Consumers and businesses aren’t the only sources of potential privacy and data-security litigation. Today’s post looks at another important source: the Federal Trade Commission and state consumer-protection regulators.
In many cases, government enforcers don’t have express authority to sue for “privacy” or “data security” violations. Instead, the FTC often sues based on its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. State enforcers invoke their authority under Section 5’s state-law analogues, like N.C. Gen. Stat. §75-1.1. The enforcers argue that the failure to protect consumers’ sensitive data constitutes an “unfair” business practice.
A new decision from a federal court in California, called FTC v. D-Link Systems, explores the limits of this theory. This post discusses two specific issues from D-Link:
- Can the FTC use its “unfairness” authority under Section 5 to regulate companies’ data security practices?
- Can an “unfairness” claim lie under Section 5 without an allegation that consumers suffered either (a) monetary loss or (b) actual disclosure of their sensitive personal data?
The Best Possible Security?
D-Link Systems sold routers and internet-connected security cameras and video baby monitors. D-Link’s marketing materials and user manuals touted the products’ security features. The materials said that the products included “the latest wireless security features to help prevent unauthorized access” and “the best possible encryption.”
Not so, according to the FTC. The Commission claimed the software for D-Link’s products had clear security flaws—flaws that allowed attackers to access the devices over the Internet and to observe consumers through their cameras, or to steal sensitive information stored on a consumer’s home network.
The FTC sued D-Link, alleging (among other claims) that D-Link’s failure “to take reasonable steps to secure the software” for their routers and cameras amounted to an “unfair” act or practice that violated Section 5. Notably, the FTC did not allege that any consumer had actually been spied on or had their data stolen—just that those harms could result from the security flaws in D-Link’s products.
No Harm, No Foul?
D-Link moved to dismiss the unfairness claim on two broad grounds.
First, D-Link generally objected to the FTC’s use of its unfairness authority to regulate data security. According to D-Link, “Section 5 says nothing about data security,” and “[i]f Congress wanted the FTC to regulate data security for the entire economy, it would have clearly said so.” Even if Section 5 gave the FTC the authority to regulate data security, D-Link argued, the FTC had not given D-Link fair notice—through the formal adoption of clear standards—of “what data-security practices for routers and IP cameras the FTC believes Section 5 to prohibit or to require.”
Second, D-Link argued, the FTC had failed to adequately allege that D-Link’s practices in this case caused or were likely to cause substantial injury to consumers—a necessary element of an unfairness claim under Section 5. The statute, said D-Link, required the FTC to allege actual physical or monetary harm to identifiable consumers.
It Means What We Say It Means
The court rejected out of hand D-Link’s general challenge to the FTC’s unfairness authority. It explained that “unfairness” was “by its very nature, a flexible concept with evolving content.” That data security was not expressly enumerated in Section 5 thus did not affect the FTC’s ability to exercise its authority to regulate companies’ data security practices. In that regard, the court cited approvingly to FTC v. Wyndham Worldwide Corp., a Third Circuit case from 2015 that rejected the same argument.
The court also rejected D-Link’s “fair notice” argument. Even though adopting specific data-security standards might in theory be “an optimal way” for the FTC to proceed, said the court, the law did not require this as a precondition for bringing an enforcement action. Rather, the FTC had discretion to proceed through individual, ad hoc litigation. And in the court’s view, that approach was especially appropriate in the realm of data security: “data security is a new and rapidly developing facet of our daily lives, and to require the FTC in all cases to adopt rules or standards before responding to data security issues faced by consumers” would be impractical.
What’s the Harm?
The court agreed with D-Link, however, that the FTC had not adequately pleaded the “injury” element of its unfairness claim. According to the court, the FTC’s failure to allege facts showing that consumers suffered a monetary loss, or had their sensitive personal data accessed or exposed, was fatal to the FTC’s claim. The absence of such facts, despite the FTC undertaking a thorough investigation, indicated that it was just as possible that D-Link’s devices were not likely to substantially harm consumers.
The court therefore dismissed the unfairness claim, but then gave the FTC leave to amend—and a roadmap on how to avoid dismissal the second time around.
According to the court, rather than relying on the risk of future harm to consumers from a compromised device, the FTC might instead frame the “injury” to consumers as an overpayment for the devices themselves. The court explained that a consumer’s purchase of a device that was not reasonably secure—let alone as secure as advertised—would be “in the ballpark” of a substantial injury, particularly if that injury were suffered by a large group of consumers.
Lessons for Companies
D-Link contains some important lessons for companies.
First, the decision confirms that the FTC can use its unfairness authority under Section 5 to regulate data security, and that it can use ad hoc enforcement actions rather than formally-adopted rules and standards. Absent such rules or standards, companies would be well-advised to stay abreast of the informal guidance that the FTC makes available on its website and Business Blog, and of the actions that it brings against other companies.
Second, the court’s invitation for the FTC to amend its unfairness claim to focus on consumers’ purchase of devices they expected to be secure may lead regulators, just like consumers, to use “overpayment” theories to avoid dismissal of data-security lawsuits.