On January 5, the Federal Trade Commission filed a complaint against D-Link Corporation, a Taiwanese corporation, and D-Link Systems, Inc., a California corporation and a subsidiary of D-Link Corporation. D-Link sells Internet of Things (“IoT”) devices and software to support such devices. Specifically, D-Link sells routers which transfer data packets along a network and which typically provide a first line of defense against intrusion to other consumer IoT devices such as computers, smartphones, and Internet-connected appliances. D-Link also sells Internet protocol cameras that allow consumers to remotely monitor their property. The FTC complaint serves as yet another warning to IoT device companies that the Commission is watching and taking note of their security practices.
The six-count complaint alleges D-Link violated the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices, by failing to adequately secure software for D-Link routers and IP cameras, and misrepresenting through their security event response policy, router and IP camera promotional material, and router graphical user interface that the software was secure. Section 5 of the FTC Act defines unfair acts or practices as those which cause or are likely to cause substantial injury to consumers that are reasonably unavoidable and which are not outweighed by countervailing benefits to consumers or competition. The Act defines deceptive acts or practices as those where a material representation, omission, or practice misleads, or is likely to mislead, a consumer whose interpretation of the representation, omission, or practice is reasonable.
The crux of the FTC’s complaint relates to D-Link’s misrepresentations regarding the security of its routers, Internet-protocol cameras, and related software and services, leading to consumers’ deception. Specifically, D-Link published a Security Event Response Policy on their website which claimed to prohibit “intentional product features or behaviors which allow unauthorized access to the device or network” from being included in D-Link products. It also made inaccurate promotional claims regarding its products in user manuals and marketing materials, including the “latest wireless security features to help prevent unauthorized access,” offering the ability to “quickly establish a secure connection,” “protects your network with 128-bit AES data security encryption – the same technology used in E-commerce or online banking,” and “Push Button Security” at consumers’ fingertips. The FTC alleges that these statements are deceptive acts or practices since they are not true reflections of the actual security features in D-Link’s products and services.
According to the FTC, D-Link failed to take reasonable measures to protect the security of consumers’ personal information against certain well-known vulnerabilities. The FTC cited the Open Web Application Security Project as identifying these vulnerabilities as early as 2007. Specifically, it alleges that D-Link did not take reasonable steps to: (1) test its software or remediate security flaws in its routers and IP cameras (user credentials were hard-coded into the software); (2) maintain the confidentiality of D-Link’s digital signature (D-Link’s digital signature was posted on its website for six months); and (3) secure user credentials (credentials were available in readable text on a user’s mobile phone). These security failures, according to the FTC, put thousands of consumers’ personal information and networks at risk for unauthorized access – an unfair act or practice.
This complaint comes less than a year after the FTC settled with another IoT company, ASUSTek Computer, Inc., in February 2016. The FTC similarly alleged that ASUS had engaged in unfair and deceptive acts or practices by marketing their routers and cloud services as “secure” while knowing about and failing to fix serious vulnerabilities.
The FTC’s complaints against D-Link and ASUS serve as reminders that inconsistencies between manufacturers’ practices and the promises made to consumers in agreements or marketing collateral present the easiest target for the FTC in a deception claim. All companies that make promotional statements, including in user manuals and marketing materials, that their services are secure from vulnerabilities need to carefully consider the language used. Just as importantly, it is critical for attorneys and compliance personnel reviewing these materials to understand the technology and the persistent information security risks. Companies should take steps to ensure that security and privacy statements made in marketing materials and privacy policies accurately reflect their actual business practices and recognize any risks consumers may face by engaging in a relationship with that company.
The FTC’s complaints should also serve as a reminder that security practices extend well beyond a company’s policies and procedures – companies must take reasonable steps to prevent security vulnerabilities during the design phase of their connected products (by employing “security by design”) and follow through with fixing emerging security vulnerabilities after consumers have purchased connected products. The FTC suggested in the ASUS complaint that the vulnerabilities in ASUS products and software could have been prevented during the design phase with input validation, anti-cross-site request forgery (CSRF) tokens (preventing malicious takeover of the router’s security settings), session time-outs, and prohibiting weak default login credentials. Later, once ASUS had received reports regarding potential security flaws, ASUS should have analyzed the information and taken steps to help consumers address the flaws.
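The four design-phase controls the FTC named in the ASUS matter (input validation, anti-CSRF tokens, session time-outs, and refusing weak default credentials) are concrete enough to show in code. The following is an added illustration written for this post; it is not code from D-Link, ASUS, or the FTC, and it models a hypothetical router or camera administration endpoint using only the Python standard library. The session model, the time-out value, and the blocklist of factory defaults are constructed for the example.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for a hypothetical device-admin interface.
IDLE_TIMEOUT_SECONDS = 600              # session time-out after 10 minutes of inactivity
CSRF_SECRET = secrets.token_bytes(32)   # generated per boot; never baked into firmware

# Constructed blocklist: factory defaults a setup wizard must refuse to keep.
WEAK_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("admin", "password"), ("root", "root"),
}

# Input validation: a single RFC 1123 style hostname label, nothing else.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(value: str) -> bool:
    """Accept only a well-formed hostname label; shell metacharacters never match."""
    return bool(HOSTNAME_RE.fullmatch(value))


@dataclass
class Session:
    session_id: str
    created_at: float
    last_seen: float


def new_session(now: Optional[float] = None) -> Session:
    """Create a session with an unguessable id (256 bits from the OS CSPRNG)."""
    now = time.time() if now is None else now
    return Session(session_id=secrets.token_urlsafe(32), created_at=now, last_seen=now)


def session_expired(session: Session, now: float,
                    idle_limit: int = IDLE_TIMEOUT_SECONDS) -> bool:
    """Session time-out: idle longer than the limit means re-authentication."""
    return (now - session.last_seen) > idle_limit


def issue_csrf_token(session: Session) -> str:
    """Anti-CSRF token bound to this session: HMAC-SHA256(server secret, session id)."""
    return hmac.new(CSRF_SECRET, session.session_id.encode(), "sha256").hexdigest()


def verify_csrf_token(session: Session, submitted: str) -> bool:
    """Constant-time comparison so a forged form cannot be tuned by timing."""
    return hmac.compare_digest(issue_csrf_token(session), submitted)


def credentials_acceptable(username: str, password: str) -> bool:
    """Refuse factory defaults, trivially short passwords, and password == username."""
    if (username, password) in WEAK_DEFAULT_CREDENTIALS:
        return False
    if len(password) < 12 or password == username:
        return False
    return True


def handle_settings_change(session: Session, now: float,
                           csrf_token: str, new_hostname: str) -> str:
    """The checks a settings-change request must pass, in order, before anything is applied."""
    if session_expired(session, now):
        return "rejected: session expired"
    if not verify_csrf_token(session, csrf_token):
        return "rejected: bad csrf token"
    if not validate_hostname(new_hostname):
        return "rejected: invalid hostname"
    session.last_seen = now          # only a valid request refreshes the idle clock
    return "ok"


if __name__ == "__main__":
    s = new_session(now=1000.0)
    tok = issue_csrf_token(s)
    print(handle_settings_change(s, 1100.0, tok, "living-room-cam"))   # ok
    print(handle_settings_change(s, 1100.0, "forged", "living-room-cam"))
    print(handle_settings_change(s, 1100.0, tok, "cam;reboot"))
    print(handle_settings_change(s, 1701.0, tok, "cam"))               # expired
    print(credentials_acceptable("admin", "admin"))                    # False
```

The order of the checks matters: an expired session is refused before the CSRF token is even examined, and the idle clock is refreshed only by a request that passed every check, so a flood of forged requests cannot keep a stale session alive.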
Notably, with the issuance of these two complaints in combination with other guidance the FTC has provided on the security of IoT devices, it is clear that certain information security standards are emerging. The FTC released a Staff Report in February 2015 on the Internet of Things: Privacy & Security in a Connected World, which sets forth the staff’s views on data security, data minimization, and the importance of giving consumers notice and choice. Aside from the fundamentals in product design and fixing vulnerabilities as discussed above, the FTC suggests that IoT companies should make security part of the corporate culture and allocate resources according to a risk-based approach.
The D-Link complaint also comes just one day after the FTC announced its challenge to American consumers to develop a tool to combat security flaws in IoT devices caused by out-of-date software. Contestants must submit proposals by May 22, 2017, and the grand prize winner may win $25,000.
D-Link has stated that it will “vigorously defend itself against the unwarranted and baseless charges” asserted by the FTC, noting that the complaint does not allege an actual breach. D-Link contends that it “maintains a robust range of procedures to address potential security issues.” Stopping short of alleging actual substantial injuries, D-Link offers that the FTC is only speculating that consumers were put at risk by its products. In fact, the non-profit Cause of Action Institute has filed a motion to dismiss on D-Link’s behalf, challenging the FTC’s risk-based approach and arguing that Article 5 of the FTC Act requires a harm-based analysis.
The Cyber Security, Information Governance & Privacy team at Troutman Sanders is well-positioned to help companies develop procedures for effectively handling security issues. Because of our team’s technical background, we are uniquely positioned to understand companies’ IoT technology concerns and to address any risks from a legal perspective. We routinely advise businesses on security and privacy best practices with respect to connected devices, which help to avoid acts or practices that may be considered unfair or deceptive.