5(a) of the Federal Trade Commission Act. The complaint alleges that several “security researchers” were able to demonstrate that Tapplock did not live up to its promises.
The FTC’s settlement will require Tapplock, among other things, to (1) implement a comprehensive security program, (2) refrain from misrepresenting its privacy and security practices, and (3) obtain third-party assessments of its information security program every two years (subject to FTC approval of the assessor).
In the FTC’s Business Blog discussion of the Tapplock settlement, the Commission provided general guidance for businesses in the Internet of Things space. For instance: (1) build security into products at the outset; (2) create written security standards, designate a senior executive responsible for product security, and train staff to recognize vulnerabilities; (3) design products to incorporate effective authentication procedures; (4) employ industry best practices, including standard encryption; and (5) ensure interfaces are secured.
The guidance that the FTC provides sounds a lot like the privacy principles underlying prevailing regulatory frameworks (e.g., the GDPR). And they are good standards that companies should employ, not only to avoid hot water with the Commission, but to avoid a data breach and to avoid problems with other regulators in jurisdictions where you do business.
But there is another point we would like to emphasize: the FTC’s authority to investigate and to institute enforcement actions against companies like Tapplock is based upon Section 5(a) of the Federal Trade Commission Act, which empowers the Commission to protect against “unfair or deceptive acts or practices in or affecting commerce.” The FTC did not file its complaint against Tapplock exclusively for its security failures. It filed suit against Tapplock because the company publicly claimed it was secure, which the FTC proved to be wrong. If Tapplock’s advertisements and privacy statement had asserted that its technology was “pretty good” and “may be secure,” or if its privacy statement had said that “we cannot guarantee your data will be secure with us, but we work on data security to try to make sure it’s safe from misuse,” the FTC likely would not have had an action against the company. (The company probably wouldn’t have had many takers for its padlocks either.) The FTC’s power comes from using companies’ claims against them.
An important takeaway for businesses: be smart about data privacy and data security, but also, be honest with your consumers and be careful not to go “too big” in your privacy claims. Say what you do and do what you say.