By Kurt Wimmer, a Partner, and Caleb Skeath, an Associate, with Covington & Burling LLP
The Federal Trade Commission (FTC) has commenced a new data security enforcement action, alleging that security weaknesses in D-Link’s routers and webcams violated Section 5 of the FTC Act. The complaint relies on many of the FTC’s data security best practices, as examined in Washington Legal Foundation’s recent Working Paper, but it also raises new data security issues that the FTC has not previously referenced in its data security enforcement actions. Unlike most FTC data security enforcement targets, D-Link has chosen to defend against the complaint instead of entering into a settlement agreement—and the FTC has decided to file its complaint against D-Link in federal court. This action sets the stage for the next in a recent line of cases challenging the FTC’s data security enforcement authority.
The Complaint against D-Link
The FTC’s complaint against D-Link, filed in the Northern District of California, alleges that D-Link violated Section 5 of the FTC Act by engaging in both “unfair” and “deceptive” acts or practices. As further explained in the WLF Working Paper, the FTC commonly alleges that companies have engaged in “unfair” data security practices by violating one or more of the data security best practices described by the FTC through its guidance and enforcement actions. An allegation that a company has engaged in “deceptive” data security practices, on the other hand, is usually based upon differences between the company’s data security practices and its public statements to consumers regarding data security.
According to the FTC’s complaint, D-Link engaged in “unfair” data security practices by failing to “take reasonable software testing and remediation measures” to protect against “well-known and easily preventable software security flaws” in its routers and webcams. The FTC’s complaint states that these flaws included hard-coded credentials and vulnerabilities to command injection attacks. In addition, the FTC alleged that D-Link failed to use free software to protect login credentials for its mobile application users and stored these credentials in plain text on the users’ mobile devices. The complaint alleges that these practices placed consumers at significant risk, citing press reports that D-Link’s routers and webcams “have been compromised by attackers.”
Roots in the FTC’s Traditional Unfairness Principles
Both of the allegations brought against D-Link have their roots in the FTC’s prior data security enforcement actions. As highlighted in the WLF Working Paper, the FTC has repeatedly pursued enforcement actions against companies for failing to assess and test for commonly known vulnerabilities, often pointing to the ease with which these vulnerabilities could have been addressed as an indication of the unreasonableness of the practices in question. In an effort to curtail the prevalence of these vulnerabilities, the FTC has specifically recommended that companies consult lists of commonly known vulnerabilities, such as the Open Web Application Security Project’s (OWASP) list of common vulnerabilities, during their development and testing processes. In its complaint against D-Link, the FTC once again cited the OWASP list, noting that certain vulnerabilities allegedly present in D-Link’s products have been “among the most critical and widespread web application vulnerabilities” since 2007.
A New Allegation: Failure to Protect a Private Key
In addition to building on its prior enforcement actions, the FTC also alleged that D-Link failed to secure the confidentiality of the private key that D-Link uses to sign its software. According to the complaint, D-Link’s failure to properly secure the key resulted in the key’s exposure on a public website for approximately six months, placing consumers at “significant risk” of accidentally downloading malware that had been signed with D-Link’s private key and disguised as legitimate software. While the FTC has previously pursued enforcement actions for failing to restrict access to sensitive data on a “least privilege” basis, as discussed in the WLF Working Paper, it has never before cited a company for failing to safeguard its private key.
An Additional Deception Claim
Finally, the complaint alleged that D-Link engaged in deceptive practices by failing to uphold the commitments it made to consumers in public statements regarding its data security practices. Specifically, the FTC cited promotional materials for D-Link’s routers and webcams that discussed the products’ security capabilities, including the availability of encryption, as well as user interfaces for these products that referenced security. The FTC’s complaint also noted that after the disclosure of security vulnerabilities in its products in 2013, D-Link posted a “Security Event Response Policy” on its website, stating in part that it prohibits “intentional product features or behaviors which allow unauthorized access” such as undocumented account credentials. Based on these public statements, the FTC alleged that D-Link misrepresented whether it took “reasonable steps to secure [its] products from unauthorized access” and whether its products were “secure from unauthorized access and control.”
Next Steps in the Litigation
D-Link took the first step in contesting the FTC’s enforcement action by filing a motion to dismiss the FTC’s complaint. D-Link’s motion to dismiss argues that the FTC’s complaint fails to identify any currently deficient data security practices or actual harm to consumers, and also argues that the FTC’s data security enforcement violates due process by failing to provide timely notice of the applicable data security standards. Last week, the FTC responded, opposing D-Link’s motion to dismiss on the grounds that it has sufficiently alleged unfair cybersecurity practices under Section 5. The FTC also noted that the United States Court of Appeals for the Third Circuit, the only federal appeals court to consider a due process challenge to the FTC’s data security enforcement authority, rejected this argument. (Decisions by the Third Circuit, which supervises federal courts in Pennsylvania, New Jersey, Delaware and the Virgin Islands, are not binding on California federal courts, but of course may be found to be persuasive.)
It remains to be seen whether D-Link can succeed in contesting the FTC’s regulatory authority over data security, an area where prior litigants have not been successful. The Third Circuit rejected similar due process claims in FTC v. Wyndham Worldwide Corp., holding that the FTC’s prior guidance and enforcement actions counseled against specific data security practices and therefore provided sufficient prior notice. Unless a litigant succeeds in a constitutional challenge to the FTC’s enforcement authority in this area, companies would be well advised to maintain familiarity with the FTC’s data security enforcement actions—including the new elements added to the mix by the D-Link litigation—to reduce the risk of becoming the subject of one themselves.