Tapplock, Inc.; Analysis To Aid Public Comment, 19947-19949 [2020-07499]


[Federal Register Volume 85, Number 69 (Thursday, April 9, 2020)]
[Notices]
[Pages 19947-19949]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07499]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3011]


Tapplock, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.

DATES:  Comments must be received on or before May 11, 2020.

ADDRESSES: Interested parties may file comments online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Tapplock, Inc.; File 
No. 192 3011'' on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Jared Ho (202-326-3463), Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue 
NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC website (for March 30, 2020), at this web address: 
https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before May 11, 2020. 
Write ``Tapplock, Inc.; File No. 192 3011'' on your comment. Your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the https://www.regulations.gov website.
    Due to the public health emergency in response to the COVID-19 
outbreak and the agency's heightened security screening, postal mail 
addressed to the Commission will be subject to delay. We strongly 
encourage you to submit your comments online through the https://www.regulations.gov website.
    If you prefer to file your comment on paper, write ``Tapplock, 
Inc.; File No. 192 3011'' on your comment and on the envelope, and mail 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), 
Washington, DC 20580; or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC website--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC website, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    Visit the FTC website at http://www.ftc.gov to read this Notice and 
the news release describing it. The FTC Act and other laws that the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding, as appropriate. The Commission 
will consider all timely and responsive public comments that it 
receives on or before May 11, 2020. For information on the Commission's 
privacy policy, including routine uses permitted by the Privacy Act, 
see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from 
Tapplock, Inc. (``Tapplock'' or ``Respondent'').
    The proposed consent order (``proposed order'') has been placed on 
the public record for thirty (30) days for receipt of comments by 
interested persons. Comments received during this period will become 
part of the public record. After thirty (30) days, the Commission again 
will review the agreement and the comments received, and will decide 
whether it should withdraw from the agreement or make final the 
agreement's proposed order.
    Tapplock is a Canadian Internet of Things (``IoT'') company that, 
among other things, sells internet-connected, fingerprint-enabled 
padlocks (``smart locks'') to U.S. consumers. The company advertises to 
U.S. consumers through its website, www.tapplock.com, and has 
previously advertised through the online crowd-funding website 
Indiegogo.com. Respondent's smart locks interact with a companion 
mobile application (``app'') that U.S. users are able to download onto 
their mobile devices. This app logs usernames, email addresses, profile 
photos, location history, and the precise geolocation of a user's smart 
lock, and it allows users to lock and unlock their smart locks when 
they are within Bluetooth range.
    In June 2018, security researchers identified critical physical and 
electronic vulnerabilities with Respondent's smart locks. With respect 
to physical security, some of Respondent's smart locks could be opened 
within a matter of seconds, simply by unscrewing the back panel. With 
respect to electronic security, one vulnerability in Respondent's API 
could have been exploited to bypass the account authentication process 
in order to gain full access to the accounts of all Tapplock users and 
their personal information, including usernames, email addresses, 
profile photos, location history, and precise geolocation of smart 
locks. Because Respondent failed to encrypt the Bluetooth communication 
between the lock and the app, a second vulnerability could have allowed 
a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, 
a third vulnerability prevented users from effectively revoking access 
to their smart lock once they had provided other users access to that 
lock.
    The Commission's proposed two-count complaint alleges that 
Respondent violated Section 5(a) of the Federal Trade Commission Act. 
The first count alleges that Respondent misrepresented to consumers 
that their smart locks were secure. Contrary to this claim, as 
described above, Respondent's locks were not secure.
    The second count alleges that Respondent deceived consumers about 
its data security practices by falsely representing that it took 
reasonable precautions and followed industry best practices to protect 
the personal information provided by consumers. Contrary to this claim, 
the proposed complaint alleges that Respondent failed to take 
reasonable precautions and follow industry best practices. For example, 
the proposed complaint alleges that Respondent: (1) Failed to identify 
reasonably foreseeable risks to the security of its smart locks or the 
security of customers' personal accounts, such as through vulnerability 
or penetration testing, and assess the sufficiency of any safeguards in 
place to control those risks; (2) failed to employ sufficient measures 
to detect and prevent users from bypassing the authentication 
procedures in 
Respondent's API to gain access to other users' accounts; (3) failed to 
adopt and implement written data security standards, policies, 
procedures, or practices; and (4) failed to implement adequate privacy 
and security guidance or training for its employees responsible for 
designing, testing, overseeing, and approving software specifications 
and requirements.
    The proposed order contains provisions designed to prevent 
Respondent from engaging in the same or similar acts or practices in 
the future. Part I of the proposed order prohibits Respondent from 
misrepresenting the extent to which it maintains and protects: (1) The 
security of a Covered Device; or (2) the privacy, security, 
confidentiality, or integrity of Personal Information.
    Part II of the proposed order requires Respondent to establish and 
implement, and thereafter maintain, a comprehensive security program 
(``Security Program'') that protects: (1) The security of Covered 
Devices; and (2) the security, confidentiality, and integrity of 
Personal Information.
    Part III of the proposed order requires Respondent to obtain 
initial and biennial data security assessments for twenty years.
    Part IV of the proposed order requires Respondent to disclose all 
material facts to the assessor and prohibits Respondent from 
misrepresenting any fact material to the assessments required by Part 
II.
    Part V of the proposed order requires Respondent to submit an 
annual certification from a senior corporate manager (or senior officer 
responsible for its information security program) that Respondent has 
implemented the requirements of the Order and is not aware of any 
material noncompliance that has not been corrected or disclosed to the 
Commission.
    Parts VI through IX of the proposed order are reporting and 
compliance provisions, which include recordkeeping requirements and 
provisions requiring Respondent to provide information or documents 
necessary for the Commission to monitor compliance. Part X states that 
the proposed order will remain in effect for 20 years, with certain 
exceptions.
    The purpose of this analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-07499 Filed 4-8-20; 8:45 am]
 BILLING CODE 6750-01-P