July 19, 2018

July 19, 2018

Subscribe to Latest Legal News and Analysis

July 18, 2018

Subscribe to Latest Legal News and Analysis

July 17, 2018

Subscribe to Latest Legal News and Analysis

Federal Court Sends FTC Back to the Drawing Board in D-Link Complaint

On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three counts of a complaint filed by the Federal Trade Commission (FTC) in January of this year against computer hardware manufacturing giant D-Link Corporation for allegedly lax security practices. The FTC claimed that D-Link's failure to secure its system was an unfair practice and that the company's representations about the security of its devices and systems were deceptive, both in violation of Section 5 of the FTC Act. The court disagreed with the FTC on key legal points, dismissing three counts - including an allegation that D-Link's failure to take reasonable security steps was an unfair practice under the FTC Act - although the FTC was given a chance to amend its complaint to revise the counts the court dismissed. 

The agency's deception theory centered chiefly on D-Link's marketing claims that its devices were secure even though many contained software vulnerabilities and design flaws that put consumers at risk. The FTC's unfairness theory, was, however, central to the complaint.  It focused on D-Link's failure to "take reasonable steps to secure the software for their routers and IP cameras," which, the FTC contended, "caused, or are likely to cause, substantial injury to consumers." According to the FTC, D-Link's failure to secure its systems against malware meant that "thousands of Defendants' routers and cameras have been vulnerable to attacks that subject consumers' sensitive personal information and local networks to a significant risk of unauthorized access." The FTC sought a permanent injunction against D-Link on that basis.

The FTC Act defines "unfairness" as an act or practice that "causes or is likely to cause substantial injury to consumers." The FTC's 1980 Unfairness Policy further explains that acts or practices are unfair if they (1) injure consumers; (2) violate established public policy; or (3) are unethical or unscrupulous. Not every act that may cause potential consumer injury is considered unfair; the injury "must be substantial; ... not [] outweighed by any countervailing benefits to consumers or competition that the practice produces; and ... an injury that consumers themselves could not reasonably have avoided." See also FTC Act § 5(n).

The district court judge threw out the FTC's central claim of unfairness along with two complaints of misrepresentation. In dismissing count 1, the FTC's claim of unfair practices that caused injury to consumers, Judge James Donato agreed that the FTC has broad authority to respond to unfair acts and practices in commerce, even in the absence of specific statutory authority over data security, but concluded that "the FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way." He went on to note that "the absence of any concrete facts makes it just as possible that DLS's devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor." Thus, the FTC had not met its burden under FTC Act § 5(n) (which corresponds to the FTC's Unfairness Policy). In short, the evidence did not show that consumers suffered actual injury, and while proof of actual injury may not be required, to be actionable as an unfair practice, potential injury must be substantial, and the likelihood of injury occurring should be more than speculative.

The judge also dismissed counts 4 and 5 of the FTC's complaint, which alleged misrepresentations in promotional materials for IP cameras and graphic user interfaces. He found it implausible that a consumer would believe a camera is secure from digital attacks "just because the word 'SECURITY' is printed on the bottom corner of [a] brochure." These counts were insufficiently specific to give D-Link fair notice of its allegedly deceptive content.

The court granted the FTC leave to amend the dismissed counts. It allowed three of the FTC's six claims to go forward, which concerned D-Link's misrepresentations that its devices provided adequate data security, and that its routers and IP cameras were safe from unwanted intrusion. An amended complaint is due on October 20, 2017.

The court's rejection of one of the FTC's central theories of consumer harm in privacy and data security cases echoes comments from Acting FTC Chairman Maureen Ohlhausen, who voted against issuing the D-Link complaint as a commissioner. The scope and extent of consumer injury - real or potential - in data security cases is a topic likely to get much more attention in two upcoming FTC events worth watching. First, the FTC will be holding a workshop on informational injury to consumers in Washington, DC on December 12, 2017.  The workshop will address questions such as how to best characterize the "injuries consumers suffer when information about them is misused, ... how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries."

In addition, the FTC will be holding its third annual PrivacyCon on February 28, 2018, also in Washington, DC. PrivacyCon will focus on "the economics of privacy including how to quantify the harms that result from companies' failure to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices." Submissions for PrivacyCon must be made by November 17, 2017.

© 2018 Keller and Heckman LLP


About this Author

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.


Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies, data security and access procedures, manage trans-border data flows, respond to data breaches and create training programs. She assists clients on digital media issues, helping them develop social media, blogging and user-generated content policies, and to understand advertising technology and online behavioral advertising issues.  Ms. Millar also works with clients to navigate the array of federal and state requirements governing contests and sweepstakes, and advises on gift cards, coupons and rebates.  She represents clients on advertising and privacy matters before the Federal Trade Commission (FTC), the Children’s Advertising Review Unit (CARU), the National Advertising Division (NAD), as well as in connection with investigations by state regulatory bodies and Attorneys General.