A Canadian maker of Internet-connected padlocks, Tapplock, Inc. (“Tapplock”), settled Federal Trade Commission (“FTC”) allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. The FTC alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.” The FTC further alleged that Tapplock did not have a security program in place prior to security researchers discovering vulnerabilities in the design and function of the smart locks.
Under the terms of the settlement, Tapplock agrees to implement a comprehensive security program and undertake a number of security measures, including obtaining independent assessments of its security program every two years. In a blog post, the FTC reiterated that Internet of Things (“IoT”) companies wanting to avoid similar mistakes should implement “security by design,” encourage a culture of security, design products with authentication in mind, follow industry best practices (such as encryption techniques), and protect interfaces between their IoT products and other devices and services.
The settlement also prohibits Tapplock from misrepresenting its privacy and security practices. According to Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, “[t]ech companies should remember the basics—when you promise security, you need to deliver security.”