Earlier this week, D-Link Systems, Inc. (“D-Link”) responded to the Federal Trade Commission (“FTC”) complaint challenging D-Link’s security practices for its routers and Internet Protocol (“IP”) cameras, calling the claim “unsubstantiated and vague”.
The FTC’s complaint, filed on January 5, 2017, in the U.S. District Court for the Northern District of California, alleges that the California-based D-Link and its Taiwanese parent’s purported failure to protect its routers, cameras and software products from “widely known and reasonably foreseeable risks” and “easily preventable software security flaws” constituted an “unfair” trade practice in violation of the FTC Act.
The complaint highlights a number of supposed security flaws, including “hard-coded” login credentials and command injection flaws which would allow remote attackers to gain unauthorized access and control of the device. The complaint also lodges five counts of misrepresentation, alleging that the Company misrepresented the security of its devices in its marketing material, putting “thousands” of customers’ data at risk.
More notably, as D-Link’s response to the complaint points out, the complaint does not allege any actual breach of a D-Link device but only cites potential harm to consumers. This is not the first time that the FTC has filed a complaint alleging data security oversight in the absence of real harm. In 2013, the FTC filed a complaint against LabMD alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.
In response to the FTC’s July ruling saying that the company’s data security practices were unreasonable, LabMD argued that the agency overstepped its authority and that there was no “substantial injury” because there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm. Ultimately, the FTC rejected LabMD’s position, although the matter now has moved to the courts for final resolution. (PHPrivacy has written about the LabMD proceedings, here.)
Further, this case marks the FTC’s third high-profile action against a device manufacturer over security measures and consumer privacy protections, highlighting a growing trend by the FTC to secure the “Internet of Things” (“IoT”). In 2013, the FTC settled with security camera manufacturer TRENDnet over allegations that its security cameras allowed hackers to webcast live feeds from customers’ homes. According to the agency, the settlement with TRENDnet represented its first effort to target the maker of an everyday product with interconnectivity to the Internet and mobile devices. Just last year, the FTC similarly settled with hardware maker Asus over alleged vulnerabilities in its routers and cloud services.
“It sets a dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm,” said Cause of Action Institute Assistant Vice President Patrick Massari, who is representing D-Link against the FTC. “If the FTC can bring a lawsuit on the potential of a data security breach, nearly every company will be subject [to] unconstrained and unexplored data security liability. Such limitless liability coupled with [the] FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things,” Massari added.
With the change in Administration just days away, it remains unclear as to whether the FTC, under President Trump, will continue bringing actions predicated on security practices that appear to be objectively unfair but where there is no evidence of real harm. Stay tuned.