On September 5, 2017, the Federal Trade Commission (“FTC”) announced that Lenovo, the personal computer manufacturer, settled charges brought by the FTC and 32 state attorneys general that Lenovo had harmed consumers by selling computers preinstalled with an ad-injecting software known as VisualDiscovery. VisualDiscovery was developed by a software company called Superfish, Inc. (“Superfish”).

Background

According to the complaint, when Lenovo users shopped for products online, VisualDiscovery would display pop-up ads with the image of similar-looking products offered by Superfish’s retail partners. In addition, by substituting its own certificates for those of websites that users visited, VisualDiscovery was able to operate as a “man-in-the-middle” between the Lenovo user’s browser and any websites the user visited. This gave VisualDiscovery visibility into all information that a user transmitted – including financial information and Social Security Numbers on encrypted websites. VisualDiscovery also was configured to send certain user information – such as IP address, URLs of websites visited, and unique identifiers assigned by Superfish – to Superfish servers. VisualDiscovery’s substitution of its own digital certificates made Lenovo users vulnerable to hackers, who could easily exploit the configuration to access users’ sensitive information.

Before entering into an agreement to pre-install Superfish’s software, Lenovo had required Superfish to make modifications that would allow VisualDiscovery to operate on any web browser that a Lenovo user chose to download. These modifications required Superfish to replace websites’ digital certificates with VisualDiscovery’s own certificates, creating the vulnerabilities that exposed users’ information. Despite prior warnings from Superfish that the modifications could create security issues, Lenovo approved them.

Lenovo did not disclose the presence of VisualDiscovery to consumers, and consumers were unlikely to discover the software, because it was designed to be virtually invisible to users. A pop-up screen appeared the first time that users visited a shopping website, but the opt-out link was not sufficiently visible to users, who then would inadvertently opt in by merely closing the pop up box. Moreover, neither the pop-up window nor VisualDiscovery’s privacy policy or End User License Agreement disclosed that VisualDiscovery would operate as a man-in-the-middle. And in any event, there was no mechanism by which users could prevent VisualDiscovery from operating as such.

After the United States Computer Emergency Readiness Team (US-CERT) at the U.S. Department of Homeland Security issued an alert about VisualDiscovery’s security flaws, Lenovo stopped shipping the laptops that were preinstalled with the software.

FTC and State Attorneys General Charges against Lenovo for Violations of Consumer Protection Laws

The FTC brought charges against Lenovo alleging unfair and deceptive acts and practices under Section 5 of the FTC Act. Specifically, the FTC charged Lenovo with one count of deception for failing to disclose to consumers that VisualDiscovery would operate as a man-in-the-middle. It also charged Lenovo with two counts of unfairness: (1) Lenovo pre-installed the software without providing adequate notice or obtaining informed consent from users, and (2) Lenovo failed to take reasonable measures “to assess and address security risks created by [the] software.” The FTC alleged under each unfairness count that the software caused or could have caused substantial injury to consumers, and according to Acting Chairman Maureen Ohlhausen, the FTC was particularly concerned because by replacing the digital certificates of websites with the software’s own certificates, “the software compromised online security protections [i.e., the digital certificates] that consumers rely on.”

With respect to Lenovo’s failure to take reasonable security measures, the FTC noted that Lenovo had failed to “adopt and implement written data security standards, policies, procedures or practices that applied to third-party software preinstalled on its laptops”; “adequately assess the data security risks of third-party software prior to pre-installation”; “request or review any information about Superfish’s data security policies, procedures and practices”; “require Superfish by contract to adopt and implement reasonable data security measures to protect Lenovo users’ personal information”; “assess VisualDiscovery’s compliance with reasonable data security standards”; and “provide adequate data security training for those employees responsible for testing third-party software.”

Under the settlement, Lenovo agreed not to misrepresent any features of software pre-installed on its computers, obtain affirmative consent from consumers before installing this type of software, and implement a comprehensive software security program for software pre-loaded on its laptops, which will be subject to audit for 20 years by a third party.

State attorneys general from 32 states, who also brought charges against Lenovo on behalf of consumers under state consumer protection laws, negotiated their settlement with Lenovo in coordination with the FTC. Lenovo agreed to pay $3.5 million to settle the charges under state laws.

Takeaway: Vendor Management is Critical

Vendors are a weak link, and this case shows that companies will be held accountable for security vulnerabilities that their vendors create, or that companies inadvertently ask their vendors to create by requesting modifications to the vendors’ products and services. It is critical that companies develop and implement a vendor management program to ensure that companies understand the security issues related to the products and services that their vendors offer, and that vendors have in place adequate security safeguards to protect the privacy and security of consumers’ information. A vendor management program should, among other things, involve (1) a risk assessment of the vendor’s security policies, practices, and procedures; (2) conducting due diligence of the security measures the vendor has implemented for its products and services; (3) auditing the vendor’s compliance with its security policies, practices, and procedures; (4) limiting the vendor’s access to systems, networks, and data; and (5) including the following provisions in vendor contracts: requirements to use “reasonable and appropriate” security safeguards that meet industry standards; requirements regarding the use of subcontractors; procedures for reporting data incidents; adequate indemnification; adequate insurance protection.