(Boise) – Attorney General Lawrence Wasden today announced that Idaho has joined with 31 other states in a settlement with technology company Lenovo. The settlement resolves allegations that the company violated state consumer protection laws by pre-installing software on laptop computers sold to Idaho consumers that made users’ personal information vulnerable to hackers. The settlement was negotiated and finalized in coordination with the Federal Trade Commission.
Lenovo is paying the states $3.5 million to resolve the allegations. The State of Idaho will receive $57,739.
“I welcome this settlement as another reminder to companies to conduct themselves on the up and up,” Wasden says. “The terms of the settlement are fair and will protect Idaho consumers in similar situations in the future.”
Between August 2014 and February 2015, North Carolina-based Lenovo began selling certain laptop computers that contained pre-installed advertising software called VisualDiscovery, a product created by the company Superfish. VisualDiscovery purportedly operated as an unsolicited shopping assistant. When a user’s mouse hovered over an image on a shopping website, Superfish would deliver pop-up ads of similar products.
The states allege that VisualDiscovery operated by acting as a local proxy, or “man in the middle,” that stood between the consumer’s browser and all websites the user visited, including encrypted sites. This technique allowed the software to see all of a user’s sensitive personal information that was transmitted over the internet. The states also allege the software collected consumer information and sent it to Superfish. Unless consumers affirmatively opted out, VisualDiscovery remained enabled on their computers.
Additionally, the states allege that VisualDiscovery created a security vulnerability that made consumers’ information susceptible to hackers. Further, the states allege that Lenovo’s failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability, and its inadequate opt-out procedure all violated state consumer protection laws.
In addition to the monetary payment, the settlement requires Lenovo to change its consumer disclosures about pre-installed advertising software, to require a consumer’s affirmative consent to using the software on their device, and to provide a reasonable and effective means for consumers to opt-out, disable or remove the software.
Lenovo is also required to implement and maintain a software security compliance program and must obtain regular assessments for the next 20 years from a qualified, independent, third-party professional.
The settlement is not final until it is approved in Ada County District Court.