Legal Brief: Tapplock Settles with FTC

May 11, 2020
Settlement teaches a hard lesson about protecting customers' personal information
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at tpastore@mmwr.com.

This article originally appeared in the May 2020 issue of Security Business magazine.

Many years ago, there was a study assessing the popularity of the legal profession. Regrettably, the study concluded that the public had a relatively low opinion of lawyers; however, the study also concluded that people have a very favorable impression of their own lawyers.

This makes sense. Our job is to protect our clients, to advocate on their behalf, and to save them from legal and economic peril. Good lawyers care about their clients – and should engender their respect and loyalty. Sometimes, however, clients do not like the advice they get from their lawyers.

In the sales world, for example, legal advice is sometimes in direct tension with the marketing and business goals of a company. When you sell a product, you want to tout it as wonderful and distinct. You want your marketing materials to promise exceptional functionality. You want your product to be desirable.

As a lawyer for many national clients with large sales operations, I want all of this for them too; however, I also want them to be responsible and prudent with their marketing practices. Over-promising has its consequences under the law – including the risk of private lawsuits and government enforcement actions alleging deceptive trade practices and consumer fraud.

Sometimes these lessons are hard – as was the case recently for Tapplock Inc.

Inside the FTC Settlement

Tapplock is a Canadian company that sells fingerprint-enabled, Internet-connected padlocks, and has touted in its advertisements that, among other things, its smart locks were “Bold. Sturdy. Secure.” The company’s smart locks interact with a companion mobile app that enables users to open and close their locks when they are within Bluetooth range.

The Tapplock app collects personal information – including usernames, email addresses, profile photos and the precise location of users’ smart locks. In addition to touting the security of its locks, Tapplock also claimed in its privacy policy that it took “reasonable precautions” to secure the data it collected.

Unfortunately for Tapplock, the Federal Trade Commission (FTC) disagreed. In a formal complaint, the FTC alleged that, contrary to Tapplock’s representations to consumers, the company’s locks were not secure and consumer data was not sufficiently protected.

In fact, security researchers identified physical and electronic vulnerabilities that enabled them to hack Tapplock’s smart locks and expose holes in the protocols intended to protect usernames, email addresses, profile photos, location history and precise location of the lock.

In April 2020, Tapplock and the FTC reached a settlement that requires Tapplock to, among other things, implement a comprehensive security program and obtain independent biennial assessments of the program. In addition, Tapplock is barred from misrepresenting the nature of its product and its privacy and security practices. It also must submit to third-party assessments of its data security program every two years.

Lessons Learned

In writing about this case, I do not mean to discredit Tapplock or its products. My hope for them is that the FTC’s enforcement action leads to a better, more secure product and enhanced protection of consumer data.

People might not like lawyers, but they like good advice. Here, the Tapplock case presents two great lessons for your company:  

1. Consult with counsel: Be sure to consult with capable counsel when devising a marketing strategy for a product. Do not promise security if you cannot deliver security. Do not develop marketing materials without a legal review.

2. Do not collect user data if you cannot protect it: As I have written in prior columns, there has been a proliferation of state, federal and international statutes and regulations which provide potentially heavy penalties for the failure to protect personally identifiable information. If you are not prepared to conduct a sophisticated review of your data collection and preservation policies in consultation with a capable lawyer, then you are at risk.
