FTC's Lenovo Settlement Puts Spotlight on Third-Party 'Man in the Middle' Software
September 05, 2017 at 01:15 PM
With its third data security-related settlement in as many weeks, the Federal Trade Commission laid blame Tuesday on a “man in the middle”—a software program, designed to interfere with how browsers interact with websites, that left sensitive consumer information vulnerable.
The FTC joined with 32 state attorneys general—including California, New Jersey, Pennsylvania, New York and Connecticut—in faulting Lenovo Inc., a leading computer manufacturer, for pre-installing such software on laptops beginning in August 2014. According to the FTC settlement, the pre-installed program—called “VisualDiscovery”—was developed by the California-based company Superfish Inc. to deliver pop-up ads for retail partners' products whenever a consumer's cursor hovered over a similar-looking product.
To make those pop-up ads possible, VisualDiscovery meddled in the interaction between browsers and websites, the FTC said. This “man-in-the-middle” role, as the FTC characterized it, allowed the software to access all of the sensitive data consumers transmitted over the internet, including financial information, log-in credentials and Social Security numbers.
Lenovo, represented by Perkins Coie partners Janis Claire Kestenbaum in Washington and Rebecca Engrav in Seattle, agreed to pay $3.5 million to settle the state attorneys general claims. Kestenbaum and Engrav did not immediately respond to a request for comment Tuesday.
Lenovo said the company stopped preloading computers with VisualDiscovery in early 2015 after learning of issues with the software. “While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-and-a-half years,” the company said in a statement.
VisualDiscovery had access to consumers' transmitted data without their knowledge or consent, and shortcomings in the software's security measures made sensitive electronic communications with financial institutions and medical providers vulnerable to hackers, according to the FTC.
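The FTC describes the software only as sitting between the browser and the website. For software in that position to read HTTPS traffic, the browser has to trust a certificate authority the interceptor controls, which in practice means a root certificate added to the device's trust store. A practical control for an OEM, or for anyone auditing a pre-installed image, is therefore to compare the roots a shipped device trusts against a clean baseline. The script below is an added example written for this page, not code from the FTC, Lenovo or Superfish. The baseline fingerprints and the device store it checks are constructed sample data, and the Superfish-named entry is a stand-in built from the company name in the article, not the real certificate.

```python
"""Audit a client's trusted root store against a known-good baseline.

Added example for this page. Any root present on a shipped device but absent
from the baseline taken on a clean machine is a candidate interception CA.
"""
import hashlib
import ssl
from typing import Iterable, List, Tuple

# (subject as a readable string, SHA-256 fingerprint of the DER certificate)
Root = Tuple[str, str]


def subject_to_str(subject: Tuple[Tuple[Tuple[str, str], ...], ...]) -> str:
    """Flatten the nested subject tuples returned by ssl.get_ca_certs()
    into a string such as 'C=US, O=Example, CN=Example Root'."""
    short = {
        "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
        "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN",
    }
    parts = []
    for rdn in subject:
        for attr, value in rdn:
            parts.append(f"{short.get(attr, attr)}={value}")
    return ", ".join(parts)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def snapshot_trust_store() -> List[Root]:
    """Read the roots Python's default SSL context trusts on this host.

    Both get_ca_certs() calls iterate the same store in the same order, so the
    parsed subject and the DER bytes can be zipped together."""
    ctx = ssl.create_default_context()
    parsed = ctx.get_ca_certs()
    ders = ctx.get_ca_certs(binary_form=True)
    return [(subject_to_str(c["subject"]), fingerprint(d)) for c, d in zip(parsed, ders)]


def unexpected_roots(current: Iterable[Root], baseline_fingerprints: Iterable[str]) -> List[Root]:
    """Return roots present in `current` whose fingerprint is not in the baseline.

    This is an allowlist check: the interceptor picks its own certificate name,
    so matching on fingerprints of known-good roots is more reliable than a
    blocklist of suspicious names."""
    baseline = set(baseline_fingerprints)
    return sorted((subj, fp) for subj, fp in current if fp not in baseline)


# Constructed sample data, not real certificates: a baseline of two "public CA"
# roots, and a device store carrying those two plus an extra self-signed root of
# the kind ad-injecting interception software has to install to read HTTPS.
BASELINE_FINGERPRINTS = [
    fingerprint(b"constructed-public-root-1"),
    fingerprint(b"constructed-public-root-2"),
]
DEVICE_STORE: List[Root] = [
    ("C=US, O=Public CA One, CN=Public Root 1", fingerprint(b"constructed-public-root-1")),
    ("C=US, O=Public CA Two, CN=Public Root 2", fingerprint(b"constructed-public-root-2")),
    ("C=US, ST=CA, L=SF, O=Superfish, Inc., CN=Superfish, Inc.", fingerprint(b"constructed-interception-root")),
]

if __name__ == "__main__":
    for subj, fp in unexpected_roots(DEVICE_STORE, BASELINE_FINGERPRINTS):
        print(f"UNEXPECTED ROOT: {subj}\n  sha256 {fp}")
    # To audit the machine this runs on instead of the constructed store, use
    # unexpected_roots(snapshot_trust_store(), BASELINE_FINGERPRINTS) with a
    # baseline captured from a clean installation.
```

The check deliberately works from fingerprints of known-good roots rather than from the names of known-bad ones, because an interceptor chooses whatever subject it likes. Note that `snapshot_trust_store()` sees only the store Python's OpenSSL build reads; browsers that carry their own root store (Firefox, for example) have to be audited separately.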
In a conference call Tuesday, Acting FTC Chairwoman Maureen Ohlhausen described the software program as the “online equivalent” of someone stealing mail without the intended recipient's knowledge, opening it and then reading it before putting it back in the mailbox. Ohlhausen criticized Lenovo for failing to review the software for potential risks or require the third-party provider to take reasonable cybersecurity measures.
The settlement requires Lenovo to obtain consumers' consent before installing similar software. For the next 20 years, the company will also be required to maintain a software cybersecurity program subject to third-party audits. Lenovo must submit a compliance report next year to the FTC.
“Certainly this case sends a very important message that everybody in the chain really needs to pay attention,” Ohlhausen said.
New Jersey Attorney General Christopher Porrino said Tuesday the Lenovo settlement “sets down a variety of conditions designed to ensure that, going forward, Lenovo will better protect the personal identifying information of consumers, be more transparent about what software is pre-installed on the products it sells, and provide consumers clearer and more accessible ways to opt out of having such software activated—or present on the machine at all.”
Tuesday's settlement came as part of a late summer string of FTC enforcement actions over allegations of lax data security. On Aug. 15, the ride-hailing giant Uber Technologies Inc. agreed to 20 years of compliance monitoring to resolve allegations that it failed to secure sensitive information stored in the cloud and misrepresented its efforts to restrict employees' access to consumer data.
Two weeks later, the FTC reached a settlement with TaxSlayer, a Georgia-based online tax preparation service, over claims that the company's cybersecurity shortcomings allowed hackers to access nearly 9,000 accounts between October and December 2015 and then use the information to obtain fraudulent tax refunds.