Back in the Fight: Advocacy Group Joins Another FTC Data Security Power Challenge



Cause of Action Institute, a non-profit government accountability organization with a track record of fighting Federal Trade Commission enforcement actions, recently agreed to defend a company against FTC allegations of lax router data security. Cause of Action recently handed off representation of now defunct testing lab LabMD Inc. in what is now a federal appeals court fight over the FTC’s authority to enforce data security standards.

The commission filed a complaint against Taiwan-based D-Link Corp. and its U.S. subsidiary D-Link Systems Inc., alleging that D-Link falsely promoted the security of its routers as “easy to secure” and that they provided “advanced network security.” The complaint asserted that the company violated Section 5 of the FTC Act by unfairly treating consumers through lax data security and also by misrepresenting to consumers the security of its products. The company immediately denied the allegations, and D-Link Systems President William Brown told Bloomberg BNA that the security of D-Link’s products and the protection customers’ private data “is always our top priority.”

Cause of Action Institute announced Jan. 10 that it will represent D-Link Systems in the FTC’s lawsuit. “It sets a dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm,” Cause of Action Institute Assistant Vice President Patrick Massari said in a statement.

LabMD has challenged the FTC’s authority and enforcement standards in a federal appeals court, and according to Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP in New York and chair of the firm’s privacy and data security group, “however decided by the Eleventh Circuit, the LabMD case will have sweeping implications for every organization under the FTC’s watch.” 

Companies challenging the FTC’s authority, including LabMD and D-Link, are exceptions. Since the FTC first began enforcing privacy and data security, virtually all targeted companies have elected not to challenge the FTC's enforcement authority, instead entering no-fault consent orders with the commission.

There have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp. and Snapchat Inc. are among the companies that have settled with the agency.

Another exception is Hotelier Wyndham Worldwide Corp., which challenged the FTC's data security authority under the unfairness prong of Section 5 to take enforcement action against companies over allegedly lax data security practices. Wyndham ended up settling with the FTC in 2015 after the U.S. Court of Appeals for the Third Circuit ruled the agency didn't have to provide a specific reasonable data security standard.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.