Tapplock, Inc.; Analysis To Aid Public Comment, 19947-19949 [2020-07499]
Download as PDF
<![CDATA[
Federal Register / Vol. 85, No. 69 / Thursday, April 9, 2020 / Notices
Office of the Comptroller of the
Currency and the Federal Deposit
Insurance Corporation in the
development of this proposal.
Board of Governors of the Federal Reserve
System, April 3, 2020.
Yao-Chin Chao,
Assistant Secretary of the Board.
Board of Governors of the Federal Reserve
System, April 3, 2020.
Michele Taylor Fennell,
Assistant Secretary of the Board.
[FR Doc. 2020–07415 Filed 4–8–20; 8:45 am]
[FR Doc. 2020–07455 Filed 4–8–20; 8:45 am]
FEDERAL RESERVE SYSTEM
FEDERAL RESERVE SYSTEM
The companies listed in this notice
have applied to the Board for approval,
pursuant to the Bank Holding Company
Act of 1956 (12 U.S.C. 1841 et seq.)
(BHC Act), Regulation Y (12 CFR part
225), and all other applicable statutes
and regulations to become a bank
holding company and/or to acquire the
assets or the ownership of, control of, or
the power to vote shares of a bank or
bank holding company and all of the
banks and nonbanking companies
owned by the bank holding company,
including the companies listed below.
The applications listed below, as well
as other related filings required by the
Board, if any, are available for
immediate inspection at the Federal
Reserve Bank indicated. The
applications will also be available for
inspection at the offices of the Board of
Governors. Interested persons may
express their views in writing on the
standards enumerated in the BHC Act
(12 U.S.C. 1842(c)).
Comments regarding each of these
applications must be received at the
Reserve Bank indicated or the offices of
the Board of Governors, Ann E.
Misback, Secretary of the Board, 20th
Street and Constitution Avenue NW,
Washington, DC 20551–0001, not later
than May 8, 2020.
A. Federal Reserve Bank of Dallas
(Robert L. Triplett III, Senior Vice
President) 2200 North Pearl Street,
Dallas, Texas 75201–2272:
1. Dry Lake Financial, LLC, Spur,
Texas; to become a bank holding
company by acquiring up to 51 percent
of the voting shares of Espuela Bank
Shares, Inc., and thereby indirectly
acquire voting shares of Spur Security
Bank, both of Spur, Texas.
VerDate Sep<11>2014
16:28 Apr 08, 2020
Jkt 250001
[File No. 192 3011]
Tapplock, Inc.; Analysis To Aid Public
Comment
Federal Trade Commission.
Proposed consent agreement;
request for comment.
ACTION:
Formations of, Acquisitions by, and
Mergers of Bank Holding Companies
The notificants listed below have
applied under the Change in Bank
Control Act (Act) (12 U.S.C. 1817(j)) and
§ 225.41 of the Board’s Regulation Y (12
CFR 225.41) to acquire shares of a bank
or bank holding company. The factors
that are considered in acting on the
applications are set forth in paragraph 7
of the Act (12 U.S.C. 1817(j)(7)).
The applications listed below, as well
as other related filings required by the
Board, if any, are available for
immediate inspection at the Federal
Reserve Bank indicated. The
applications will also be available for
inspection at the offices of the Board of
Governors. Interested persons may
express their views in writing on the
standards enumerated in paragraph 7 of
the Act.
Comments regarding each of these
applications must be received at the
Reserve Bank indicated or the offices of
the Board of Governors, Ann E.
Misback, Secretary of the Board, 20th
Street and Constitution Avenue NW,
Washington, DC 20551–0001, not later
than April 23, 2020.
A. Federal Reserve Bank of Kansas
City (Dennis Denney, Assistant Vice
President) 1 Memorial Drive, Kansas
City, Missouri 64198–0001:
1. Jeffrey L. Dickey, Weatherford,
Oklahoma; Brian R. Dickey, Oklahoma
City, Oklahoma; Ranee E. Bugh, Tulsa,
Oklahoma; and the David R. Dickey
Family Financial Services Trust,
Thomas, Oklahoma, Jeffrey L. Dickey,
Brian R. Dickey, and Ranee E. Bugh, as
co-trustees; as members of the David
Dickey Family Group, to retain voting
shares of First Thomas Ban Corp. and
thereby indirectly retain voting shares of
First Bank of Thomas, both of Thomas,
Oklahoma.
FEDERAL TRADE COMMISSION
AGENCY:
BILLING CODE 6210–01–P
Change in Bank Control Notices;
Acquisitions of Shares of a Bank or
Bank Holding Company
khammond on DSKJM1Z7X2PROD with NOTICES
BILLING CODE 6210–01–P
19947
Board of Governors of the Federal Reserve
System, April 3, 2020.
Yao-Chin Chao,
Assistant Secretary of the Board.
[FR Doc. 2020–07416 Filed 4–8–20; 8:45 am]
BILLING CODE 6210–01–P
PO 00000
Frm 00028
Fmt 4703
Sfmt 4703
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices. The attached
Analysis to Aid Public Comment
describes both the allegations in the
complaint and the terms of the consent
order—embodied in the consent
agreement—that would settle these
allegations.
SUMMARY:
Comments must be received on
or before May 11, 2020.
ADDRESSES: Interested parties may file
comments online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Tapplock, Inc.; File No.
192 3011’’ on your comment, and file
your comment online at https://
www.regulations.gov by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex D), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Jared Ho (202–326–3463), Bureau of
Consumer Protection, Federal Trade
Commission, 600 Pennsylvania Avenue
NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
website (for March 30, 2020), at this web
DATES:
E:\FR\FM\09APN1.SGM
09APN1
khammond on DSKJM1Z7X2PROD with NOTICES
19948
Federal Register / Vol. 85, No. 69 / Thursday, April 9, 2020 / Notices
address: https://www.ftc.gov/newsevents/commission-actions.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before May 11, 2020. Write ‘‘Tapplock,
Inc.; File No. 192 3011’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the https://
www.regulations.gov website.
Due to the public health emergency in
response to the COVID–19 outbreak and
the agency’s heightened security
screening, postal mail addressed to the
Commission will be subject to delay. We
strongly encourage you to submit your
comments online through the https://
www.regulations.gov website.
If you prefer to file your comment on
paper, write ‘‘Tapplock, Inc.; File No.
192 3011’’ on your comment and on the
envelope, and mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex D), Washington, DC
20580; or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible website at
https://www.regulations.gov, you are
solely responsible for making sure your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number; date of
birth; driver’s license number or other
state identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure your
comment does not include sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
VerDate Sep<11>2014
16:28 Apr 08, 2020
Jkt 250001
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the public FTC
website—as legally required by FTC
Rule 4.9(b)—we cannot redact or
remove your comment from the FTC
website, unless you submit a
confidentiality request that meets the
requirements for such treatment under
FTC Rule 4.9(c), and the General
Counsel grants that request.
Visit the FTC website at https://
www.ftc.gov to read this Notice and the
news release describing it. The FTC Act
and other laws that the Commission
administers permit the collection of
public comments to consider and use in
this proceeding, as appropriate. The
Commission will consider all timely
and responsive public comments that it
receives on or before May 11, 2020. For
information on the Commission’s
privacy policy, including routine uses
permitted by the Privacy Act, see
https://www.ftc.gov/site-information/
privacy-policy.
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission
(‘‘Commission’’) has accepted, subject to
final approval, an agreement containing
a consent order from Tapplock, Inc.
(‘‘Tapplock’’ or ‘‘Respondent’’).
The proposed consent order
(‘‘proposed order’’) has been placed on
the public record for thirty (30) days for
receipt of comments by interested
persons. Comments received during this
period will become part of the public
record. After thirty (30) days, the
Commission again will review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement or make
final the agreement’s proposed order.
Tapplock is a Canadian Internet of
Things (‘‘IoT’’) company that, among
other things, sells internet-connected,
fingerprint-enabled padlocks (‘‘smart
locks’’) to U.S. consumers. The
company advertises to U.S. consumers
through its website, www.tapplock.com,
PO 00000
Frm 00029
Fmt 4703
Sfmt 4703
and has previously advertised through
the online crowd-funding website
Indiegogo.com. Respondent’s smart
locks interact with a companion mobile
application (‘‘app’’) that U.S. users are
able to download onto their mobile
devices. This app logs usernames, email
addresses, profile photos, location
history, and the precise geolocation of a
user’s smart lock, and it allows users to
lock and unlock their smart locks when
they are within Bluetooth range.
In June 2018, security researchers
identified critical physical and
electronic vulnerabilities with
Respondent’s smart locks. With respect
to physical security, some of
Respondent’s smart locks could be
opened within a matter of seconds,
simply by unscrewing the back panel.
With respect to electronic security, one
vulnerability in Respondent’s API could
have been exploited to bypass the
account authentication process in order
to gain full access to the accounts of all
Tapplock users and their personal
information, including usernames,
email addresses, profile photos, location
history, and precise geolocation of smart
locks. Because Respondent failed to
encrypt the Bluetooth communication
between the lock and the app, a second
vulnerability could have allowed a bad
actor to lock and unlock any nearby
Tapplock smart lock. Finally, a third
vulnerability prevented users from
effectively revoking access to their smart
lock once they had provided other users
access to that lock.
The Commission’s proposed twocount complaint alleges that
Respondent violated Section 5(a) of the
Federal Trade Commission Act. The
first count alleges that Respondent
misrepresented to consumers that their
smart locks were secure. Contrary to this
claim, as described above, Respondent’s
locks were not secure.
The second count alleges that
Respondent deceived consumers about
its data security practices by falsely
representing that it took reasonable
precautions and followed industry best
practices to protect the personal
information provided by consumers.
Contrary to this claim, the proposed
complaint alleges that Respondent
failed to take reasonable precautions
and follow industry best practices. For
example, the proposed complaint
alleges that Respondent: (1) Failed to
identify reasonably foreseeable risks to
the security of its smart locks or the
security of customers’ personal
accounts, such as through vulnerability
or penetration testing, and assess the
sufficiency of any safeguards in place to
control those risks; (2) failed to employ
sufficient measures to detect and
E:\FR\FM\09APN1.SGM
09APN1
khammond on DSKJM1Z7X2PROD with NOTICES
Federal Register / Vol. 85, No. 69 / Thursday, April 9, 2020 / Notices
prevent users from bypassing the
authentication procedures in
Respondent’s API to gain access to other
users’ accounts; (3) failed to adopt and
implement written data security
standards, policies, procedures, or
practices; and (4) failed to implement
adequate privacy and security guidance
or training for its employees responsible
for designing, testing, overseeing, and
approving software specifications and
requirements.
The proposed order contains
provisions designed to prevent
Respondent from engaging in the same
or similar acts or practices in the future.
Part I of the proposed order prohibits
Respondent from misrepresenting the
extent to which it maintains and
protects: (1) The security of a Covered
Device; or (2) the privacy, security,
confidentiality, or integrity of Personal
Information.
Part II of the proposed order requires
Respondent to establish and implement,
and thereafter maintain, a
comprehensive security program
(‘‘Security Program’’) that that protects:
(1) The security of Covered Devices; and
(2) the security, confidentiality, and
integrity of Personal Information.
Part III of the proposed order requires
Respondent to obtain initial and
biennial data security assessments for
twenty years.
Part IV of the proposed order requires
Respondent to disclose all material facts
to the assessor and prohibits
Respondent from misrepresenting any
fact material to the assessments required
by Part II.
Part V of the proposed order requires
Respondent to submit an annual
certification from a senior corporate
manager (or senior officer responsible
for its information security program)
that Respondent has implemented the
requirements of the Order and is not
aware of any material noncompliance
that has not been corrected or disclosed
to the Commission.
Parts VI through IX of the proposed
order are reporting and compliance
provisions, which include
recordkeeping requirements and
provisions requiring Respondent to
provide information or documents
necessary for the Commission to
monitor compliance. Part X states that
the proposed order will remain in effect
for 20 years, with certain exceptions.
The purpose of this analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the complaint
or proposed order, or to modify in any
way the proposed order’s terms.
VerDate Sep<11>2014
16:28 Apr 08, 2020
Jkt 250001
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020–07499 Filed 4–8–20; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
Public Health Service Act, Delegation
of Authority
Notice is hereby given that the
Director, Centers for Disease Control
and Prevention (CDC), has delegated to
the Deputy Director for Infectious
Diseases (DDID); the Director, Influenza
Division, National Center for
Immunization and Respiratory Diseases
(NCIRD); and the COVID–19 Incident
Manager, NCIRD, CDC, without
authority to redelegate, the authority
vested in the Director, CDC, under
sections 361(a), (b), (c), and (d) and 362,
Title III, of the Public Health Service
Act (Control of Communicable Diseases)
(42 U.S.C. 264 and 265 et seq.), as
amended, to issue and sign quarantine,
isolation and conditional release orders.
This redelegation shall terminate
upon completion of the agency-wide
activation in response to the 2019 novel
Coronavirus outbreak.
This delegation became effective on
March 25, 2020.
Robert McGowan,
Chief of Staff, CDC.
[FR Doc. 2020–07459 Filed 4–8–20; 8:45 am]
BILLING CODE 4160–18–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
[CFDA Number: 93.612]
Notice for Public Comment on
Administration for Native Americans’
Program Policies and Procedures
Relating to Social and Economic
Development Strategies—Growing
Organizations
Administration for Native
Americans (ANA), Administration for
Children and Families (ACF),
Department of Health and Human
Services (HHS).
ACTION: Notice for public comment.
AGENCY:
Pursuant to Section 814 of the
Native American Programs Act of 1974
(NAPA), as amended, ANA is required
SUMMARY:
PO 00000
Frm 00030
Fmt 4703
Sfmt 4703
19949
to provide members of the public an
opportunity to comment on proposed
changes in interpretive rules and
general statements of policy and to give
notice of the proposed changes no less
than 30 days before such changes
become effective. In accordance with
notice requirements of NAPA, ANA
herein describes proposed interpretive
rules and general statements of policy
that relate to ANA’s new funding
opportunity announcement (FOA) in
Fiscal Year (FY) 2020, Social and
Economic Development Strategies—
Growing Organizations (SEDS–GO),
(HHS–2020–ACF–ANA–NN–1837).
DATES: Comments are due by May 11,
2020. If ANA does not receive any
significant comments within the 30-day
comment period, ANA will proceed
with the proposed changes in the
respective published FOA. The FOA
will serve as the final notice of these
proposed changes.
ADDRESSES: Comments may be
submitted to Jean Hovland,
Commissioner, Administration for
Native Americans, 330 C Street SW,
Washington, DC 20201 or via email:
ANAComments@acf.hhs.gov.
FOR FURTHER INFORMATION CONTACT:
Carmelia Strickland, Director, Division
of Program Operations, Administration
for Native Americans, 330 C Street SW,
Washington, DC 20201. Telephone:
(877) 922–9262; Email:
ANAComments@acf.hhs.gov.
SUPPLEMENTARY INFORMATION: Section
814 of NAPA, as amended, (42 U.S.C.
2992b–1) incorporates provisions of the
Administrative Procedure Act that
require ANA to provide notice of its
proposed interpretive rules and
statements of policy and to seek public
comment on such proposals. This notice
serves to fulfill the statutory notice and
public comment requirement. ANA
voluntarily includes rules of practice
and procedures in this notice in an
effort to be transparent. The proposed
interpretive rules, statements of policy,
and rules of ANA practice and
procedure will appear in the FY 2020
SEDS–GO FOA.
Synopses and application forms will
be available on https://www.grants.gov.
A. Interpretive rules, statements of
policy, procedures, and practice. The
proposals below reflect ANA’s proposed
changes in rules, policy, or procedure,
which will take effect in the FY 2020
SEDS–GO FOA.
1. New FOA
In FY 2020, ANA will introduce a
new FOA as a special initiative under
the Social and Economic Development
Strategies program to support growing
E:\FR\FM\09APN1.SGM
09APN1
]]>Agencies
[Federal Register Volume 85, Number 69 (Thursday, April 9, 2020)]
[Notices]
[Pages 19947-19949]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07499]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3011]
Tapplock, Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment describes both
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before May 11, 2020.
ADDRESSES: Interested parties may file comments online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Tapplock, Inc.; File
No. 192 3011'' on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based
form. If you prefer to file your comment on paper, mail your comment to
the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
20024.
FOR FURTHER INFORMATION CONTACT: Jared Ho (202-326-3463), Bureau of
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue
NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC website (for March 30, 2020), at this web
[[Page 19948]]
address: https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before May 11, 2020.
Write ``Tapplock, Inc.; File No. 192 3011'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the https://www.regulations.gov website.
Due to the public health emergency in response to the COVID-19
outbreak and the agency's heightened security screening, postal mail
addressed to the Commission will be subject to delay. We strongly
encourage you to submit your comments online through the https://www.regulations.gov website.
If you prefer to file your comment on paper, write ``Tapplock,
Inc.; File No. 192 3011'' on your comment and on the envelope, and mail
your comment to the following address: Federal Trade Commission, Office
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D),
Washington, DC 20580; or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
20024. If possible, submit your paper comment to the Commission by
courier or overnight service.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC website--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC website,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
Visit the FTC website at https://www.ftc.gov to read this Notice and
the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before May 11, 2020. For information on the Commission's
privacy policy, including routine uses permitted by the Privacy Act,
see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from
Tapplock, Inc. (``Tapplock'' or ``Respondent'').
The proposed consent order (``proposed order'') has been placed on
the public record for thirty (30) days for receipt of comments by
interested persons. Comments received during this period will become
part of the public record. After thirty (30) days, the Commission again
will review the agreement and the comments received, and will decide
whether it should withdraw from the agreement or make final the
agreement's proposed order.
Tapplock is a Canadian Internet of Things (``IoT'') company that,
among other things, sells internet-connected, fingerprint-enabled
padlocks (``smart locks'') to U.S. consumers. The company advertises to
U.S. consumers through its website, www.tapplock.com, and has
previously advertised through the online crowd-funding website
Indiegogo.com. Respondent's smart locks interact with a companion
mobile application (``app'') that U.S. users are able to download onto
their mobile devices. This app logs usernames, email addresses, profile
photos, location history, and the precise geolocation of a user's smart
lock, and it allows users to lock and unlock their smart locks when
they are within Bluetooth range.
In June 2018, security researchers identified critical physical and
electronic vulnerabilities with Respondent's smart locks. With respect
to physical security, some of Respondent's smart locks could be opened
within a matter of seconds, simply by unscrewing the back panel. With
respect to electronic security, one vulnerability in Respondent's API
could have been exploited to bypass the account authentication process
in order to gain full access to the accounts of all Tapplock users and
their personal information, including usernames, email addresses,
profile photos, location history, and precise geolocation of smart
locks. Because Respondent failed to encrypt the Bluetooth communication
between the lock and the app, a second vulnerability could have allowed
a bad actor to lock and unlock any nearby Tapplock smart lock. Finally,
a third vulnerability prevented users from effectively revoking access
to their smart lock once they had provided other users access to that
lock.
The Commission's proposed two-count complaint alleges that
Respondent violated Section 5(a) of the Federal Trade Commission Act.
The first count alleges that Respondent misrepresented to consumers
that their smart locks were secure. Contrary to this claim, as
described above, Respondent's locks were not secure.
The second count alleges that Respondent deceived consumers about
its data security practices by falsely representing that it took
reasonable precautions and followed industry best practices to protect
the personal information provided by consumers. Contrary to this claim,
the proposed complaint alleges that Respondent failed to take
reasonable precautions and follow industry best practices. For example,
the proposed complaint alleges that Respondent: (1) Failed to identify
reasonably foreseeable risks to the security of its smart locks or the
security of customers' personal accounts, such as through vulnerability
or penetration testing, and assess the sufficiency of any safeguards in
place to control those risks; (2) failed to employ sufficient measures
to detect and
[[Page 19949]]
prevent users from bypassing the authentication procedures in
Respondent's API to gain access to other users' accounts; (3) failed to
adopt and implement written data security standards, policies,
procedures, or practices; and (4) failed to implement adequate privacy
and security guidance or training for its employees responsible for
designing, testing, overseeing, and approving software specifications
and requirements.
The proposed order contains provisions designed to prevent
Respondent from engaging in the same or similar acts or practices in
the future. Part I of the proposed order prohibits Respondent from
misrepresenting the extent to which it maintains and protects: (1) The
security of a Covered Device; or (2) the privacy, security,
confidentiality, or integrity of Personal Information.
Part II of the proposed order requires Respondent to establish and
implement, and thereafter maintain, a comprehensive security program
(``Security Program'') that that protects: (1) The security of Covered
Devices; and (2) the security, confidentiality, and integrity of
Personal Information.
Part III of the proposed order requires Respondent to obtain
initial and biennial data security assessments for twenty years.
Part IV of the proposed order requires Respondent to disclose all
material facts to the assessor and prohibits Respondent from
misrepresenting any fact material to the assessments required by Part
II.
Part V of the proposed order requires Respondent to submit an
annual certification from a senior corporate manager (or senior officer
responsible for its information security program) that Respondent has
implemented the requirements of the Order and is not aware of any
material noncompliance that has not been corrected or disclosed to the
Commission.
Parts VI through IX of the proposed order are reporting and
compliance provisions, which include recordkeeping requirements and
provisions requiring Respondent to provide information or documents
necessary for the Commission to monitor compliance. Part X states that
the proposed order will remain in effect for 20 years, with certain
exceptions.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-07499 Filed 4-8-20; 8:45 am]
BILLING CODE 6750-01-P
