Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The FTC will have to refile some internet of things data security allegations against D-Link Corp. after a federal judge trimmed unfairness claims stemming from the company’s alleged lax router security ( FTC v. D-Link Sys., Inc. , 2017 BL 330844, N.D. Cal., No. 17-cv-00039, motion to dismiss granted in part 9/19/17 ).
Companies that face Federal Trade Commission data security allegations in federal court may find some hope in the ruling. If the FTC doesn’t tie alleged data security violations to actual consumer injury, then claims against companies may fail at early stages in court proceedings.
Alex M. Pearce, privacy and data security attorney at Ellis & Winters LLP in Raleigh, N.C., told Bloomberg BNA Sept. 20 that the decision may be a “blow to the FTC’s position that it need not allege ‘actual injury’ to bring an unfairness claim.”
However, the court laid out how the FTC may fix its unfairness claims under “overpayment theories of injury—whereby the allegation is that consumers purchased a product that failed to deliver security as advertised,” Pearce, who is also a certified privacy professional, said. This theory, which is becoming more of a “trend” in data breach and data security litigation, shows “that companies need to be very careful” when making data security promises “in connection with the sale of their products and offerings,” he said.
Judge James Donato of the U.S. District Court for the Northern District of California Sept. 19 pared down the FTC’s unfairness claims against D-Link because the agency didn’t “allege any actual consumer injury” either through monetary losses or a data security incident. Specifically, the FTC’s allegations only raise a “mere possibility of injury at best,” Donato wrote. The court, however, allowed claims relating to D-Link’s alleged misleading statements to consumers on its data security policies and practices to continue.
If the FTC had “tied the unfairness claim to the presentations underlying the deception claims, it might have had a more colorable injury element,” the court said.
The judge also tossed FTC claims related to advertisements made by D-Link with respect to its internet protocol cameras, because the “FTC has not alleged facts showing that” the advertisements “are likely to mislead consumers.”
The FTC sued D-Link Jan. 5 for allegedly misrepresenting the security of its routers and internet-connected cameras in violation of Section 5 of the FTC Act. Specifically, D-Link promoted that its devices provided advanced security and encryption features, the FTC alleged.
The agency also alleged that the company’s product had well-known security flaws, and that the company’s software could allow hackers to take control of the routers. Because of these claimed flaws, “consumer sensitive personal information and local networks are at significant risk,” the FTC said in the complaint.
D-Link is known for routers and internet-connected cameras that are widely available across the U.S and competes with NETGEAR Inc., Cisco Systems Inc., and Juniper Networks Inc, according to Bloomberg data. The Taipei, Taiwan-based D-Link pulled in $711.3 million in fiscal year 2016 revenue, the data show.
Patrick Massari, assistant vice president at the Cause of Action Institute, which represents D-Link, told Bloomberg BNA Sept. 20 that the FTC’s claims are “wholly unsubstantiated,” and the agency’s “complaint fails to identify any actual data breach and consumer injury.” D-Link “firmly believes that its processes and procedures related to security are ahead of industry competitors,” he said.
Juliana Gruenwald, senior public affairs specialist for the FTC, told Bloomberg BNA Sept. 20 that the agency declined to comment “at this point” on the litigation.
Although the court granted the company’s motion to dismiss some claims, it upheld the FTC’s overall data security enforcement authority under Section 5 of the FTC Act. Under Section 5, the FTC has the power to bring privacy and data security enforcement actions to address unfair or deceptive practices.
The court rejected D-Link’s argument that the FTC lacked data security enforcement authority under Section 5. Congress made this authority open-ended and flexible, the court said in rejecting the challenge.
The decision is “a mixed bag for the FTC” because even if “some claims were dismissed,” the decision reaffirms the agency’s authority to regulate privacy and data security, Pearce said. The court also confirmed that the FTC can regulate privacy and data security “through ad hoc enforcement rather than by adopting specific rules or standards,” he said.
The court gave the FTC until Oct. 20 to amend its complaint.
The FTC was represented by agency attorneys. Vinson & Elkins LLP and the Cause of Action Institute represented D-Link.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Full text of the opinion is available at http://src.bna.com/sJK.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)