A District Court in Northern California has recently dismissed multiple “unfairness” claims against a company that manufactures and sells home networking devices on the grounds that the FTC failed to tie alleged data security violations to actual consumer injury.  The ruling potentially weakens the Federal Trade Commission’s position that it is not required to allege actual injury in order to bring an “unfairness” claim.

As alleged by the FTC, the defendant failed to protect its products from “widely known risks of unauthorized access” by not providing “easily preventable” measures against “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the private key it used to validate software updates, and not deploying “free software, available since at least 2008, to secure users’ mobile app login credentials.”

According to the Commission, these practices were both deceptive and unfair under Section 5 of the FTC Act.

While a number of the agency’s deception claims were not dismissed because the court held that the FTC had sufficiently alleged that defendant misrepresented the adequacy of security provided, that its routers were secure from unauthorized access and that its IP cameras were safe from unauthorized control, the Commission’s “unfairness” claims were all dismissed.

Recent data security cases have seen arguments such as: (i) the FTC may not assert authority over general data security practices; (ii) lack of fair notice due to the absence of clear standards for fair data security practices; and (iii) the failure of the Commission to allege that “unfair” practices were ongoing.  These arguments have all failed.

Here, however, the court agreed with the defendant’s argument that the FTC had failed to sufficiently plead that consumers had been injured.  The court explained that the FTC did “not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive data was accessed or exposed.”

As per the FTC Act, the Commission cannot deem an act “unfair” unless, without limitation, that act “causes or is likely to cause substantial injury to consumers.”

Although the court granted the defendant’s motion to dismiss some claims, it upheld the FTC’s overall data security enforcement authority under the FTC Act.

The FTC has been granted leave to amend its complaint.  It is anticipated that the Commission will attempt to plead substantial injury by way of representations underlying the deception claims.

Copies of the FTC Complaint and the Order can be seen here and here.

(FTC v. D-Link Sys., Inc., 2017 BL 330844, N.D. Cal., No. 17-cv-00039, motion to dismiss granted in part 9/19/17).

Takeaway:  It is not enough for the FTC to merely claim that consumer information was put “at risk.”  Wholly conclusory allegations of potential injury will not suffice.  Rather, concrete facts of a single incident where a consumer’s financial, medical or sensitive data has been accessed, exposed or misused are required to be alleged in order to support an “unfairness” claim.

Companies must take extreme care when making data security promises in connection with the sale of their products and offerings.  Contact an FTC defense lawyer if you are interested in implementing preventative compliance measures, or if your company is the subject of a local, state or federal regulatory investigation or enforcement action.


Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.  

ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777