Maine Attorney General Janet Mills joins $3.5M multistate settlement with Lenovo

September 5, 2017

OFFICE OF THE ATTORNEY GENERAL

FOR IMMEDIATE RELEASE
Date: September 5, 2017
CONTACT: Andrew Roth-Wells
Telephone: (207) 626-8887

Lenovo is alleged to have installed hacker-vulnerable software on laptop computers sold to consumers

AUGUSTA - Attorney General Janet Mills today announced that Maine has joined 31 other states in a settlement with technology company Lenovo Inc. to resolve allegations that the company violated state consumer protection laws by pre-installing software on laptop computers sold to Maine consumers that made consumers' personal information vulnerable to hackers. The settlement was negotiated and finalized in coordination with the Federal Trade Commission.

In August 2014, North Carolina-based Lenovo began selling certain laptop computers that contained pre-installed ad software called VisualDiscovery, created by the company Superfish, Inc. VisualDiscovery purportedly operated as a shopping assistant: whenever a customer's mouse hovered over the image of a product on a shopping web site, it delivered pop-up ads for similar-looking products sold by Superfish retail partners. The states claimed that VisualDiscovery displayed a one-time pop-up window the first time consumers visited a shopping website and that unless consumers affirmatively opted out, VisualDiscovery would be enabled on their computers.

The states alleged that VisualDiscovery acted as a local proxy, or "man in the middle," that stood between the consumer's browser and all Internet web sites the user visited, including encrypted sites. This technique allowed the software to see a user's sensitive personal information transmitted on the Internet. Consumer information, including sensitive communications with encrypted web sites, would be collected and transmitted to Superfish, the states alleged.

The states alleged that VisualDiscovery created a security vulnerability that made consumers' information susceptible to hackers in some situations. The states allege that Lenovo's failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability and its inadequate opt-out procedure violated state unfair trade practice laws.

Lenovo stopped shipping laptops with preinstalled VisualDiscovery in February 2015, though the states alleged that some laptops with the software were being sold by various retail outlets as late as June 2015.

"Almost everyone uses a computer at work, at school or at home," said Mills. "Consumers should not have to worry that the very computer they purchase may make them vulnerable to hacking, and no company should be selling products with hidden charges or difficult opt-out options."

In addition to a small monetary payment, the settlement will require Lenovo to change its consumer disclosures about pre-installed advertising software, to require a consumer's affirmative consent to using the software on their device and to provide a reasonable and effective means for consumers to opt out of, disable or remove the software.

Lenovo will also be required to implement and maintain a software security compliance program and to obtain regular assessments for the next 20 years from a qualified, independent, third-party professional to certify the effectiveness of the security compliance program.

The settlement will be final when approved by the court.

Please click here to view a copy of the complaint and the settlement document.

###

Supporting documents

Lenovo complaint

Lenovo settlement