On April 6, the Federal Trade Commission announced a settlement with Tapplock, Inc. for falsely claiming in its privacy policy that its fingerprint-sensing smart locks were “unbreakable” and that it followed “industry best practices” to ensure that a user’s personal information was protected. After three security researchers identified various physical and electronic vulnerabilities with the smart locks in June 2018, the FTC’s Bureau of Consumer Protection alleged that Tapplock – a Canadian company – violated Sections 4 and 5 of the Federal Trade Commission Act.

While Tapplock and the FTC agreed that the Internet of Things company neither admits nor denies any of the allegations in the complaint, the FTC specifically alleged several vulnerabilities that left a user’s personal information easily accessible and exposed even after the user revoked an intruder’s unauthorized access. In addition, the FTC alleged that Tapplock promised its Internet-connected, Morse-Code unlocking, and Bluetooth accessible smart locks were “secure,” yet the company “failed to take reasonable precautions” or even test that its claims were true.

Tapplock’s fingerprint-enabled smart locks boast enterprise-level encryption, proprietary anti-shim technology, and multiple cybersecurity protocols. Users can control the smart locks with a mobile app that collects personal information including usernames, email addresses, profile photos, location history, and the precise geolocation of the lock. Contrary to its claims that such information remained secure, the FTC alleged that a user could log in to her own account and then access another user’s account without that user’s credentials, circumventing Tapplock’s authentication procedures altogether. Another alleged vulnerability allowed a security researcher to lock and unlock any nearby smart lock via Tapplock’s unencrypted Bluetooth link.
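The account-access allegation above is an instance of a well-known failure class: an API that checks only that the caller is logged in, not that the caller owns the record being requested. The block below is an added illustration written for this post, not Tapplock’s code or API; the handler names, the record fields, and the access-log format are all assumptions. It shows a handler with the defect beside its hardened form, and a small log scan a defender could use to spot successful cross-account reads.

```python
"""Added illustration of broken object-level authorization, the class the
post describes. Generic example code, not Tapplock's application."""
from dataclasses import dataclass
from typing import Optional


class Unauthorized(Exception):
    """No valid session: the caller never authenticated."""


class Forbidden(Exception):
    """Valid session, but the caller does not own the requested record."""


@dataclass(frozen=True)
class Session:
    user_id: int  # identity the server established at login


# Constructed sample records; field names are assumptions for the example.
ACCOUNTS = {
    1: {"username": "alice", "email": "alice@example.com", "lock_geo": (45.42, -75.69)},
    2: {"username": "bob", "email": "bob@example.com", "lock_geo": (43.65, -79.38)},
}


def get_account_vulnerable(session: Optional[Session], requested_id: int) -> dict:
    """Authentication only: any logged-in user can read any account simply by
    supplying a different id, which is the pattern the FTC alleged."""
    if session is None:
        raise Unauthorized()
    return ACCOUNTS[requested_id]


def get_account_hardened(session: Optional[Session], requested_id: int) -> dict:
    """Authentication plus object-level authorization: the id in the request
    must match the identity bound to the session, never a client-supplied value."""
    if session is None:
        raise Unauthorized()
    if requested_id != session.user_id:
        raise Forbidden()
    return ACCOUNTS[requested_id]


def access_allowed(session: Optional[Session], requested_id: int) -> bool:
    """Convenience wrapper: True only when the hardened handler permits the read."""
    try:
        get_account_hardened(session, requested_id)
        return True
    except (Unauthorized, Forbidden):
        return False


# Detection side: constructed API access-log lines (format is an assumption).
SAMPLE_LOG = """\
2020-01-01T10:01:02Z session_user=1 GET /api/users/1 status=200
2020-01-01T10:01:09Z session_user=1 GET /api/users/2 status=200
2020-01-01T10:02:15Z session_user=2 GET /api/users/2 status=200
2020-01-01T10:03:40Z session_user=2 GET /api/users/1 status=403
"""


def find_cross_account_reads(log_text: str) -> list:
    """Return (timestamp, session_user, requested_user) for each successful
    request whose session identity differs from the account it fetched.
    A 403 line is the hardened handler working and is not reported."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, sess, _method, path, status = parts
        if not path.startswith("/api/users/") or status != "status=200":
            continue
        session_user = int(sess.split("=", 1)[1])
        requested_user = int(path.rsplit("/", 1)[1])
        if session_user != requested_user:
            hits.append((ts, session_user, requested_user))
    return hits


if __name__ == "__main__":
    alice = Session(user_id=1)
    print(get_account_vulnerable(alice, 2)["username"])  # "bob": the defect
    print(access_allowed(alice, 2))                       # False: hardened refuses it
    print(find_cross_account_reads(SAMPLE_LOG))           # the one successful cross-account read
```

The hardening is a single comparison, which is why this class of bug survives so easily: nothing in the vulnerable handler looks wrong, it simply trusts an identifier the client chose. The log scan complements the fix by surfacing any successful reads that an unpatched endpoint already served.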

The FTC unanimously voted 5-0 to issue the complaint and to accept the standard consent order, familiar from similar cases, which will last for at least 20 years. These standard terms require Tapplock to implement and maintain a comprehensive security program and to conduct periodic vulnerability and penetration testing to ensure the effectiveness of the new safeguards. Tapplock cannot misrepresent in any manner the extent to which it protects the security of its smart locks and users’ personal information. Tapplock must also procure assessments of the new security program from an independent third-party professional every two years and submit that assessment to the FTC for approval. Finally, Tapplock must certify its compliance annually, submit officer and employee acknowledgments of the order for 20 years, and create certain records subject to FTC inspection upon written request.

Miranda Dore

Miranda Dore is an attorney in the firm’s government investigations, compliance and enforcement section. Her practice focuses on representing clients involved in regulatory, civil and criminal investigations and litigation.

Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Ashley L. Taylor, Jr.

Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.