Lenovo Settles FTC, State Ad Software Security, Privacy Claims


By Daniel R. Stoller

Chinese laptop-maker Lenovo Group Ltd Sept. 5 agreed to no-fault settlements with the FTC and 32 states over charges it installed ad software that compromised customers’ web security and invaded users’ privacy.

The settlements demonstrate the power of dual federal and state data security and privacy regulator enforcement actions to force both remedial and monetary consequences for companies.

Lenovo agreed as part of its Federal Trade Commission settlement not to misrepresent any feature of installed software related to consumer internet browsing-based advertising and to get affirmative user consent before installing such software on computers. The company also must implement and maintain a comprehensive data security software program for adware it loads on its computers, and submit to FTC oversight for the next 20 years.

Lenovo agreed to pay 32 state attorneys general $3.5 million under the separate state agreement. Lenovo also must change consumer disclosures related to installed ad software, get consumer consent and provide an opt-out mechanism before loading similar software, and disable or remove the ad software. Lenovo must submit to biennial audits, for 20 years, of a new comprehensive security compliance program under its settlement with the states.

The FTC settlement didn’t include civil monetary penalties because the agency lacks the authority to levy them directly under its general consumer protection powers. The FTC may seek civil fines if a company fails to abide by a consent agreement, such as the one Lenovo made with the commission, or other settlement order.

Acting FTC Chairman Maureen K. Ohlhausen told reporters Sept. 5 that the settlement “sends a very important message” to companies that “everyone in the chain really needs to pay attention” to data security. Companies, including industry-wide manufacturers, software companies, and any company that collects consumer data, “need to pay attention to” collection, use, and promises made regarding the data, she said.

Data Security, Privacy Education

Ohlhausen said that the Lenovo settlement, along with recent pacts in the last 30 days involving Uber Inc. and TaxSlayer LLC, illustrates the FTC’s continued consumer privacy enforcement focus, especially with regards to sensitive data. The goal of these no-fault settlements is to “educate businesses on privacy and security issues,” she said.

Connecticut Attorney General George Jepsen (D), whose state led the multistate investigation, said in a Sept. 5 statement that “consumers have a reasonable expectation that their personal information will be protected when they purchase” new computers. Lenovo’s installed software “compromised consumer privacy and” the company failed to tell consumers that their data was being shared with a third party, he said.

Beijing-based Lenovo, which operates in the U.S. out of Morrisville, N.C., derived 30.3 percent or $13.1 billion of its $43 billion fiscal year 2016 revenue from North America, according to Bloomberg data. The rest of Lenovo’s fiscal 2016 revenue is mostly derived from China, which makes up 27.4 percent, or $11.79 billion, the data show.

A Lenovo spokeswoman told Bloomberg BNA Sept. 5 that the company “disagrees with the allegations,” but is “pleased to bring this matter to a close.” Lenovo has since stopped loading the ad software and worked with antivirus companies “to disable and remove this software from existing PCs,” the spokeswoman said. The company views “product security, privacy, and quality” as a top priority, the spokeswoman said.

Serious Security Vulnerability

The federal settlement stems from an FTC investigation into Lenovo over claims that the company, beginning in August 2014, started to sell computers with pop-up ad software “that interfered with how a user’s browser interacted with websites and created serious security vulnerabilities,” the agency said.

Lenovo installed ad software called VisualDiscovery, developed by Palo Alto, Calif.-based Superfish Inc., that was able to access sensitive customer data including “login credentials, Social Security numbers, medical information, and financial and payment information,” the FTC said. Superfish allegedly used “an insecure method” where it replaced website digital certificates with its own, which could have allowed users to access “potentially spoofed or malicious websites” without warning, the commission said.
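The certificate substitution described above works only because the intercepting software's own root certificate is added to the machine's trust store; once it is trusted, a locally forged certificate for any site validates cleanly. The Go program below is an added illustration written for this article, not code from Lenovo, Superfish, or the FTC filing. It constructs a stand-in interception root and a forged leaf certificate for the made-up hostname `bank.example`, shows that standard validation rejects the leaf until the root is trusted, and then applies a defender-side check: after validation succeeds, inspect which root actually anchored the chain and flag the connection when that root is not in an allowlist of expected public roots. The root's common name, the hostname, and the `IsIntercepted` function are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Demo holds the constructed certificates: a root standing in for an adware
// root injected into the trust store, and a leaf it signed for a site it
// impersonates. Every value here is constructed for this example.
type Demo struct {
	Root     *x509.Certificate
	Leaf     *x509.Certificate
	Hostname string
}

func makeCert(tmpl, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemo creates the injected root and a forged leaf for hostname.
func BuildDemo(hostname string) (*Demo, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Interception Root (example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Demo{Root: root, Leaf: leaf, Hostname: hostname}, nil
}

// VerifyLeaf runs ordinary chain validation against the given root pool.
// With an empty pool the forged leaf fails; once the interception root is
// trusted, the very same leaf validates without any warning.
func VerifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// Fingerprint returns the hex SHA-256 of a certificate's DER encoding.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// IsIntercepted is the defender-side check: it validates the chain, then
// reports true when the anchoring root is not on the allowlist of expected
// public roots (keyed by fingerprint), which is how an injected root shows up.
func IsIntercepted(leaf *x509.Certificate, roots *x509.CertPool, hostname string, allowed map[string]bool) (bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	if err != nil {
		return false, err
	}
	for _, chain := range chains {
		if !allowed[Fingerprint(chain[len(chain)-1])] {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	d, err := BuildDemo("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("without injected root:", VerifyLeaf(d.Leaf, x509.NewCertPool(), d.Hostname))
	pool := x509.NewCertPool()
	pool.AddCert(d.Root)
	fmt.Println("with injected root:", VerifyLeaf(d.Leaf, pool, d.Hostname))
	flagged, _ := IsIntercepted(d.Leaf, pool, d.Hostname, map[string]bool{})
	fmt.Println("flagged as intercepted:", flagged)
}
```

The empty `x509.NewCertPool()` stands in for a machine whose trust store contains only its normal public roots; adding `d.Root` models the adware's installation step. In practice the allowlist would be populated from the fingerprints of the roots a fleet is expected to trust, and any chain anchored elsewhere is worth an alert.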

Ohlhausen said Sept. 5 that Lenovo acted deceptively when it didn’t tell consumers how the software would work, unfairly installed the ad software without permission, and didn’t take reasonable measures to address the security risk of the installed software. Specifically, Lenovo failed to require data security measures by contract from its third-party vendor Superfish and failed to test the software on its own, she said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The FTC settlement is available at http://src.bna.com/sem.

The settlement with the 32 state attorneys general is available at http://src.bna.com/seA.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
