On September 19, 2017, Judge Donato of the Northern District of California ruled on Defendant D-Link System Inc.’s (D-Link) Motion to Dismiss, which challenged claims by the Federal Trade Commission (FTC) that D-Link’s conduct constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act.

The FTC’s complaint alleges that D-Link failed to implement adequate data security with respect to router and IP cameras it marketed and sold to the public. According to the FTC’s complaint, D-Link’s router and IP cameras were susceptible to well-known exploits and other vulnerabilities that left consumers at risk of compromise by hackers. The FTC alleged that these practices were both deceptive (contrary to D-Link’s representations about the security of their products) and unfair (caused or were likely to cause substantial injury to consumers).

The court made a number of key holdings in the decision. The following two are particularly notable:

First, the court ruled that Counts II through VI of the FTC’s complaint, which alleged “deceptive” trade practices by D-Link, would be held to the heightened pleading standard under Rule 9(b) of the Federal Rules of Civil Procedure. Rule 9(b) is generally reserved for fraud claims, but the court explained that in the Ninth Circuit, “consumer claims rooted in allegations of false or misleading statements about a product sound in fraud and must meet Rule 9(b)’s requirements.” As a result, in order to survive the Rule 9(b) pleading standard, the FTC’s allegations supporting Counts II through VI were required to contain “the who, what, when, where and how of the misconduct charged

Despite the heightened pleading standard, Count II of the FTC’s Complaint against D-Link survived because the FTC had alleged “specific statements [D-Link] made at specific times between December 2013 and September 2015” about the security of its products, which the FTC alleged were deceptive. Counts III and VI survived under similar reasoning. However, Counts IV and V failed to meet the heightened pleading standard and were dismissed because the allegedly deceptive statements on which the Counts relied either were undated in the allegations or could not plausibly have misled a reasonable consumer. For example, the court noted that a brochure for a surveillance camera which contained the word “SECURITY” in the bottom corner could not reasonably have misled a consumer to believe that the camera was secure from digital attackers.

Second, the court ruled that the FTC had failed to adequately plead its cause of action for unfairness (Count I) even under the lesser Rule 8 pleading standard which applied. The court explained that the first element of an unfairness claim — that the conduct at issue causes or is likely to cause substantial injury to consumers — was not adequately pled because the FTC’s complaint did not note a single instance in which a consumer’s D-Link device had been compromised. The court stated, “The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the DLS devices.” The FTC had countered with the view that the allegedly inadequate security of D-Link devices made consumer harm substantially likely, regardless of whether an instance of actual harm had been pled. But the court nevertheless ruled against the FTC, stating that the “absence of any concrete facts makes it just as possible that DLS’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor.”

A final note: the court, like others before it, rejected D-Link’s ultra vires argument that the FTC lacked the authority to bring data security cases in the first place. As the argument goes, Section 5 of the FTC Act does not mention the words data security, and if Congress had wanted the FTC to regulate this area, it would have said so. The court did not bite, concluding that “the fact that data security is not expressly enumerated as within the FTC’s enforcement powers is of no moment to the exercise of its statutory authority.”

Ultimately, the court granted in part, and denied in part, D-Link’s motion. So, while D-Link succeeded in batting down some of the FTC’s claims, the case will proceed. In addition, the FTC has the opportunity to amend its pleadings, and may try to revive the claims previously dismissed. Whether and how the FTC responds will say a lot about the FTC’s approach to data security cases going forward. In particular, the court opened the door for the FTC to reshape its claim for unfair trade practices by alleging that substantial injury to consumers indeed resulted from consumers having purchased a product with unreasonable security, despite D-Link’s representations about the adequacy of the security of the products. The court reserved for another day which pleading standard would apply to such a cause of action — where the unfairness count (judged under the Rule 8 standard) piggy-backs on the deception count (judged under the heightened Rule 9(b) pleading standard).