May 21, 2019

May 20, 2019

Subscribe to Latest Legal News and Analysis

FTC Files to Protect Consumers’ Security in the Internet of Things

As more consumer devices connect to the Internet, regulators take a more aggressive stance requiring security promises be met.

On January 5, 2017, the FTC filed a complaint against computer networking equipment manufacturer, D-Link Corporation, alleging that the company failed to take reasonable steps to secure routers and Internet-protocol cameras from “widely known and reasonably foreseeable risks of unauthorized access,” leaving consumers vulnerable to data privacy and security risks. 

The D-Link case is the FTC’s third case in the Internet of Things (IOT) space.  The first was in 2014 against TRENDnet, Inc., a computer networking devices retailer, and the second was in 2016 against ASUSTek Computer, Inc., a computer hardware manufacturer.  According to the FTC, D-Link put consumers at a significant risk of harm because D-Link failed to take steps “to address well-known and easily preventable security flaws,” including flaws “ranked among the most critical and widespread web application vulnerabilities since at least 2007” by the Open Web Application Security Project.  In response to the FTC’s complaint, D-Link denied the allegations and promised to “vigorously defend the action.” 

The absence of security measures promised to consumers in product brochures and other public statements regarding privacy is problematic for the FTC.  Like in the TRENDnet and the ASUS cases, in the D-Link case, the FTC alleged D-Link misrepresented its security practices to consumers.  Several exhibits to the FTC’s complaint show the security representations D-Link made to customers of its various products.  These include a Security Event Response Policy, and statements like “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.”  According to the FTC, D-Link told its customers that their equipment is secure, and the FTC expects that D-Link will honor its representations to its customers by taking the necessary steps to secure its products against hackers. 

IOT companies need to remain vigilant and use resources such as the Open Web Application Project, the NIST and the FTC’s published guidance to learn about the latest security practices in the industry.  IOT companies likely will not be safe from regulatory scrutiny if they do not remain current with the latest security practices.

 

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

...

704-331-4910
Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm
Associate

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.

Education

J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

919-484-2306