Purpose:
Teach about the FTC oversight of Lenovo Compromising private data of its users and how it led to long-term consequences.
Welcome Message:
My name is Steve Hart, and I am a contributing journalist for Compliance Mitigation. I am a Partner at Conformity 360, a compliance consulting firm, serving as the resident subject matter-expert in buy-side Compliance. Prior to joining Conformity360, I was Chief Compliance Officer (“CCO”) for the prestigious firm Allen & Company, and prior to that, served as the Global Chief Administrative Officer for Compliance at BlackRock, the world’s largest asset management company. I hold an Investment Adviser Core Certification, an M.S. in Banking and Financial Services from Boston University and a B.A. in Political Science from the University of Pennsylvania.
Having worked as the CCO for Registered Investment Advisers (“RIAs”) with the Securities and Exchange Commission (“SEC”), I have been through numerous regulatory audits and examinations. Experience gives me insight into how the regulatory bodies conduct investigations and attempts to obtain enforcement actions, often including jail and prison sentences.
Objectives:
After completing this case study, the participants will be able to:
- Understand the type of work done by the Bureau of Consumer Protection.
- Understand why the Federal Trade Commission (“FTC”) protects consumers’ data and privacy.
- Understand why the FTC works to promote competition and to protect and educate consumers.
- Understand what prompts the FTC to bring enforcement actions against retailers.
- Identify risky behavior to avoid as a retailer subject to FTC oversight.
Intended Audience:
Companies and people who sell retail products and services.
Common Terms:
Bureau of Consumer Protection, Privacy Security, Data Security, Digital Certificate, Third-Party Software
Current State:
The FTC’s Bureau of Consumer Protection deters unfair, deceptive and fraudulent business practices by collecting reports from consumers, conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.
As our nation’s premier agency in charge of consumer protection, the FTC monitors and investigates reports about ongoing scams and businesses that fail to make good on their promises. In 2019, those reports exceeded 3.2 million. The FTC shares relevant reports with law enforcement partners and uses them to investigate fraud and eliminate unfair business practices. Each year, the FTC also releases a report with information about the number and type of reports it receives (https://www.fool.com/the-ascent/research/identity-theft-credit-card-fraud-statistics/).
Future State:
The FTC is granted a broad mandate and great authority to police anticompetitive practices. The FTC also administers a wide variety of other consumer protection laws, including the Telemarketing Sales Rule, the Pay-Per-Call Rule and the Equal Credit Opportunity Act. Its administrative authority extends to adopting industry-wide trade regulation rules.
The FTC’s lawless bullying of companies and actions that drive retailers out of business points to future enforcement actions. Standardless regulatory overreach forces the closure of a successful small businesses even though the FTC often does not present adequate evidence of consumer harm, nor does the FTC publish corresponding data security standards with which it says a company should have complied. The FTC’s rationale for enforcement blurs standards that are often vague and unintelligible that no court could intelligently enforce them.
“Scores of companies have knuckled under to the FTC’s insistence on ‘consent’ orders to buy peace. Vague, standardless enforcement actions dictated by unelected bureaucrats should not be enforced in Courts of law. Recent FTC enforcement actions are a stark reminder of the costs required to fight a federal agency that is willing to spend millions of taxpayer dollars over years of investigation and litigation, all in the pursuit of wrong.
Situation:
One of the world’s largest computer manufacturers begins selling computers with pre-loaded software that includes pop-up ads and secretly accesses users’ confidential information ranging from user names and passwords to personal banking information. The FTC receives numerous complaints and takes action against the company.
Background:
Lenovo Group Limited, founded in 1984 as a multinational technology company. incorporated in Hong Kong, it has global headquarters in Beijing, China, and operational headquarters in Morrisville, North Carolina, US. It operates in over 60 countries and sells products in around 180 countries throughout the world. The company designs, develops, manufactures and sells personal computers, tablets, smartphones, work stations, servers, supercomputers, electronic storage devices, IT management software, and smart televisions, and is the world’s largest personal computer vendor by unit sales as of October 2020.
Beginning in 2014, Lenovo sold consumer laptops in the United States that came with a preinstalled software program called VisualDiscovery. That software interfered with how a user’s browser interacted with websites and created serious security vulnerabilities while delivering pop-up advertising. To deliver the ads, VisualDiscovery acted as a “man-in-the-middle” between consumers’ browsers and the websites they visited. Without the consumer’s knowledge or consent, this technique gave VisualDiscovery access all of a consumer’s sensitive personal information.
The practice of pre-loading software receiving attention from regulators has some serious precedent. In fact, Microsoft, one of the world’s largest companies was sued for something similar in 1998, accused of using its monopolistic power in the software industry to force computer makers to sell their products with Microsoft software pre-installed. Microsoft eventually settled with the US government, after 6 years of expensive and distracting litigation, agreeing to terminate its egregious practices.
The FTC received complaints from numerous consumers as over 750,000 computers delivered into the United States began to interfere with consumer use and violate their privacy.
Analysis:
The FTC has been in existence for over 100 years. The agency was born from anti-competitive practices and antitrust concerns at the turn of the 20th century, which morphed into general consumer protection throughout the years. It remains the only federal agency with both (i) consumer protection and (ii) competition jurisdiction in broad sectors of the economy. The FTC actively advances consumers’ interests by sharing its expertise with federal and state legislatures and agencies, and international government partners. It also develops policy and research tools to create practical educational programs for consumers and businesses around the globe.
In a complaint filed in 2015, the FTC alleged that Lenovo compromised consumers’ privacy and data security when it preloaded software with pop-up ads that accessed consumers’ sensitive information without adequate notice or consent. The agency asserted that, “This conduct is even more serious because the software compromises online security protections on which consumers rely.” Thus, began over two years of expensive litigation.
When companies tell consumers that they will safeguard their personal information, the FTC responsibilities include making sure that companies live up these promises. The FTC regularly brings legal actions against organizations that violate consumers’ privacy rights, or mislead them by failing to maintain security for sensitive consumer information, or cause substantial consumer injury. In many of these cases, the FTC has charged the defendants with violating “Section 5 of the FTC Act,” which includes barring the sale of products and services. It may also refer particularly problematic violations to the Department of Justice, putting individuals and companies at risk for criminal prosecution
Security vulnerabilities in the Lenovo case, highlighted consumers’ exposure to undisclosed risks resulting from software pre-loaded by the company. These vulnerabilities enabled potential attackers to intercept consumers’ electronic communications, including those with financial institutions and medical providers, by simply cracking the pre-installed password.
Lenovo ended up voluntarily removing the offending software due to a wave of customer complaints. The case subsequently settled in 2017 subjecting Lenovo to a $3.5 million fine and the obligation to submit to audited security checks of its software for the next 20 years. The settlement also prohibited Lenovo from ever misrepresenting any features of preloaded software again.
Recommendations:
When it comes to the privacy of consumers’ personal information, transparency is the best policy. According to the complaint, Lenovo gets in trouble not because it pre-installed the software but because it did not tell consumers or get their consent. Lenovo never clearly explains to consumers how the software is interacting behind the scenes, and behind the screens. For that reason, the FTC order required Lenovo to have a mechanism for consumers to revoke express consent by opting out or disabling covered software.
Computer manufacturers, and all companies, must fully explore all the implications of including third-party add-ons. The FTC complaint alleges that Lenovo’s failure to take reasonable measures to assess and address the security risks created by its installation of third-party software was an unfair practice. Firms must do due diligence on third-party. They should run such potential deals through internal corporate review and test those add-ons themselves to ensure they do not cause problems for the company itself, documenting the entire process. Provisions should be included in its contract with the vendor to address security as well. Management must also run such proposals by the company’s compliance department to ensure they do not inadvertently violate the laws of a country. This can be particularly important for a large multi-national operating in many countries.
Sources:
- https://www.ftc.gov/enforcement/cases-proceedings/152-3134/lenovo-inc
- https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement
- https://www.ftc.gov/datasecurity
- https://www.ftc.gov/consumer-protection/privacy-and-security
- https://www.ftc.gov/about-ftc