FTC Tapplock Settlement

Not So Safe and Secure: FTC Settles Over Smart Lock Representations

Published On May 29, 2020 | By Plamena Gerovska, Jane Rosen and Jason Wool | Data Security, FTC & State AG

The Federal Trade Commission (“FTC”) recently gave final approval to a settlement with the Canadian smart lock company Tapplock, Inc. over alleged deceptive practices in the data security context. Tapplock offers Internet-connected, fingerprint-enabled padlocks that interact with a companion mobile app to enable US users to open and close their smart locks when within Bluetooth range.

Notably, the FTC’s complaint did not result from the company suffering a data breach. Instead, three independent security researchers publicly identified a number of “critical physical and electronic vulnerabilities” in Tapplock’s products in June 2018, some of which the FTC says were “reasonably foreseeable [and] could have been avoided if [Tapplock] had implemented simple, low-cost steps.” The FTC’s complaint alleged that the company violated Section 5 of the FTC Act by falsely claiming in its ads that the locks were “secure,” and falsely stating in its privacy policy that it takes “reasonable precautions” and “follow[s] industry best practices” to protect the personal information of its customers.  

The three vulnerabilities discussed in the complaint appear to have been sufficiently severe that their mere existence warranted, in the FTC’s view, enforcement action; the action was not triggered by a data breach or other exploitation of the vulnerabilities. One of the vulnerabilities affected a Tapplock API and “allowed researchers to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information,” including location history and precise geolocation of smart locks. Another vulnerability involved a lack of encryption of the Bluetooth communication between the lock and the app, allowing a researcher to discover and reproduce the private keys required to lock and unlock the product. In the third, a researcher discovered a flaw that prevented users from effectively revoking access to the device after providing other users with access.

The FTC concluded that Tapplock did not take reasonable measures or follow industry best practices to secure its products or consumers’ personal information, citing as examples the company’s failure to identify reasonably foreseeable risks to the security of its locks and its customers’ data, such as through vulnerability or penetration testing, its failure to implement procedures to prevent users from circumventing the authentication process to gain access to other customers’ accounts, and its lack of written security policies or appropriate privacy and security training for its employees.
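The complaint does not describe how Tapplock’s API flaw or its revocation flaw worked internally, so the following is an added, constructed illustration (not Tapplock’s code, and not the researchers’ findings) of the two account-level failure classes the FTC cites: a handler that authenticates the caller but never checks whether the caller is authorized for the specific lock requested, and shared access that is not re-checked on each request and so cannot be effectively revoked. All names, lock IDs, timestamps and the sample geolocation are made up.

```python
"""Constructed illustration, not Tapplock's code, of the account-level
failure classes the FTC complaint describes: an API handler that returns a
lock record without checking which account is asking, and shared access
that cannot be effectively revoked. Every name and value here is made up."""
from dataclasses import dataclass, field


@dataclass
class Lock:
    lock_id: str
    owner: str
    last_location: tuple  # constructed sample geolocation, the kind of data at stake


@dataclass
class LockService:
    locks: dict = field(default_factory=dict)
    # (lock_id, guest) -> expiry timestamp in seconds. Revocation deletes the
    # row, and the row is consulted on every request rather than cached.
    grants: dict = field(default_factory=dict)

    def add_lock(self, lock: Lock) -> None:
        self.locks[lock.lock_id] = lock

    # Anti-pattern: the caller is authenticated (we know who they are) but the
    # object is never authorized, so any logged-in user can read any lock.
    def get_lock_unchecked(self, caller: str, lock_id: str) -> Lock:
        return self.locks[lock_id]

    def _authorized(self, caller: str, lock_id: str, now: int) -> bool:
        lock = self.locks.get(lock_id)
        if lock is None:
            return False
        if lock.owner == caller:
            return True
        expiry = self.grants.get((lock_id, caller))
        return expiry is not None and now < expiry

    # Hardened: object-level authorization on every read. Unknown and
    # forbidden lock IDs produce the same error so IDs cannot be enumerated.
    def get_lock(self, caller: str, lock_id: str, now: int) -> Lock:
        if not self._authorized(caller, lock_id, now):
            raise PermissionError("not authorized for this lock")
        return self.locks[lock_id]

    def share(self, owner: str, lock_id: str, guest: str, now: int, ttl: int) -> None:
        lock = self.locks.get(lock_id)
        if lock is None or lock.owner != owner:
            raise PermissionError("only the owner can share a lock")
        self.grants[(lock_id, guest)] = now + ttl

    def revoke(self, owner: str, lock_id: str, guest: str) -> None:
        lock = self.locks.get(lock_id)
        if lock is None or lock.owner != owner:
            raise PermissionError("only the owner can revoke access")
        self.grants.pop((lock_id, guest), None)

    def unlock(self, caller: str, lock_id: str, now: int) -> bool:
        # The unlock command runs the same check as reads, so a revoked or
        # expired guest is refused on the very next request.
        return self._authorized(caller, lock_id, now)


def demo() -> dict:
    """Run the scenario and return named pass/fail results."""
    svc = LockService()
    svc.add_lock(Lock("lock-1", "alice", (45.42, -75.69)))  # constructed sample
    t0 = 1_000_000  # constructed timestamp
    results = {}
    # 1. The unchecked handler hands mallory alice's record and location.
    results["unchecked_leaks"] = svc.get_lock_unchecked("mallory", "lock-1").owner == "alice"
    # 2. The hardened handler refuses the same request.
    try:
        svc.get_lock("mallory", "lock-1", now=t0)
        results["checked_blocks"] = False
    except PermissionError:
        results["checked_blocks"] = True
    # 3. Sharing grants bob time-limited access that lapses on its own.
    svc.share("alice", "lock-1", "bob", now=t0, ttl=3600)
    results["guest_can_unlock"] = svc.unlock("bob", "lock-1", now=t0)
    results["guest_expires"] = not svc.unlock("bob", "lock-1", now=t0 + 7200)
    # 4. Revocation by the owner takes effect immediately, not at expiry.
    svc.share("alice", "lock-1", "bob", now=t0, ttl=3600)
    svc.revoke("alice", "lock-1", "bob")
    results["revoked"] = not svc.unlock("bob", "lock-1", now=t0)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The design point is that authentication (who is calling) and authorization (what this caller may touch) are separate checks, and that both the read path and the unlock path consult the current grant table on every request; that is what makes revocation effective and is the kind of “simple, low-cost step” the complaint refers to.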

This settlement serves as a reminder that the FTC may take action under Section 5 even absent a data breach if a company does not deliver on its security promises. It also showcases the FTC’s authority over non-US companies that market products to US consumers.

About The Authors

Prior to joining ZwillGen, Plamena served as a Privacy Analyst at Promontory Financial Group, an IBM company, where she assisted attorneys on compliance with the EU General Data Protection Regulation (“GDPR”), Russian data localization laws and other international privacy laws. Before that, Plamena spent a summer interning at different London law firms supporting the technology teams on issues related to the UK data protection laws and international data transfers.

Jane Rosen’s practice focuses on data privacy, data protection, and technology-related issues. As a Certified Information Privacy Professional (CIPP/US), she advises clients on their legal obligations under applicable privacy laws and regulations, as well as strategies for managing compliance and risks. She has a strong background in transactional contexts such as mergers and acquisitions, joint ventures, financings, restructurings, capital markets offerings and various commercial, licensing and services arrangements.

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.