A Canadian company has settled Federal Trade Commission allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.

The settlement requires Tapplock, Inc. to, among other things, implement a comprehensive security program and obtain independent biennial assessments of the program.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock sells fingerprint-enabled, Internet-connected padlocks, and has touted in its advertisements that its smart locks were “Bold. Sturdy. Secure,” according to the FTC’s complaint. The company’s smart locks interact with a companion mobile app that allows users to lock and unlock their locks when they are within Bluetooth range.

The Tapplock app collects personal information including usernames, email addresses, profile photos, and the precise location of users’ smart locks. In addition to touting the security of its locks, Tapplock also claimed in its privacy policy that it took “reasonable precautions” to secure the data it collected.

The FTC, however, alleged that contrary to its representations to consumers, the company’s locks were not secure and that Tapplock failed to take reasonable precautions or follow industry best practices to protect the consumer data it collected.

Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock Tapplock’s smart locks by, for example, unscrewing the product’s back panel or exploiting the unencrypted Bluetooth connection between the app and the lock. Other electronic vulnerabilities prevented consumers from effectively revoking access to their locks and allowed researchers to bypass the account authentication process and access Tapplock user accounts, including their usernames, email addresses, profile photos, location history, and precise location of the lock.

The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.

In addition to the security program provision, the proposed settlement prohibits Tapplock from misrepresenting its privacy and security practices. Tapplock also is required to obtain third-party assessments of its information security program every two years. In addition, the Commission has authority to approve the assessor for each two-year assessment period.

The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with the company. The FTC published a description of the consent agreement package in the Federal Register. The agreement will be subject to public comment until May 11, 2020, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments are in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.