Rutledge Reaches Settlement with Laptop Manufacturer Lenovo
September 6, 2017
Arkansas to receive over $82,500
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge has joined with 31 other states in a settlement with laptop manufacturer Lenovo Inc. to resolve allegations that the company violated consumer protection laws by pre-installing software on computers sold to consumers, making personal information vulnerable to hackers.
“By failing to properly disclose information to Arkansans about the potential security vulnerability on its laptops and its inadequate procedure to opt-out of a software program, Lenovo violated the law,” said Attorney General Rutledge. “Through this settlement, Lenovo is required to implement new security measures and proper disclosure procedures that will be assessed biennially.”
Arkansas is set to receive $82,567 from this settlement.
In August 2014, North Carolina-based Lenovo began selling certain laptop computers that contained pre-installed ad software called VisualDiscovery, which was created by the company Superfish Inc. VisualDiscovery purportedly operated as a shopping assistant by delivering pop-up ads to consumers of similar looking products sold by Superfish retail partners whenever a customer's mouse hovered over the image of a product on a shopping website. Rutledge and her colleagues claimed that VisualDiscovery displayed a one-time pop-up window the first time consumers visited a shopping website. Unless consumers affirmatively opted out, VisualDiscovery would be enabled on their computers.
VisualDiscovery operated by acting as a local proxy that stood between the consumer's browser and all internet websites that the user visited, including encrypted sites. This technique allowed the software to see all of a user's sensitive personal information that was transmitted online. Consumer information, including sensitive communications with encrypted Web sites, was collected and transmitted to Superfish.
The states also alleged that VisualDiscovery created a security vulnerability that made consumers' information susceptible to hackers in certain situations.
Lenovo stopped shipping laptops with VisualDiscovery preinstalled in February 2015, though some laptops with the software were still being sold by various retail outlets as late as June 2015.
In addition to the monetary payment, the settlement requires Lenovo to change its consumer disclosures about pre-installed advertising software, to require a consumer's affirmative consent to using the software on their device and to provide a reasonable and effective means for consumers to opt-out, disable or remove the software.
Lenovo is also required to implement and maintain a software security compliance program and must obtain initial and biennial assessments for the next 20 years from a qualified, independent, third-party professional that certifies the effectiveness and compliance with the security compliance program.