Schneiderman: "Companies must thoroughly test their consumer electronics for security vulnerabilities in order to ensure that New Yorkers’ personal information is properly protected."
New York, NY - September 7, 2017 - Attorney General Schneiderman today announced that New York has joined with 31 other states in a settlement with technology company Lenovo (United States) Inc. to resolve allegations that the company violated state consumer protection laws by pre-installing software on laptop computers sold to New York consumers that made consumers' personal information vulnerable to hackers.
“Companies must thoroughly test their consumer electronics for security vulnerabilities in order to ensure that New Yorkers’ personal information is properly protected,” said Attorney General Schneiderman. “No consumer should have to worry that a software glitch will make them vulnerable to hackers, and this settlement will reform Lenovo’s policies and procedures to prevent this breakdown from occurring in the future.”
In August 2014, North Carolina-based Lenovo began selling certain laptop computers that contained pre-installed ad software called VisualDiscovery, which was created by the company Superfish, Inc. VisualDiscovery operated as a shopping assistant, delivering pop-up ads to consumers for similar-looking products sold by Superfish retail partners whenever a customer's mouse hovered over the image of a product on a shopping Web site.
VisualDiscovery operated by acting as a local proxy, or “man in the middle,” that stood between the consumer's browser and all internet web sites that the user visited, including sites using encryption. This technique allowed the software to see all of a user's sensitive personal information that was transmitted on the internet. Consumer information, including sensitive communications with encrypted web sites, would be collected and transmitted to Superfish, the states allege.
VisualDiscovery created a security vulnerability that made consumers' information susceptible to hackers in certain situations. The states allege that Lenovo's failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability and its inadequate opt-out procedure violated state consumer protection laws.
Lenovo stopped shipping laptops with VisualDiscovery preinstalled in February 2015, though the states allege that some laptops with the software were still being sold by various retail outlets as late as June 2015.
New York will receive $154,544 from the settlement funds.
In addition to the monetary payment, the settlement requires Lenovo to change its consumer disclosures about pre-installed advertising software, to require a consumer's affirmative consent to using the software on their device, and to provide a reasonable and effective means for consumers to opt out of, disable or remove the software.
Lenovo is also required to implement and maintain a software security compliance program and must obtain initial and biennial assessments for the next 20 years from a qualified, independent, third-party professional that certifies the effectiveness of, and compliance with, the security compliance program.
The settlement now must be approved in New York State Supreme Court.
New York was represented by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.