The Federal Trade Commission (“FTC”) recently gave final approval to a settlement with the Canadian smart locks company Tapplock, Inc. over alleged deceptive practices in the data security context. Tapplock offers Internet-connected, fingerprint-enabled padlocks that interact with a companion mobile app to enable US users to open and close their smart locks when within Bluetooth range.
Notably, the FTC’s complaint did not result from the company suffering a data breach. Instead, three independent security researchers publicly identified a number of “critical physical and electronic vulnerabilities” in Tapplock’s products in June 2018, some of which the FTC says were “reasonably foreseeable [and] could have been avoided if [Tapplock] had implemented simple, low-cost steps.” The FTC’s complaint alleged that the company violated Section 5 of the FTC Act by falsely claiming in its ads that the locks were “secure,” and falsely stating in its privacy policy that it takes “reasonable precautions” and “follow[s] industry best practices” to protect the personal information of its customers.
The three vulnerabilities discussed in the complaint appear to have been sufficiently severe that, in the FTC’s view, their mere existence warranted enforcement action; the action was not triggered by a data breach or other exploitation of the vulnerabilities. One of the vulnerabilities affected a Tapplock API and “allowed researchers to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information,” including location history and precise geolocation of smart locks. Another vulnerability involved a lack of encryption of the Bluetooth communication between the lock and the app, allowing a researcher to discover and reproduce the private keys required to lock and unlock the product. In the third, a researcher discovered a flaw that prevented users from effectively revoking access to the device after providing other users with access.
The FTC concluded that Tapplock did not take reasonable measures or follow industry best practices to secure its products or consumers’ personal information, citing as examples the company’s failure to identify reasonably foreseeable risks to the security of its locks and its customers’ data, such as through vulnerability or penetration testing, its failure to implement procedures to prevent users from circumventing the authentication process to gain access to other customers’ accounts, and its lack of written security policies or appropriate privacy and security training for its employees.
This settlement serves as a reminder that the FTC may take action under Section 5 even absent a data breach if a company does not deliver on its security promises. It also showcases the FTC’s authority over non-US companies that market products to US consumers.