On September 5, 2017, the Federal Trade Commission (“FTC”) announced that it had agreed to enter into a settlement with Lenovo Inc., which allegedly preloaded some of its computers with invasive software that compromised consumers’ privacy and security protections. The settlement with Lenovo—one of the world’s largest computer manufacturers—requires Lenovo to pay $3.5 million to state regulators, implement new internal programs and be subject to reporting requirements and compliance oversight for 20 years. Looking closely at the underlying violations and terms of the settlement, the Lenovo case offers several lessons for companies seeking to avoid the increasingly numerous regulatory pitfalls in the areas of privacy and cybersecurity.