FTC Lawsuit Against D-Link Highlights the Importance of Routine Review of Public Statements and Security Protocols

The Federal Trade Commission ("FTC") announced today that it has filed a lawsuit against D-Link alleging that it made deceptive claims about its products' security and engaged in unfair practices that placed consumers' privacy at risk.  The Complaint For Permanent Injunction and Other Equitable Relief was filed in the United States District Court Northern District of California San Francisco Division, naming the Taiwanese D-Link Corporation and its California subsidiary D-Link Systems, Inc. as defendants.  The FTC claims that D-Link failed "to take reasonable steps to secure the routers and Internet-protocol cameras they designed for, marketed, and sold to United States consumers."  In response to the charges, D-Link posted on its website a "FTC Complaint Q&As" in which it summarizes "D-Link Systems, Inc. is aware of the complaint filed by the Federal Trade Commission on January 5, 2017. D-Link Systems denies the unwarranted allegations outlined in the FTC complaint and will vigorously defend the action." The FTC in its complaint mentioned the key role that routers play as a hardware firewall for the local network and the fact that the cameras play a vital security role, monitoring private areas of the home and people's young children. The importance of those functions appear to have been key factors that lead the FTC to go after D-Link. The FTC stated that there was a lack of protection against widespread vulnerabilities and "well- known and easily preventable software security flaws."  Among the information cited to be at risk, according to the FTC, were financial account information and tax returns. The complaint alleges that in response to "highly publicized security flaws" D-link posted a Security Event Response Policy which the FTC says was a misrepresentation.  The Security Event Response Policy stated:

"D-Link prohibits at all times, including during product development by D-Link or its affiliates, any intentional product features or behaviors which allow unauthorized access to the device or network, including but not limited to undocumented account credentials, covert communication channels, ‘backdoors’ or undocumented traffic diversion. All such features and behaviors are considered serious and will be given the highest priority."

The complaint also cited instances where manuals and promotional brochures touted D-link devices' security with statements such as "the [router] is not only one of the fastest routers available, its [sic] also one of the safest" and that D-link made many of the same types of security promises in the interactive interfaces that people saw when they set up their products.

Companies that manufacture connected devices or software should take heed that this action is part of the FTC's focus on security and privacy issues with the internet of things.  The FTC, in its press release, specifically cited "numerous distributed denial-of-service (DdoS) attacks and privacy issues raised by connected toys," and referred companies to follow the FTC's Careful Connections: Building Security in the Internet of Things.

This complaint should also serve as a reminder that public statements regarding privacy and security, whether on websites, marketing, in-app or otherwise are promises to the public.  Breaking those promises could not only subject a company to FTC complaints, but also state Attorney Generals actions, and costly class action lawsuits.  In addition, the action highlights the importance of having (and maintaining) a reasonable security and privacy program.  These public promises and programs should be routinely reviewed and updated to make sure that the statements are truthful, and the programs are commercially reasonable.