This article originally appeared in the May 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag!
Many years ago, there was a study assessing the popularity of the legal profession. Regrettably, the study concluded that the public had a relatively low opinion of lawyers; however, the study also concluded that people have a very favorable impression of their own lawyers.
This makes sense. Our job is to protect our clients, to advocate on their behalf, and to save them from legal and economic peril. Good lawyers care about their clients – and should engender their respect and loyalty. Sometimes, however, clients do not like the advice they get from their lawyers.
In the sales world, for example, legal advice is sometimes in direct tension with the marketing and business goals of a company. When you sell a product, you want to tout it as wonderful and distinct. You want your marketing materials to promise exceptional functionality. You want your product to be desirable.
As a lawyer for many national clients with large sales operations, I want all of this for them too; however, I also want them to be responsible and prudent with their marketing practices. Over-promising has its consequences under the law – including the risk of private lawsuits and government enforcement actions alleging deceptive trade practices and consumer fraud.
Sometimes these lessons are hard – as was the case recently for Tapplock Inc.
Inside the FTC Settlement
Tapplock is a Canadian company that sells fingerprint-enabled, Internet-connected padlocks, and has touted in its advertisements that, among other things, its smart locks were “Bold. Sturdy. Secure.” The company’s smart locks interact with a companion mobile app that enables users to open and close their locks when they are within Bluetooth range.
The Tapplock app collects personal information – including usernames, email addresses, profile photos and the precise location of users’ smart locks. In addition to touting the security of its locks, Tapplock also claimed in its privacy policy that it took “reasonable precautions” to secure the data it collected.
Unfortunately for Tapplock, the Federal Trade Commission (FTC) disagreed. In a formal complaint, the FTC alleged that, contrary to Tapplock’s representations to consumers, the company’s locks were not secure and consumer data was not sufficiently protected.
In fact, security researchers identified physical and electronic vulnerabilities that enabled them to hack Tapplock’s smart locks and expose holes in the protocols intended to protect usernames, email addresses, profile photos, location history and precise location of the lock.
In April 2020, Tapplock and the FTC reached a settlement that requires Tapplock to, among other things, implement a comprehensive security program and obtain independent biennial assessments of the program. In addition, Tapplock is barred from misrepresenting the nature of its product and its privacy and security practices. It also must submit to third-party assessments of its data security program every two years.
Lessons Learned
In writing about this case, I do not mean to discredit Tapplock or its products. My hope for them is that the FTC’s enforcement action leads to a better, more secure product and enhanced protection of consumer data.
People might not like lawyers, but they like good advice. Here, the Tapplock case presents two great lessons for your company:
1. Consult with counsel: Be sure to consult with capable counsel when devising a marketing strategy for a product. Do not promise security if you cannot deliver security. Do not develop marketing materials without a legal review.
2. Do not collect user data if you cannot protect it: As I have written in prior columns, there has been a proliferation of state, federal and international statutes and regulations which provide potentially heavy penalties for the failure to protect personally identifiable information. If you are not prepared to conduct a sophisticated review of your data collection and preservation policies in consultation with a capable lawyer, then you are at risk.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at tpastore@mmwr.com.
