Lessons From The FTC's First Enforcement Action Against An IoT Company

Seyfarth Shaw LLP

On January 5, 2017, the Federal Trade Commission (FTC) sued D-Link Corporation, a Taiwan-based computer networking equipment manufacturer, and its U.S. subsidiary for a permanent injunction, alleging that D-Link's inadequate security measures left its wireless routers and the IP cameras used to monitor private areas of homes and businesses vulnerable to hackers, thereby compromising U.S. consumers' privacy.

In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC's allegation of consumer injury is limited to the statement that due to the lack of security, consumers "are likely to suffer substantial injury" and that, unless stopped by an injunction, D-Link is "likely to injure consumers and harm the public interest."

In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC's Section 5 powers have largely gone unchallenged by companies subject to enforcement action until Wyndham hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC's jurisdiction in 2015. That challenge failed when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.

The D-Link lawsuit is the FTC's first enforcement action against an Internet of Things (IoT) company. Since the suit was filed, D-Link made it clear that it was not going down without a fight. D-Link Corp., the foreign parent of D-Link Systems, moved for dismissal for lack of personal jurisdiction. And D-Link Systems moved for dismissal on the merits, arguing that the "unfairness" liability under Section 5 of the FTC Act cannot be based on "risks," and that the FTC failed to plead "actual or likely substantial" injury to consumers, by failing to allege an identifiable data breach or actual physical or monetary harm to an identifiable person. Judge James Donato was not moved by this argument, saying that the FTC's function is to prevent consumer harm, rather than merely respond to harm that has already occurred. "You don't have to wait for the house to burn down for the FTC to run in and say the fire alarms don't work," Judge Donato said.

As we continue to follow the developments in the D-Link suit, a few immediate, actionable takeaways for IoT companies come to mind.

  • If your organization is an IoT company, you would do well to undertake a risk assessment of the security your technologies offer to consumers. Do not wait until your "house burns down," and repeat this assessment periodically. As part of this assessment, you should familiarize yourself with the FTC's guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology and the market. In particular, the FTC recommends that IoT companies do the following:
    • Privacy by design. Build security into devices at the outset, rather than as an afterthought in the design process.
    • Employee training. Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.
    • Vendor management. When hiring outside service providers, ensure that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers.
    • Multiple protections for the same risk. When a security risk is identified, consider a "defense-in-depth" strategy whereby multiple layers of security may be used to defend against a particular risk.
    • Access control. Consider measures to keep unauthorized users from accessing a consumer's device, data, or personal information stored on the network.
    • Patch in a timely manner. Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
  • Take reasonable steps to test your software and implement remediation measures against security flaws, such as "hard-coded" user credentials, "backdoors," and undocumented traffic diversion, that allow hackers to gain control of consumers' devices.
  • Maintain the confidentiality and security of user information, such as users' login credentials, and of the private decryption key used to sign software.
  • Provide clear privacy notices to consumers and give them choices about how their information will be used, particularly when the data collection and sharing may be beyond consumers' reasonable expectations.
  • Ensure that your organization's security practices match your organization's public statements regarding the security of your products and services. For instance, if your user agreement states that your IoT devices come with "the latest wireless security features," they, in fact, need to come with verifiable and provable "latest wireless security features." Going after mismatches between security statements and actual practices is one of the FTC's favorite enforcement tactics.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
