California Court Weighs in on the FTC’s Data Security Enforcement Authority
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
As we previewed earlier this year, the FTC filed suit against D-Link Systems, Inc. (“D-Link”), a company that manufactures and sells home networking devices. According to the FTC, D-Link failed to protect its products from “widely known risks of unauthorized access” by not providing “easily preventable” measures against “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the private key D-Link used with consumers to validate software updates, and not deploying “free software, available since at least 2008, to secure users’ mobile app login credentials.” These practices, the FTC maintained, were both (1) “deceptive” and (2)“unfair” under Section 5 of the FTC Act, 15 U.S.C. § 45.
Several of the Commission’s “deception” claims survived D-Link’s motion to dismiss. The court concluded that the FTC had sufficiently alleged that the company had misrepresented (1) that its devices provided adequate data security, (2) that its routers were secure from unauthorized access, and (3) that its IP cameras were safe from unauthorized control. Though, the district court also held that the FTC’s claims relating to specific promotional materials for D-Link’s IP cameras and graphic user interfaces were not sufficiently pled.
The FTC’s “unfairness” claims against D-Link, however, were all dismissed. The district court first gave short shrift to D-Link’s assertions that the FTC may not “assert authority over general data security practices,” that D-Link lacked fair notice because the “FTC has not promulgated clear” standards “for fair practices in data security,” and that the FTC had not alleged D-Link’s unfair practices were ongoing. These are all arguments that have been made in other data security cases and dismissed by the courts.
But, the court ultimately found “merit” in D-Link’s argument that the FTC had failed to plead sufficiently that consumers had been injured. As followers of our LabMD coverage will recall, Section 5(n) of the FTC Act provides that the Commission cannot declare an act “unfair” unless, inter alia, that act “causes or is likely to cause substantial injury to consumers.”
The district court explained that the FTC did “not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive data was accessed or exposed.” It was not enough, Judge Donato held, that the FTC claimed that D-Link “put consumers at ‘risk.’” Without “concrete facts” of a “single incident where a consumer’s financial, medical or sensitive data has been accessed, exposed or misused in any way,” the unfairness claim depended on “wholly conclusory allegations” of “potential injury.”
But all is not lost for the Commission. The district court granted the FTC leave to amend its complaint, and suggested that the FTC could plead a “colorable injury” by tying the unfairness claims to the “representations underlying the deception claims.” That is, a “consumer’s purchase of a device that fails to be reasonably secure—let alone as secure as advertised”—would “likely be in the ballpark of a ‘substantial injury.’”
The FTC’s amended complaint is due on October 20, 2017, and we will continue monitoring this case.