ATTORNEY GENERAL MADIGAN & 31 OTHER ATTORNEYS GENERAL REACH SETTLEMENT WITH LENOVO
Software on Laptop Computers Made Consumers Vulnerable to Hackers
Chicago – Attorney General Lisa Madigan and 31 other attorneys general today announced a $3.5 million settlement with North Carolina-based technology company Lenovo to resolve allegations that the company violated state consumer protection laws by pre-installing software on laptop computers that compromised consumers’ personal information online. The settlement was negotiated and finalized in coordination with the Federal Trade Commission.
In a complaint filed with the settlement, Madigan and the other attorneys general alleged that starting in August 2014, Lenovo began selling some of its laptop computers with pre-installed VisualDiscovery ad software, which was created by the advertiser SuperFish. Unless consumers affirmatively opted out of the installing the software, VisualDiscovery software was enabled on their computers. The software was not removable and caused computers to run more slowly.
Madigan and the attorneys general alleged that VisualDiscovery acted as an intermediary between the consumer’s browser and all websites they visited, which enabled the software to access a user’s sensitive personal information, such as passwords, Social Security numbers and financial and medical information – without the consumer’s knowledge or consent. Madigan and the attorneys general alleged that consumer information, including sensitive communications with encrypted websites, was collected and transmitted to SuperFish.
“Consumers have a right to know what software has been installed on their computers,” Madigan said. “This settlement will ensure Lenovo will be more transparent with its customers about how their personal information can be affected.”
The states further alleged that VisualDiscovery made consumers’ information vulnerable to hackers. In order to enable the pop-up ads to appear on encrypted websites, the complaint says VisualDiscovery software replaced websites’ digital certificates – which essentially send a signal to a user’s browser ensuring the authenticity of a website – with VisualDiscovery’s insecure digital certificates. As a result, consumers’ browsers did not notify the user that they might be visiting a spoofed or insecure website, which made consumers vulnerable to hackers who could access any personal information transmitted online. Lenovo’s failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software could compromise personal information and its inadequate opt-out procedure violated state consumer protection laws.
Consumers can obtain more information about affected products and model numbers, as well as information for removing the software by visiting its website.
Lenovo stopped shipping laptops with VisualDiscovery pre-installed in February 2015, though the states allege that some laptops with the software were still being sold by various retail outlets as late as June 2015. Starting in February 2015, Lenovo made a tool available to remove the VisualDiscovery software from the laptops.
Under the settlement, Lenovo must not use pre-installed advertising software without first disclosing it to consumers and obtaining their consent. Lenovo is also required to provide a reasonable and effective means for consumers to opt-out, disable or remove the software.
Lenovo is also required to implement and maintain a software security compliance program, and must obtain initial and biennial assessments for the next 20 years from a qualified, independent, third-party professional that certifies the effectiveness and compliance with the security compliance program. Additionally, as part of the settlement, Illinois will receive more than $253,200.
The settlement is not final unless and until it is approved by the court.
The settlement applies to Lenovo Notebook products. For a complete list of affected products and instructions for removing SuperFish, please visit Lenovo’s website.
Bureau Chief Elizabeth Blackston and Consumer Privacy Counsel Matthew Van Hise handled the settlement for Madigan’s Consumer Protection Division.