D-Link Challenges FTC’s Continued Pursuit of “Unfair” Security Practices Absent Evidence of Harm; Calls Allegations “Unsubstantiated and Vague”
By Ashley Pyon
Earlier this week, D-Link Systems, Inc. (“D-Link”),
The FTC’s complaint, filed on January 5, 2017, in the U.S. District Court for the Northern District of California, alleges that the purported failure of the California-based D-Link and its Taiwanese parent to protect their routers, cameras and software products from “widely known and reasonably foreseeable risks” and “easily preventable software security flaws” constituted an “unfair” trade practice in violation of the FTC Act.
The complaint highlights a number of supposed security flaws, including “hard-coded” login credentials and command injection flaws that would allow remote attackers to gain unauthorized access to and control of the device. The complaint also lodges five counts of misrepresentation, alleging that the Company misrepresented the security of its devices in its marketing material, putting “thousands” of customers’ data at risk.
More notably, as D-Link’s response to the complaint points out, the complaint does not allege any actual breach of a D-Link device but only cites potential harm to consumers. This is not the first time that the FTC has filed a complaint alleging data security oversight in the absence of real harm. In 2013, the FTC filed a
In response to the FTC’s July ruling saying that the company’s data security practices were unreasonable, LabMD argued that the agency overstepped its authority and that there was no “substantial injury” because there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm. Ultimately, the FTC rejected LabMD’s position, although the matter now has moved to the courts for final resolution. (PHPrivacy has written about the LabMD proceedings,
Further, this case marks the FTC’s third high-profile action against a device manufacturer over security measures and consumer privacy protections, highlighting a growing trend by the FTC to secure the “Internet of Things” (or “IoT”). In 2013, the FTC settled with security camera manufacturer TRENDnet over allegations that its security cameras allowed hackers to webcast live feeds from customers’ homes.
“It sets a dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm,” said
With the change in Administration just days away, it remains unclear as to whether the FTC, under President Trump, will continue bringing actions predicated on security practices that appear to be objectively unfair but where there is no evidence of real harm. Stay tuned.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog.