More Challenges to FTC’s Data Security Authority

In 2017, in a matter that has been highly-publicized for its potential impact upon data security-related liability, the Federal Trade Commission initiated legal action against D-Link for the latter’s alleged failure to implement reasonable precautions to secure its routers and Internet-protocol cameras from. The court dismissed a number of the FTC’s causes of action, including an “unfairness” allegation based, in large part, upon the failure of the FTC to set forth any concrete harm.

The court, however, disagreed with the defendant’s argument that the agency lacked statutory authority to regulate data security under the “unfairness” prong of Section 5 of the FTC Act. In fact, the court stated that the unfairness claim might survive dismissal if factually tied to a deception claim.

In September 2018, the parties each filed motions for summary judgment. The FTC argued that there exists no issue of fact that D-Link failed to take reasonable precautions to protect against foreseeable security vulnerabilities. In its own motion, D-Link argued that the FTC’s deception-based claims were speculative, and that no evidence of consumer harm exists.

The forthcoming decision should be a significant one as it pertains to the FTC’s authority to regulate data security.

Takeaway: Reasonable security measures should always be implemented. Such procedures should be reasonable in light of the nature of the business, sensitivity and volume of consumer information handled, and costs to reduce vulnerabilities. Of course, companies must be sure to adhere to the privacy and data security-related representations made to consumers.