In January of this year, the Federal Trade Commission (FTC) brought suit against Taiwan-based D-Link Corp. and its U.S. subsidiary, D-Link Systems Inc., in Los Angeles Federal Court, for failing to properly secure its consumer routers and computer cameras. According to the FTC, the devices were billed as containing “advanced network security,” but thousands of them were actually left vulnerable to hacking and compromise. The results of this FTC suit could create a de facto security compliance regime for all purveyors in the ever-growing “internet of things.”
The FTC brought the action under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC Complaint, however, never actually alleged that any of D-Link’s devices were hacked or compromised. In other words, the FTC seeks to hold D-Link responsible for exposing consumers to hacking, not because consumers were in fact hacked.
The FTC has brought similar complaints against other “internet of things” manufacturers, namely TRENDnet and ASUSTek, both of which settled their claims with the agency. D-Link, however, has decided to fight. The company has moved to dismiss the Complaint, saying the FTC “can point to no case” wherein a court has found unfairness under the FTC Act absent actual harm to consumers. That argument met with little sympathy from the presiding judge, who told D-Link’s counsel at oral argument, “You don’t have to wait for the house to burn down for the FTC to run in and say the fire alarms don’t work.”
A finding of liability in this case could set a baseline for what security measures are “reasonable” for manufacturers of internet-connected devices. Creating mechanisms to match or exceed that baseline and to conduct routine reviews of public statements about security will be key to avoiding FTC scrutiny, state Attorney General enforcement actions, and large class action suits.