September 5, 2017
Carson City, NV – Today, Nevada Attorney General Adam Paul Laxalt, along with 31 other states, announced a $3.5 million settlement with technology company Lenovo Inc. The settlement aims to resolve allegations that the company violated state consumer protection laws by pre-installing software on laptop computers sold to Nevada consumers that made their personal information vulnerable to hackers.
In August 2014, Lenovo began selling certain laptop computers pre-loaded with advertisement software called VisualDiscovery, a software created by Superfish, Inc. VisualDiscovery allowed a user to hover over a digital image and see the same or similar products on other websites operated by Superfish retail partners. However, the states alleged that the software also collected users’ sensitive personal information, including communications with encrypted websites, and transmitted this information to Superfish, Inc. The VisualDiscovery software is also alleged to have created a security vulnerability that made consumers’ information susceptible to certain hackers.
Lenovo Inc. is accused of failing to provide consumers with an easy or efficient means of opting out of or disabling the software. The investigating states claimed that Lenovo Inc.’s failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability, and its inadequate opt-out procedure violated state consumer protection laws.
“Safeguarding consumer’s cyber security and private data from illegal intrusions is a priority for my Bureau of Consumer Protection,” said Laxalt. “This settlement holds manufacturers accountable for not disclosing facts to their consumers, and my office will continue to take action against companies that put the personal information of Nevada’s consumers at risk.”
In addition to the monetary payment, the settlement requires Lenovo Inc. to change its consumer disclosures about pre-installed advertising software, to require a consumer's affirmative consent to using the software on their device, and to provide a reasonable and effective means for consumers to opt-out, disable or remove the software. Lenovo Inc. must also implement a software security compliance program and obtain assessments on a regular basis from a qualified, independent, third-party professional who will evaluate the effectiveness and compliance with the security compliance program. As a result of this settlement, the State of Nevada will receive $63,897.04.
In addition to Nevada, other states participating in this settlement include: Arizona, Arkansas, California, Colorado, Connecticut, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Minnesota, Missouri, Nebraska, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont and Washington.
Senior Deputy Attorney General Lucas Tucker and Deputy Attorney General Laura Tucker of the Attorney General’s Bureau of Consumer Protection represented Nevada in this matter.
A copy of the complaint is attached.