D-link Systems: Possible Signs for the Future of Ftc Data Security Enforcement

Publication year: 2018
Author: Ronald Cheng and Mallory Jensen

I. INTRODUCTION

Enforcement actions by administrative regulators have been increasingly important for understanding the key requirements for data security compliance. In particular, the U.S. Federal Trade Commission (FTC or Commission) has asserted a major role, through its enforcement authority against unfair and deceptive practices under the Federal Trade Commission Act. Recently, as "Internet of Things" (IoT) products, such as security cameras, smart watches, and web-enabled refrigerators have proliferated in the marketplace, FTC enforcement action has adapted to address security issues that arise from the increased flow of data handled by these products.

Part of this trend is the FTC's civil action for injunctive relief against the Taiwanese IoT manufacturer, D-Link Corporation, and its U.S. subsidiary, D-Link Systems, Inc. (collectively "D-Link").2 D-Link has fought the charges, and trial is pending for early next year in San Francisco federal court. This article describes the FTC's recent approach to data security enforcement, with examples from the D-Link case to illustrate those enforcement practices.

II. THE FTC AND DATA SECURITY

The Federal Trade Commission Act empowers the Commission to prevent "unfair or deceptive acts or practices."3 In the area of data privacy, the FTC typically has investigated whether the privacy policy and other representations to the public by manufacturers and service providers fail to account for security deficiencies. The FTC has brought civil complaints in federal courts, which to a great degree have been resolved through consent decrees. Areas that have been the subject of FTC actions include safeguards for customer personal information, protections against outside attacks and other compromise, remote access, and supervision of service providers.

From its experience, the FTC has issued "Start with Security,"4 a summary of "lessons learned" that have been distilled from over 50 enforcement actions, organized by the following topics:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who's trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.


"Start with Security" illustrates each of these topics with examples from specific enforcement actions. For instance, one principle under the heading of "Apply Sound Security Practices" is the advice to "[t]rain your engineers in secure coding." The FTC notes that in several cases, including one against a telecom company, the FTC had alleged that the companies failed to train employees in secure coding practices, leading to "questionable design decisions, including the introduction of vulnerabilities into the software." In particular, the FTC notes that the telecom company "failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices," making it possible for malicious third party apps to communicate with the logging apps so that consumers' data was at risk.

To illustrate the principle that service providers include appropriate security standards in contracts, the FTC cites the case of a company that hired service providers to transcribe audio files containing sensitive health information, but did not require those third parties to take reasonable security measures, with the result that the files were exposed on the internet. And in discussing the FTC's recommendation that companies must keep safety standards in place when data is en route, the pamphlet cites another FTC case in which unencrypted backup tapes, a laptop, and an external hard drive, all of which contained sensitive information, were stolen from an employee's car, when the company should have had a policy limiting employees' ability to transport such material.

The FTC has updated and expanded the summary provided in the "Start with Security" pamphlet through a series of blog entries, "Stick with Security," which has entries on the same topics.5 The "Stick with Security" series is also illustrated by examples from the FTC's enforcement actions, though company names are not used.

Although the FTC is careful in these publications not to provide any insider or nonpublic information about these cases, or to make any statements that would prejudice its position in active cases, these commentaries are nonetheless useful indicators of the direction of the FTC's interest in specific types of companies and privacy violations—that is, how it is interpreting what is "unfair" and "deceptive" in the area of data security and what kinds of companies and violations might be targets. In particular, companies that handle large amounts of consumer data, that make any representations about the security of that data, and that then arguably—at least in the FTC's view—do not live up to the strength of those representations, will have cause for concern.


III. THE D-LINK LITIGATION

In early 2017, the FTC filed a complaint in federal court against the D-Link parent company and a U.S. subsidiary.6 D-Link manufactures internet routers and Internet-Protocol (IP) cameras and sells those devices in the U.S.

The FTC alleged in its complaint that D-Link failed to conduct software testing and take corrective measures to protect against various security flaws that exposed these products to outside attackers. The FTC's complaint also alleged that D-Link failed to adequately protect the private key for its software—which resulted in exposure of the key on a public website for about six months—and failed to use publicly available software to secure mobile app login credentials.

The FTC claimed that, as a result, these goods were subject to attacks and were vulnerable to being conscripted into "botnets," or networks of malware-infected computers. Separately, a compromised router could lead to consumers being redirected to malicious websites and thereby providing sensitive information. Likewise, an attacker could obtain sensitive documents stored on devices accessible through the compromised router. Similarly, a compromised IP camera could give an attacker the ability to surreptitiously monitor consumers and their families.7

As part of its complaint, the FTC asserted that D-Link made false representations about product security, including after reports of security flaws. These representations included claims that the products incorporated the latest wireless security features and were protected by advanced network security.

The FTC sought injunctive relief against D-Link, with charges based on D-Link's allegedly unfair acts in not securing device software and its allegedly deceptive acts in representing that the devices—including the Graphical User Interface (GUI) through which customers used them—were adequately secured from unauthorized access.

A. D-Link's Challenge to Suit Against the Taiwanese Parent

D-Link first contended, in a motion to dismiss for lack of jurisdiction, that the FTC lacked jurisdiction over the parent corporation located in Taiwan. The parent asserted that it had structured its operations to separate itself from its U.S. operations, which were operated by D-Link Systems, Inc. The parent asserted that it acted only to coordinate between that U.S. subsidiary and third-party vendors based in Asia that manufactured and tested its products.


The FTC in turn asserted that the parent had satisfied the requirements for exercise of personal jurisdiction. A federal court may exercise jurisdiction over a foreign defendant where:

(1) the defendant either "purposefully direct[s]" its activities or "purposefully avails" itself of the benefits afforded by the forum's laws; (2) the claim "arises out of or relates to the defendant's forum-related activities; and (3) the exercise of jurisdiction [] comport[s] with fair
...
