FTC's D-Link case exposes companies to new regulatory, litigation risk in data security

20 January 2017. By Mike Swift and Amy Miller. 

The Federal Trade Commission's recent lawsuit against D-Link Systems reflects a significant departure from earlier "Internet of Things" enforcement actions: Unlike previous IoT cases, the enforcer did not allege a data security breach had occurred.

In doing so, the agency has likely pushed open a door, already ajar, emboldening plaintiffs' attorneys to sue makers of IoT devices, tech companies, and even law firms, before there is a known data breach of their computer networks, accusing them of failing to live up to their data security claims.

While D-Link claimed it offered "advanced network security," the FTC alleges in a lawsuit in federal court in California that the company failed to take reasonable steps to secure its routers and Internet-connected cameras. Rather, D-Link hard-coded vulnerabilities into its products, using easily guessed default login credentials like the username "guest" and the password "guest" in its cameras, the FTC said.

Those back doors, including the exposure for months of a software key that could have allowed hackers to install malware on D-Link devices, left the company's products vulnerable to exploitation by networks of computers infected by malicious software, or "botnets," the FTC said.

But unlike earlier Internet of Things enforcement actions the FTC brought against baby monitor-maker TrendNet and computer-maker ASUS, there was no allegation that buyers of D-Link's products had been harmed — only the potential that they would be harmed in the future.

Recent high-profile hacks are pushing the FTC to be more preemptive and address data security lapses before there's an actual breach or hack, experts agree.

A distributed denial of service attack in October showed the world just how vulnerable IoT devices can be, shutting down major online services including Twitter, Amazon and Netflix for several hours.

Meanwhile, the hacking of the Democratic National Committee's e-mails, which US intelligence officials attribute to the Russian government's desire to undermine the US presidential election, is forcing government officials, including the incoming Trump administration, to focus increasingly on cybersecurity.

And plaintiffs' attorneys have taken note. The FTC's complaint against D-Link is expected to usher in a wave of data security litigation over allegedly lax security practices, even if there hasn't been an actual security breach.

Such lawsuits are already being filed, but most are sealed to prevent hackers from exploiting security vulnerabilities spelled out in court documents. One such lawsuit, unsealed only this month by a federal judge in Illinois, alleged that the Chicago law firm Johnson & Bell did not live up to its promises to keep its clients' data secure.

"Those cases have started to gain some traction, and I think many more are going to be filed," said Jay Edelson, the founder and CEO of Edelson LLC, which brought that case.

Typically, class action litigation is filed after a large data breach becomes known, such as the dozens of lawsuits filed after Yahoo acknowledged this fall that two hacks in 2013 and 2014 had exposed more than one billion accounts.

Plaintiffs in those cases have the difficult job of convincing judges that they've been harmed by the breaches and therefore have Article III standing to sue. District court judges across the country have dismissed numerous data security lawsuits because the plaintiffs didn't allege they'd suffered concrete harm, particularly if the service plaintiffs used was free, such as Yahoo e-mail.

It's difficult for plaintiffs' attorneys to draw a clear line of causation between a data breach and harm to consumers because of the way stolen personal data is trafficked in the dark corners of the Internet.

But when consumers have paid for a service or product, harm has been much easier to prove. Plaintiffs' attorneys suing over data breaches are having success in court using a legal argument called "benefit of the bargain." Their argument is that consumers were harmed because they paid for something — data security — that they didn't get.

Plaintiffs suing the social network LinkedIn over a 2012 data breach argued that they'd relied on LinkedIn's promises of strong data security when they decided to pay for a premium service over a free one, a theory that a federal judge in Silicon Valley blessed in a 2014 ruling. LinkedIn ultimately paid $1.25 million in 2015 to settle allegations that it had inadequate security measures.

Unlike private litigation, however, the FTC doesn't have to prove harm to bring an enforcement action under Section 5 of the FTC Act. It just has to prove that D-Link's security claims were unfair and deceptive.

D-Link says the FTC's allegations are "vague and unsubstantiated" and that it will fight them.

Earlier actions by the FTC were filed after breaches with significant impact on consumers. In the agency's 2014 ASUS case, hackers exploited vulnerable routers and gained unauthorized access to more than 12,900 consumers' connected storage devices, the FTC said.

In the TrendNet case, a hacker found a security flaw in the company's webcam software and created public feeds from nearly 700 TrendNet cameras, with intimate views of "babies asleep in their cribs, young children playing, and adults going about their daily lives."

But now any company that stores data is facing potentially ominous regulatory and litigation risks, and privacy and data-security lawyers are watching the D-Link case closely.

"A mere vulnerability can create liability for a company," said Alfred J. Saikali, a privacy and data security litigator with Shook Hardy Bacon in Miami. "It's going to be really interesting to see how this pans out."

Whether the case and the agency's more preemptive approach to data security enforcement will survive under a new administration is unclear. Republican commissioner Maureen Ohlhausen voted against filing a complaint against D-Link, but was overruled by the Democratic majority. The agency could decide to drop the suit after Republicans take control.

Former FTC Commissioner Julie Brill said it's impossible to know which way the new Republican majority will go. "We'll probably know shortly," she said.
