On April 6, 2020, the Federal Trade Commission announced the entry of an agreement and consent order, resolving allegations against Tapplock, Inc. The company, headquartered in Ontario, Canada, sells fingerprint-enabled, internet-connected “smart locks”: padlocks that interact with a designated mobile app, allowing users to lock and unlock their “smart locks” when they are within Bluetooth range.
According to the FTC, Tapplock’s assertions that its smart locks were “bold,” “sturdy,” “secure,” “strengthened with double-layered lock design” and “designed to be unbreakable” were false, given that three separate security researchers identified critical physical and electronic vulnerabilities in Tapplock’s smart locks. The FTC also found that the company failed to take reasonable measures to secure the smart locks, and did not follow industry best practices to protect consumer data collected by the company — including usernames, email addresses, profile photographs, and lock location. The FTC asserted that through these failures Tapplock engaged in deceptive practices under Section 5(a) of the FTC Act.
The settlement enjoins Tapplock from misrepresenting the extent to which it protects the security of the devices it sells, or the confidentiality of personal information it collects, and requires the company to implement a comprehensive information security program, including training programs, testing, assessment, reporting, and monitoring in order to identify data security events. Pursuant to the settlement, a senior officer in the company must certify compliance with the provisions of the FTC order every year. The settlement also imposes the requirement that an independent third-party professional assessor conduct biennial reviews of Tapplock’s security program for 20 years, and allows the FTC to approve the selection of the assessor.
After a 30-day public comment period, the FTC may make the proposed consent order final.