In 2017, the FTC filed a complaint against D-Link Systems, Inc. (D-Link) alleging that the Taiwan-based computer networking equipment manufacturer had taken inadequate security measures which left its wireless routers and Internet-connected cameras vulnerable to hackers. In early July, D-Link agreed to a settlement that includes a requirement that it implement a comprehensive software security program, and obtain biennial, independent third assessments of its software security program for 10 years.
The D-Link settlement is noteworthy for two reasons. First, it highlights the challenges the FTC has faced when litigating data security cases based on an unfairness theory. Second, it provides specific guidance to manufacturers and sellers of connected devices that includes implementing security planning, threat modeling, and testing for vulnerabilities before releasing products as well as ongoing monitoring to address security flaws.
The 2017 complaint alleged that D-Link violated Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The unfairness count alleged that D-Link’s failure to take reasonable steps to secure the software for its routers and Internet-connected cameras caused or was likely to cause substantial injury to consumers. The remaining deception counts focused on D-Link’s claims that the routers were “easy to secure” and that the packaging for Internet-connected cameras listed security claims.
In September 2017, the district court judge dismissed three of the counts, including the unfairness count, but rejected D-Link’s argument that the FTC lacked authority to regulate data security as an unfair practice under Section 5 of the FTC Act. While the court suggested that the unfairness count could have survived a motion to dismiss had it been tied to the representations outlined in the deception counts, the FTC did not amend its complaint.
The FTC’s settlement requires that D-Link continue with or establish, implement and maintain a Comprehensive Software Security Program (Security Program) to provide protection for its covered devices (Internet-connected cameras and routers) for 20 years. The settlement details the requirements of the Security Program that includes, among other things, that the Security Program be documented in writing and provided annually to the board of directors or other governing body. It further details both pre-release and ongoing obligations including communicating with consumers and others when D-Link will stop providing security updates. Specifically, D-Link must provide notice to consumers who registered their device with the company at least 60 days prior to ceasing security updates for a covered device as well as posting a clear and conspicuous notice on the product information page that the covered device will no longer receive firmware updates. In addition, the settlement outlines required safeguards that include biennial security training for personnel and vendors responsible for developing, implementing, or reviewing covered device software. Further, D-Link is required to select and retain service providers capable of maintaining security practices consistent with the Security Program and contractually require service providers to implement and maintain safeguards consistent with the Program.
The settlement also requires that D-Link obtain an initial and biennial security assessments for ten years from qualified third parties. As with similar provisions in other recent data security settlements, no finding of any assessment shall rely solely on assertions or attestations by management. Of interest, D-Link has the option to have the assessor certify compliance with the International Electrotechnical Commission’s (IEC) standard for the secure product development lifecycle. If D-Link obtains the IEC certification, it will meet the requirement of a comprehensive software security program.
The settlement with D-Link is consistent with the FTC’s recent data security settlements.