On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three counts of a complaint filed by the Federal Trade Commission (FTC) in January of this year against computer hardware manufacturing giant D-Link Corporation for allegedly lax security practices. The FTC claimed that D-Link's failure to secure its system was an unfair practice and that the company's representations about the security of its devices and systems were deceptive, both in violation of Section 5 of the FTC Act. The court disagreed with the FTC on key legal points, dismissing three counts - including an allegation that D-Link's failure to take reasonable security steps was an unfair practice under the FTC Act - although the FTC was given a chance to amend its complaint to revise the counts the court dismissed.
The agency's deception theory centered chiefly on D-Link's marketing claims that its devices were secure even though many contained software vulnerabilities and design flaws that put consumers at risk. The FTC's unfairness theory was, however, central to the complaint. It focused on D-Link's failure to "take reasonable steps to secure the software for their routers and IP cameras," which, the FTC contended, "caused, or are likely to cause, substantial injury to consumers." According to the FTC, D-Link's failure to secure its systems against malware meant that "thousands of Defendants' routers and cameras have been vulnerable to attacks that subject consumers' sensitive personal information and local networks to a significant risk of unauthorized access." The FTC sought a permanent injunction against D-Link on that basis.
The FTC Act defines "unfairness" as an act or practice that "causes or is likely to cause substantial injury to consumers." The FTC's 1980 Unfairness Policy further explains that acts or practices are unfair if they (1) injure consumers; (2) violate established public policy; or (3) are unethical or unscrupulous. Not every act that may cause potential consumer injury is considered unfair; the injury "must be substantial; ... not [] outweighed by any countervailing benefits to consumers or competition that the practice produces; and ... an injury that consumers themselves could not reasonably have avoided." See also FTC Act § 5(n).
The district court judge threw out the FTC's central claim of unfairness along with two complaints of misrepresentation. In dismissing count 1, the FTC's claim of unfair practices that caused injury to consumers, Judge James Donato agreed that the FTC has broad authority to respond to unfair acts and practices in commerce, even in the absence of specific statutory authority over data security, but concluded that "the FTC does not identify a single incident where a consumer's financial, medical or other sensitive personal information has been accessed, exposed or misused in any way." He went on to note that "the absence of any concrete facts makes it just as possible that DLS's devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor." Thus, the FTC had not met its burden under FTC Act § 5(n) (which corresponds to the FTC's Unfairness Policy). In short, the evidence did not show that consumers suffered actual injury, and while proof of actual injury may not be required, to be actionable as an unfair practice, potential injury must be substantial, and the likelihood of injury occurring should be more than speculative.
The judge also dismissed counts 4 and 5 of the FTC's complaint, which alleged misrepresentations in promotional materials for IP cameras and graphical user interfaces. He found it implausible that a consumer would believe a camera is secure from digital attacks "just because the word 'SECURITY' is printed on the bottom corner of [a] brochure." These counts were insufficiently specific to give D-Link fair notice of its allegedly deceptive content.
The court granted the FTC leave to amend the dismissed counts. It allowed three of the FTC's six claims to go forward; these concerned D-Link's misrepresentations that its devices provided adequate data security and that its routers and IP cameras were safe from unwanted intrusion. An amended complaint is due on October 20, 2017.
The court's rejection of one of the FTC's central theories of consumer harm in privacy and data security cases echoes comments from Acting FTC Chairman Maureen Ohlhausen, who voted against issuing the D-Link complaint as a commissioner. The scope and extent of consumer injury - real or potential - in data security cases is a topic likely to get much more attention in two upcoming FTC events worth watching. First, the FTC will be holding a workshop on informational injury to consumers in Washington, DC on December 12, 2017. The workshop will address questions such as how to best characterize the "injuries consumers suffer when information about them is misused, ... how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries."
In addition, the FTC will be holding its third annual PrivacyCon on February 28, 2018, also in Washington, DC. PrivacyCon will focus on "the economics of privacy including how to quantify the harms that result from companies' failure to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices." Submissions for PrivacyCon must be made by November 17, 2017.