WASHINGTON D.C. – Today, Cause of Action Institute (CoA Institute) announced the resolution its client, D-Link Systems, Inc., has reached with the Federal Trade Commission (FTC) regarding the FTC’s allegations about the security practices D-Link Systems used for its products. D-Link Systems is an industry leader in Internet of Things (IoT) and networking solutions.
CoA Institute Submits Comment to FTC, Recommends Multiple Reforms to Curb Agency Overreach and Abuse
Cause of Action Institute (“CoA Institute”) today submitted a public comment to the Federal Trade Commission (“FTC” or “Commission”) in advance of a series of hearings concerning the agency’s efforts to evaluate its law enforcement and policy agenda, improve investigative processes, and otherwise reform its implementation of the FTC Act.
CoA Institute’s recommendations are based on considerable experience dealing with the FTC. Our attorneys regularly practice before the Commission. At present, CoA Institute represents D-Link Systems, a networking equipment manufacturer, which is fighting vague and unsubstantiated allegations that it placed consumers “at risk,” despite any evidence of actual or likely substantial injury. CoA Institute also represents Vylah Tec, LLC, a family-run technical support company that has been targeted on suspicion of “deceptive” sales practices. The FTC has failed to uncover any concrete evidence of wrongdoing, yet the company remains subject to a punitive injunctive order. In the past, CoA Institute represented LabMD, Inc., a small cancer-detection company, against claims that it had unreasonable data-security practices. And CoA Institute has directly litigated against the FTC over matters related to the Freedom of Information Act.
As explained in the comment, CoA Institute’s track-record with the FTC gives it unique insight into how the agency can be improved in four general areas:
Reforming the FTC’s Enforcement Processes
When FTC staff believes there has been a violation of the law, the agency typically threatens a regulated entity with an enforcement proceeding and attempts to settle the matter by consent order. This is the outcome in most cases. But these consent orders tend to be vague; they provide little guidance about the standards with which other regulated companies are expected to comply. This opens the door to regulatory overreach. The FTC should provide specificity in its consent orders.
The FTC also should refine its use of ex parte injunctions, which are an extraordinary remedy. Without clearer guidance limiting the use of temporary restraining orders and asset freezes, the FTC may continue to raise due process concerns and impose unjustifiable hardships on regulated entities defending themselves in enforcement proceedings.
Concerns about due process likewise arise with respect to the FTC’s own rules of procedure, which differ in material ways from well-accepted rules of procedure and evidence in federal courts. The Commission’s rules provide its staff a decided advantage, particularly given the relatively boundless resources available to the agency. This is unfair and flouts the rule of law.
Finally, the FTC should eliminate its practice of seeking legal damages in excess of what the agency is statutorily authorized to pursue. Although the FTC may request equitable monetary damages, including restitution or disgorgement of ill-gotten gains, in practice the damages sought by the Commission are pecuniary and ultra vires. In short, they amount to the imposition of personal liability on defendants. This approach cannot be countenanced by the FTC Act.
Increasing FTC Transparency
Related to the reforms of the FTC’s enforcement regime are the changes that should be made to its disclosure practices. As mentioned, the FTC regularly relies on consent orders to settle matters before an actual enforcement proceeding is opened. The use of these negotiated orders, which are party-specific and, again, vague, fails to provide the requisite notice of legal standards to which regulated parties are expected to conform. The FTC should abandon efforts to treat consent orders as a “common law” body of precedent that shapes future obligations for regulated parties.
To the extent the FTC continues to use consent orders in this problematic way, however, it should aim to make the orders specific, with detailed analysis about the application of generally applicable standards. The Commission also should proactively disclose the closing letters and closing memoranda from matters where enforcement is not pursued. In these cases, the FTC has determined that a potential respondent is operating within legal bounds. The Commission itself admits that these documents are useful, but they are not uniformly disclosed to the public.
Developing a Proper Understanding of “Substantial Injury”
At the heart of Section 5 of the FTC Act is the concept of “substantial injury.” Without actual, or the threat of “likely,” substantial injury, the FTC can do nothing. But the exact scope of what is “likely” and “substantial” harm is unclear. The FTC does not define the terms precisely, and the body of consent orders that reflect settled matters provide little further detail. What is clear, however, is that the FTC prefers to maintain ambiguity to facilitate its overreach.
The Commission should do a better job considering the countervailing benefits to consumers or competition provided by allegedly unfair acts or practices, too. This can be done with rigorous cost-benefit analysis. The FTC often focus on amorphous concepts of harm while ignoring how regulated entities’ practices benefit the consumer or, more broadly, competition in the marketplace.
How Congress Should Amend the FTC Act
Although CoA Institute’s recommendations are principally directed to the FTC, Congress should play a key role in reforming the Commission’s enforcement processes. We propose that legislators amend the FTC Act to allow direct appeals to a U.S. Court of Appeals following an administrative law judge decision. This would replace the current process by which an appeal is first made to the full Commission. It would be better to permit respondents to seek appellate relief in an Article III venue, and bypass the full Commission, because the FTC has a remarkable track record of never losing its own administrative appeals. Regulatory agencies should not be allowed to wear the dual hats of prosecutor and judge.
Ryan P. Mulvey is Counsel at Cause of Action Institute
Click here to access the full comment or read below.
D-Link Systems Secures Significant Victory in Court Battle Against FTC
Judge dismisses ‘unfairness’ allegations citing complete lack of consumer harm
SAN FRANCISCO – A federal judge has dismissed three counts against D-Link Systems, Inc. from a complaint brought by the Federal Trade Commission (“FTC”) involving baseless charges regarding the company’s data security practices for its consumer routers and IP cameras. Cause of Action Institute (“CoA Institute”) represents D-Link Systems in its defense.
The Court dismissed the FTC’s Section 5 “unfairness” claim due to the “absence of any concrete facts” supporting the FTC’s allegations of potential consumer harm. The Order states:
The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the DLS devices.
In March, Michael Pepson, counsel at CoA Institute, argued before the Court that the case should be dismissed due to, among other things, the lack of facts supporting the government’s claims. Pepson argued that the FTC’s complaint includes only vague, unsubstantiated allegations with no mention of an actual breach of any D-Link product, or any harm to a single consumer.
In response to the ruling, Pepson stated: “We are grateful to the Court for taking the time to hear the arguments, carefully study the questions presented, and issue a well-reasoned decision on D-Link Systems’ motion to dismiss. Cause of Action Institute remains proud to represent D-Link Systems in this litigation.”
For information regarding this press release, please contact Zachary Kurz, Director of Communications at CoA Institute: zachary.kurz@causeofaction.org
Court Orders Dismissal of D-Link Corp. from FTC Data Security Case
SAN FRANCISCO – U.S. District Judge James Donato has instructed the Federal Trade Commission (“FTC”) to dismiss Taiwan-based D-Link Corporation (“D-Link Corp.”) from a case brought by the FTC in the U.S. District Court for Northern District of California involving unfounded allegations as to security practices for routers and IP cameras. On April 3, 2017, D-Link Corp. filed a motion to dismiss the case because the Court lacked jurisdiction over the company. FTC’s dismissal of D-Link Corp. renders that motion moot. The case will now proceed with California-based D-Link Systems, Inc. as the sole Defendant.
Cause of Action Institute Assistant Vice President Patrick Massari: “The FTC sued a Taiwanese-based corporation without any factual predicate or consumer victims, real or imagined, exceeding the bounds of its regulatory authority. We are grateful for the Court’s directive and pleased with this resolution of issues raised by D-Link Corp.’s motion to dismiss. We look forward to continuing to vigorously defend this case on behalf of D-Link Systems, Inc.”
Background:
In early January, the FTC filed a complaint against D-Link Systems Inc. and D-Link Corp. The complaint makes vague and unsubstantiated allegations, without asserting a single data breach of any product sold in the U.S. by either company. Instead, the FTC’s complaint relies on unspecified press reports and mere speculation that consumers were placed “at risk,” but fails to allege, as it must, that consumers suffered or are likely to suffer actual or substantial injury. D-Link Systems continues to stand behind its products and maintains a robust range of procedures to address potential security vulnerabilities.
For information regarding this press release, please contact Zachary Kurz, Director of Communications: zachary.kurz@causeofaction.org
Cause of Action Institute Files Motion to Dismiss FTC’s Baseless Data Security Charges Against D-Link Systems Inc.
WASHINGTON – Cause of Action Institute (“CoA Institute”) on behalf of D-Link Systems, Inc. today filed in the U.S. District Court for Northern California a Motion to Dismiss the baseless charges brought by the Federal Trade Commission (“FTC”) regarding the company’s security practices for consumer routers and IP cameras.
In an eleventh-hour attempt to expand its own authority to regulate the Internet of Things (“IoT”) before the new administration took office, the FTC in early January filed a complaint against D-Link Systems. The complaint makes vague and unsubstantiated allegations, without asserting a single data breach of any product sold by D-Link Systems in the U.S. Instead, the FTC speculates that consumers were placed “at risk,” to be hacked, but fails to allege, as it must, that consumers suffered or are likely to suffer actual substantial injuries. D-Link Systems stands behind its products and maintains a robust range of procedures to address potential security vulnerabilities.
“This is a case of politicized government overreach without justification or any evidence of consumer injury,” said Patrick Massari, assistant vice president, CoA Institute. “In fact, to her credit, Acting Chairwoman Ohlhausen voted not to bring this case and has spoken out against the agency filing other lawsuits ‘on the eve of a new presidential administration’ that are based on a flawed legal theory and lack economic and evidentiary support.
“This case should be dismissed now. Congress did not delegate to FTC the authority to regulate data security for IoT companies, and therefore FTC’s putative regulation is beyond its legal power. Moreover, the FTC fails in its Complaint to plead the basic elements of proof necessary for a Section 5 ‘unfairness’ violation. The FTC’s action sets a dangerous precedent, whereby the federal government could subject liability to any company that makes an internet-connected product. The FTC’s lawsuit violates D-Link Systems’ due process rights, and will no doubt have a chilling effect on innovation. For these reasons we have urged the Court to dismiss this Complaint in its entirety.”
The FTC has no authority under Section 5(n) of the FTC Act to declare unlawful an act or practice “on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” As D-Link Systems Inc.’s Motion to Dismiss points out, the FTC’s Complaint pleads legal conclusions couched as hypothetical, speculative factual allegations. FTC’s “deception” allegations should also be dismissed for failure to meet the heightened pleading standards set by Federal Rule of Civil Procedure 9(b), which requires such claims to be pled with particularity.
Read the full Motion to Dismiss here Exhibits can be found here
About Cause of Action Institute: Cause of Action Institute is a 501(c)(3) non-profit working to enhance individual and economic liberty by limiting the power of the administrative state to make decisions that are contrary to freedom and prosperity by advocating for a transparent and accountable government free from abuse.
For information regarding this press release, please contact Zachary Kurz, Director of Communications: zachary.kurz@causeofaction.org