Chinese laptop-maker Lenovo Group Ltd Sept. 5 agreed to no-fault settlements with the FTC and 32 states over charges it installed ad software that compromised customers’ web security and invaded users’ privacy.
The settlements demonstrate the power of dual federal and state data security and privacy regulator enforcement actions to force both remedial and monetary consequences for companies.
Lenovo agreed as part of its Federal Trade Commission settlement not to misrepresent any feature of installed software related to consumer internet browsing-based advertising and to get affirmative user consent before installing such software on computers. The company also must implement and maintain a comprehensive data security software program for adware it loads on its computers, and submit to FTC oversight for the next 20 years.
Lenovo agreed to pay 32 state attorneys general $3.5 million under the separate state agreement. Lenovo also must change consumer disclosures related to installed ad software, get consumer consent and provide an opt-out mechanism before loading similar software, and disable or remove the ad software. Lenovo must submit to biennial audits, for 20 years, of a new comprehensive security compliance program under its settlement with the states.
The FTC settlement didn’t include civil monetary penalties because the agency lacks the authority to levy them directly under its general consumer protection powers. The FTC may seek civil fines if a company fails to abide by a consent agreement, such as the one Lenovo made with the commission, or other settlement order.
Acting FTC Chairman Maureen K. Ohlhausen told reporters Sept. 5 that the settlement “sends a very important message” to companies that “everyone in the chain really needs to pay attention” to data security. Companies, including industry-wide manufacturers, software companies, and any company that collects consumer data, “need to pay attention to” collection, use, and promises made regarding the data, she said.
Ohlhausen said that the Lenovo settlement, along with recent pacts in the last 30 days involving Uber Inc. and TaxSlayer LLC, illustrates the FTC’s continued consumer privacy enforcement focus, especially with regard to sensitive data. The goal of these no-fault settlements is to “educate businesses on privacy and security issues,” she said.
Connecticut Attorney General George Jepsen (D), whose state led the multistate investigation, said in a Sept. 5 statement that “consumers have a reasonable expectation that their personal information will be protected when they purchase” new computers. Lenovo’s installed software “compromised consumer privacy and” the company failed to tell consumers that their data was being shared with a third party, he said.
Beijing-based Lenovo, which operates in the U.S. out of Morrisville, N.C., derived 30.3 percent or $13.1 billion of its $43 billion fiscal year 2016 revenue from North America, according to Bloomberg data. The rest of Lenovo’s fiscal 2016 revenue is mostly derived from China, which makes up 27.4 percent, or $11.79 billion, the data show.
A Lenovo spokeswoman told Bloomberg BNA Sept. 5 that the company “disagrees with the allegations,” but is “pleased to bring this matter to a close.” Lenovo has since stopped loading the ad software and worked with antivirus companies “to disable and remove this software from existing PCs,” the spokeswoman said. The company views “product security, privacy, and quality” as a top priority, the spokeswoman said.
The federal settlement stems from an FTC investigation into Lenovo over claims that the company, beginning in August 2014, started to sell computers with pop-up ad software “that interfered with how a user’s browser interacted with websites and created serious security vulnerabilities,” the agency said.
Lenovo installed ad software called VisualDiscovery, developed by Palo Alto, Calif.-based Superfish Inc., that was able to access sensitive customer data including “login credentials, Social Security numbers, medical information, and financial and payment information,” the FTC said. Superfish allegedly used “an insecure method” where it replaced website digital certificates with its own, which could have allowed users to access “potentially spoofed or malicious websites” without warning, the commission said.
Ohlhausen said Sept. 5 that Lenovo acted deceptively when it didn’t tell consumers how the software would work, unfairly installed the ad software without permission, and didn’t reasonably take measures to address the security risk of the installed software. Specifically, Lenovo failed to contract for data security measures with its third-party vendor Superfish and failed to test the software on its own, she said.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.