The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders. The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.
By filing this lawsuit, the FTC has doubled down on attacks to its authority under Section 5(n) of the FTC Act—raising a similar issue in the agency’s contentious and long-standing litigation with another company, LabMD, Inc.
In its D-Link complaint – filed in Federal district court in San Francisco – the FTC makes detailed allegations about why D-Link failed to exercise reasonable care. The FTC alleges, for example, that D-Link publicized its private key on a public website for six months. A private key proves that a software update is legitimate and, if the key is disclosed, an attacker could use the key to trick computers into running malware. The FTC also alleges that D-Link’s software suffered from a flaw known as “command injection,” which could enable remote attackers to take over consumers’ routers.
The FTC describes a litany of harm that may befall thousands of consumers because of the alleged vulnerabilities in D-Link’s products. The FTC asserts that an attacker could use a compromised router to direct consumers seeking a legitimate financial website to a spoofed website where consumers could unwittingly provide their financial information. An attacker could use the vulnerabilities in D-Link’s IP camera, the agency charges, to monitor consumers’ activities or target them for theft.
But as D-Link was quick to point out, the FTC does not allege that consumers have actually suffered any harm or even that D-Links’ devices had been breached. According to D-Link, “the FTC speculates that consumers were placed ‘at risk’ to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries.”
D-Link’s press release refers to Section 5(n) of the FTC Act, 15 U.S.C. § 45(n), which states that the FTC will have no authority to declare unlawful an act on the grounds that it is unfair unless, inter alia, the act “causes or is likely to cause substantial injury to consumers . . .” The FTC’s authority under Section 5(n) has recently generated controversy for the agency as this statutory provision is at the heart of its litigation against LabMD.
As we have previously reported, (click here, here, here, and here to read more), the LabMD matter began when a cybersecurity firm, Tiversa, Inc., “discovered” a LabMD internal report containing patient information on a peer-to-peer file-sharing program. The FTC initiated an investigation into LabMD in 2010 and filed an administrative complaint against the company in 2013. After a full-blown administrative trial, the FTC’s Chief Administrative Law Judge (“ALJ”) dismissed the FTC’s case under Section 5(n), finding that there was no proof of actual harm to any consumers, and hence, did not satisfy the requisite standard that it was “likely to cause substantial injury….”
But the Commission reversed the ALJ’s decision, concluding that the ALJ had used the wrong legal standard under Section 5(n). The Commission reasoned that, to determine whether a practice may be “likely to cause substantial injury,” one must look to “the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur.” (emphasis added). According to the Commission, a practice may be “likely to cause substantial consumer injury” if the magnitude of potential harm is large even if the probability of the injury occurring is low. The Commission also concluded that, even in the absence of economic or physical harm, the substantial injury requirement was satisfied because of the risk of embarrassment or reputational harm.
LabMD appealed the Commission’s ruling to the U.S. Court of Appeals for the Eleventh Circuit. While the appeals briefing is still underway, the Eleventh Circuit has already signaled its skepticism toward the Commission’s position. In granting LabMD’s motion for a stay of enforcement of the Commission’s Order pending appeal, the court said that the FTC’s reading of Section 5(n) may not be reasonable. The court also questioned the FTC’s interpretation of Section 5(n)’s “likely to cause” standard, noting that the FTC’s interpretation allowed for a finding that consumer injury is “likely,” even though the probability of such an injury occurring is low. The court explained that it is not clear if a reasonable interpretation of Section 5(n) should include “intangible harms like those that the FTC found in this case.”
With its D-Link complaint, the FTC is pushing against the boundaries of what “causes or is likely to cause substantial injury to consumers” under Section 5(n). As was the case with the LabMD matter, the FTC is going forward with its lawsuit without alleging a single instance of actual harm to consumers. Absent new evidence, to sustain its case, the FTC must show that D-Link’s lax security measures are “likely to cause substantial injury”— the exact showing that is under attack in the Eleventh Circuit.
It is possible that the FTC filed suit precisely because its authority under Section 5(n) is being disputed in the Eleventh Circuit. Whereas the FTC brought an administrative action against LabMD which allowed LabMD to control the circuit court that would hear its appeal, the FTC sued D-Link in the Northern District of California. This means that the Ninth Circuit will hear any appeal in the D-Link matter. Could the FTC have filed suit in federal court to set up a potential circuit split on the scope of its authority under Section 5(n)?
By the way, we are not the only ones who see parallels between the D-Link lawsuit and the LabMD matter. D-Link recently announced that it has retained Cause of Action Institute to represent it in the FTC’s lawsuit. Cause of Action Institute represented LabMD before the ALJ and the Commission.