California Court Weighs in on the FTC’s Data Security Enforcement Authority
Kade N. Olsen and Craig A. Newman report on a court opinion in the D-Link case – a case that addresses some of the issues also raised in LabMD vs. FTC:
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
As we previewed earlier this year, the FTC filed suit against D-Link Systems, Inc. (“D-Link”), a company that manufactures and sells home networking devices. According to the FTC, D-Link failed to protect its products from “widely known risks of unauthorized access” by not providing “easily preventable” measures against “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the private key D-Link used with consumers to validate software updates, and not deploying “free software, available since at least 2008, to secure users’ mobile app login credentials.” These practices, the FTC maintained, were both (1) “deceptive” and (2)“unfair” under Section 5 of the FTC Act, 15 U.S.C. § 45.
Read more on Patterson Belknap Data Security Law Blog. Here’s the part that may give LabMD a smile or a “That’s what we think, too” nod:
But, the court ultimately found “merit” in D-Link’s argument that the FTC had failed to plead sufficiently that consumers had been injured. As followers of our LabMD coverage will recall, Section 5(n) of the FTC Act provides that the Commission cannot declare an act “unfair” unless, inter alia, that act “causes or is likely to cause substantial injury to consumers.”
The district court explained that the FTC did “not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive data was accessed or exposed.” It was not enough, Judge Donato held, that the FTC claimed that D-Link “put consumers at ‘risk.’” Without “concrete facts” of a “single incident where a consumer’s financial, medical or sensitive data has been accessed, exposed or misused in any way,” the unfairness claim depended on “wholly conclusory allegations” of “potential injury.”