D-Link Ducks Some FTC Internet of Things Data Security Claims

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

The FTC will have to refile some internet of things data security allegations against D-Link Corp. after a federal judge trimmed unfairness claims stemming from the company’s alleged lax router security ( FTC v. D-Link Sys., Inc. , 2017 BL 330844, N.D. Cal., No. 17-cv-00039, motion to dismiss granted in part 9/19/17 ).

Companies that face Federal Trade Commission data security allegations in federal court may find some hope in the ruling. If the FTC doesn’t tie alleged data security violations to actual consumer injury, then claims against companies may fail at early stages in court proceedings.

Alex M. Pearce, privacy and data security attorney at Ellis & Winters LLP in Raleigh, N.C., told Bloomberg BNA Sept. 20 that the decision may be a “blow to the FTC’s position that it need not allege ‘actual injury’ to bring an unfairness claim.”

However, the court laid out how the FTC may fix its unfairness claims under “overpayment theories of injury—whereby the allegation is that consumers purchased a product that failed to deliver security as advertised,” Pearce, who is also a certified privacy professional, said. This theory, which is becoming more of a “trend” in data breach and data security litigation, shows “that companies need to be very careful” when making data security promises “in connection with the sale of their products and offerings,” he said.

Judge James Donato of the U.S. District Court for the Northern District of California Sept. 19 pared down the FTC’s unfairness claims against D-Link because the agency didn’t “allege any actual consumer injury” either through monetary losses or a data security incident. Specifically, the FTC’s allegations only raise a “mere possibility of injury at best,” Donato wrote. The court, however, allowed claims relating to D-Link’s alleged misleading statements to consumers on its data security policies and practices to continue.

If the FTC had “tied the unfairness claim to the presentations underlying the deception claims, it might have had a more colorable injury element,” the court said.

The judge also tossed FTC claims related to advertisements made by D-Link with respect to its internet protocol cameras, because the “FTC has not alleged facts showing that” the advertisements “are likely to mislead consumers.”

Security Flaws

The FTC sued D-Link Jan. 5 for allegedly misrepresenting the security of its routers and internet-connected cameras in violation of Section 5 of the FTC Act. Specifically, D-Link promoted that its devices provided advanced security and encryption features, the FTC alleged.

The agency also alleged that the company’s product had well-known security flaws, and that the company’s software could allow hackers to take control of the routers. Because of these claimed flaws, “consumer sensitive personal information and local networks are at significant risk,” the FTC said in the complaint.

D-Link is known for routers and internet-connected cameras that are widely available across the U.S and competes with NETGEAR Inc., Cisco Systems Inc., and Juniper Networks Inc, according to Bloomberg data. The Taipei, Taiwan-based D-Link pulled in $711.3 million in fiscal year 2016 revenue, the data show.

Patrick Massari, assistant vice president at the Cause of Action Institute, which represents D-Link, told Bloomberg BNA Sept. 20 that the FTC’s claims are “wholly unsubstantiated,” and the agency’s “complaint fails to identify any actual data breach and consumer injury.” D-Link “firmly believes that its processes and procedures related to security are ahead of industry competitors,” he said.

Juliana Gruenwald, senior public affairs specialist for the FTC, told Bloomberg BNA Sept. 20 that the agency declined to comment “at this point” on the litigation.

Data Security Enforcement Authority

Although the court granted the company’s motion to dismiss some claims, it upheld the FTC’s overall data security enforcement authority under Section 5 of the FTC Act. Under Section 5, the FTC has the power to bring privacy and data security enforcement actions to address unfair or deceptive practices.

The court rejected D-Link’s argument that the FTC lacked data security enforcement authority under Section 5. Congress made this authority open-ended and flexible, the court said in rejecting the challenge.

The decision is “a mixed bag for the FTC” because even if “some claims were dismissed,” the decision reaffirms the agency’s authority to regulate privacy and data security, Pearce said. The court also confirmed that the FTC can regulate privacy and data security “through ad hoc enforcement rather than by adopting specific rules or standards,” he said.

The court gave the FTC until Oct. 20 to amend its complaint.

The FTC was represented by agency attorneys. Vinson & Elkins LLP and the Cause of Action Institute represented D-Link.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the opinion is available at http://src.bna.com/sJK.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security