The US Federal Trade Commission (FTC) filed a complaint against Tapplock, a manufacturer of smart locks, arguing that the company engaged in deceptive acts or practices in violation of Section 5 of the FTC Act by falsely representing; that its smart locks were secure and that it took reasonable precautions and followed industry best practices to protect consumer data. In addition, Tapplock did not have a security programme in place, which enabled security researchers to discover vulnerabilities in the design and function of their smart locks and to gain access to users' personal information. According to the FTC settlement ,Tapplock is: (a) banned from making deceptive statements about the security of a device or privacy of personal information; (b) obligated to implement a comprehensive security programme which includes employee training; (c) obligated to get biennial third-party assessments and to comply with its recommendations annually. In its announcement, the FTC also highlighted the following recommendations for other Internet of things (IoT) companies that wish to avoid similar mistakes: (a) implementing 'security by design' in their products, (b) encouraging a culture of security, (c) designing products with authentication in mind, (d) following industry best practices, (e) protecting interfaces between IoT products and other devices and services.