Iowa Part of $3.5M Multistate Settlement with Lenovo over Installation of Hacker-Vulnerable Software on Laptop PCs.
The settlement requires the PC maker to reform its pre-installed adware disclosures, and change how consumers consent to adware and can opt-out
Lenovo has agreed to a $3.5 million settlement with 32 states, including more than $65,000 to Iowa, over allegations the company violated state consumer protection laws by pre-installing software on laptop computers that made consumers’ personal information vulnerable to hackers.
Iowa District Court Judge Jeffrey Farrell approved the agreement through a consent decree filed Tuesday in Polk County District Court.
In August 2014, Lenovo began selling certain laptop PCs that contained pre-installed ad software called VisualDiscovery. The now-defunct California-based advertising company Superfish Inc. created the adware.
VisualDiscovery disclosed itself to consumers through a one-time pop-up window the first time consumers visited a shopping website. Unless consumers affirmatively opted out, VisualDiscovery would be enabled on their computers.
VisualDiscovery purportedly operated as a shopping assistant. After consumers viewed objects on shopping websites, the software displayed pop-up ads for similar-looking products sold by Superfish retail partners.
The states allege that VisualDiscovery operated by acting as a “man in the middle,” called a local proxy, which stood between the consumer’s browser and all internet websites that the user visited—including encrypted sites. This technique allowed the software to see all of a user’s sensitive personal information that the user uploaded to the internet. The states allege Superfish collected consumer information, including sensitive communications with encrypted websites.
The states allege that VisualDiscovery created a security vulnerability that made consumers’ information susceptible to hackers in certain situations. The states allege that Lenovo’s failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability, and its inadequate opt-out procedure, violated state consumer protection laws.
Lenovo stopped shipping laptops with VisualDiscovery preinstalled in February 2015, though the states allege that some laptops with the software were still being sold by various retail outlets as late as June 2015.
In addition to the monetary payment, the settlement requires Lenovo to change its consumer disclosures about pre-installed advertising software, to require a consumer’s affirmative consent to using the software on their device and to provide a reasonable and effective means for consumers to opt-out, disable or remove the software.
Lenovo is also required to implement and maintain a software security compliance program and must obtain initial and biennial assessments for the next 20 years from a qualified, independent, third-party professional that certifies the effectiveness and compliance with the security compliance program.
The settlement was negotiated and finalized in coordination with the Federal Trade Commission. The payment to Iowa will go to the state’s consumer education and litigation fund.