On Tuesday, August 6, 2019, the U.S. District Court for the Northern District of California entered a consent order between the Federal Trade Commission (“FTC”) and D-Link Systems, Inc., a U.S. company that is a global leader in connectivity for home, small business, mid- to large-sized enterprise environments, and service providers, resolving an FTC lawsuit alleging that D-Link Systems’ security practices violated Section 5 of the FTC Act. The D-Link Systems order marks the close of the first ever litigated FTC action over the application of Section 5 to the security practices used for Internet of Things (“IoT”) devices. This result is good for D-Link Systems, and good for the FTC.
Court Approves Consent Agreement in Federal Trade Commission v. D-Link Systems
WASHINGTON D.C. (August 6, 2019) – Today, the U.S. District Court for the Northern District of California entered a consent order between the Federal Trade Commission (“FTC”) and D-Link Systems, Inc. Cause of Action Institute has represented D-Link Systems throughout this matter. This joint resolution resolves the FTC’s allegations about the security practices D-Link Systems used for its products. D-Link Systems is an industry leader in Internet of Things (“IoT”) and networking solutions.
CoA Institute Submits Comment to FTC, Recommends Multiple Reforms to Curb Agency Overreach and Abuse
Cause of Action Institute (“CoA Institute”) today submitted a public comment to the Federal Trade Commission (“FTC” or “Commission”) in advance of a series of hearings concerning the agency’s efforts to evaluate its law enforcement and policy agenda, improve investigative processes, and otherwise reform its implementation of the FTC Act.
CoA Institute’s recommendations are based on considerable experience dealing with the FTC. Our attorneys regularly practice before the Commission. At present, CoA Institute represents D-Link Systems, a networking equipment manufacturer, which is fighting vague and unsubstantiated allegations that it placed consumers “at risk,” despite any evidence of actual or likely substantial injury. CoA Institute also represents Vylah Tec, LLC, a family-run technical support company that has been targeted on suspicion of “deceptive” sales practices. The FTC has failed to uncover any concrete evidence of wrongdoing, yet the company remains subject to a punitive injunctive order. In the past, CoA Institute represented LabMD, Inc., a small cancer-detection company, against claims that it had unreasonable data-security practices. And CoA Institute has directly litigated against the FTC over matters related to the Freedom of Information Act.
As explained in the comment, CoA Institute’s track-record with the FTC gives it unique insight into how the agency can be improved in four general areas:
Reforming the FTC’s Enforcement Processes
When FTC staff believes there has been a violation of the law, the agency typically threatens a regulated entity with an enforcement proceeding and attempts to settle the matter by consent order. This is the outcome in most cases. But these consent orders tend to be vague; they provide little guidance about the standards with which other regulated companies are expected to comply. This opens the door to regulatory overreach. The FTC should provide specificity in its consent orders.
The FTC also should refine its use of ex parte injunctions, which are an extraordinary remedy. Without clearer guidance limiting the use of temporary restraining orders and asset freezes, the FTC may continue to raise due process concerns and impose unjustifiable hardships on regulated entities defending themselves in enforcement proceedings.
Concerns about due process likewise arise with respect to the FTC’s own rules of procedure, which differ in material ways from well-accepted rules of procedure and evidence in federal courts. The Commission’s rules provide its staff a decided advantage, particularly given the relatively boundless resources available to the agency. This is unfair and flouts the rule of law.
Finally, the FTC should eliminate its practice of seeking legal damages in excess of what the agency is statutorily authorized to pursue. Although the FTC may request equitable monetary damages, including restitution or disgorgement of ill-gotten gains, in practice the damages sought by the Commission are pecuniary and ultra vires. In short, they amount to the imposition of personal liability on defendants. This approach cannot be countenanced by the FTC Act.
Increasing FTC Transparency
Related to the reforms of the FTC’s enforcement regime are the changes that should be made to its disclosure practices. As mentioned, the FTC regularly relies on consent orders to settle matters before an actual enforcement proceeding is opened. The use of these negotiated orders, which are party-specific and, again, vague, fails to provide the requisite notice of legal standards to which regulated parties are expected to conform. The FTC should abandon efforts to treat consent orders as a “common law” body of precedent that shapes future obligations for regulated parties.
To the extent the FTC continues to use consent orders in this problematic way, however, it should aim to make the orders specific, with detailed analysis about the application of generally applicable standards. The Commission also should proactively disclose the closing letters and closing memoranda from matters where enforcement is not pursued. In these cases, the FTC has determined that a potential respondent is operating within legal bounds. The Commission itself admits that these documents are useful, but they are not uniformly disclosed to the public.
Developing a Proper Understanding of “Substantial Injury”
At the heart of Section 5 of the FTC Act is the concept of “substantial injury.” Without actual, or the threat of “likely,” substantial injury, the FTC can do nothing. But the exact scope of what is “likely” and “substantial” harm is unclear. The FTC does not define the terms precisely, and the body of consent orders that reflect settled matters provide little further detail. What is clear, however, is that the FTC prefers to maintain ambiguity to facilitate its overreach.
The Commission should do a better job considering the countervailing benefits to consumers or competition provided by allegedly unfair acts or practices, too. This can be done with rigorous cost-benefit analysis. The FTC often focus on amorphous concepts of harm while ignoring how regulated entities’ practices benefit the consumer or, more broadly, competition in the marketplace.
How Congress Should Amend the FTC Act
Although CoA Institute’s recommendations are principally directed to the FTC, Congress should play a key role in reforming the Commission’s enforcement processes. We propose that legislators amend the FTC Act to allow direct appeals to a U.S. Court of Appeals following an administrative law judge decision. This would replace the current process by which an appeal is first made to the full Commission. It would be better to permit respondents to seek appellate relief in an Article III venue, and bypass the full Commission, because the FTC has a remarkable track record of never losing its own administrative appeals. Regulatory agencies should not be allowed to wear the dual hats of prosecutor and judge.
Ryan P. Mulvey is Counsel at Cause of Action Institute
Click here to access the full comment or read below.
Court Orders Dismissal of D-Link Corp. from FTC Data Security Case
SAN FRANCISCO – U.S. District Judge James Donato has instructed the Federal Trade Commission (“FTC”) to dismiss Taiwan-based D-Link Corporation (“D-Link Corp.”) from a case brought by the FTC in the U.S. District Court for Northern District of California involving unfounded allegations as to security practices for routers and IP cameras. On April 3, 2017, D-Link Corp. filed a motion to dismiss the case because the Court lacked jurisdiction over the company. FTC’s dismissal of D-Link Corp. renders that motion moot. The case will now proceed with California-based D-Link Systems, Inc. as the sole Defendant.
Cause of Action Institute Assistant Vice President Patrick Massari: “The FTC sued a Taiwanese-based corporation without any factual predicate or consumer victims, real or imagined, exceeding the bounds of its regulatory authority. We are grateful for the Court’s directive and pleased with this resolution of issues raised by D-Link Corp.’s motion to dismiss. We look forward to continuing to vigorously defend this case on behalf of D-Link Systems, Inc.”
Background:
In early January, the FTC filed a complaint against D-Link Systems Inc. and D-Link Corp. The complaint makes vague and unsubstantiated allegations, without asserting a single data breach of any product sold in the U.S. by either company. Instead, the FTC’s complaint relies on unspecified press reports and mere speculation that consumers were placed “at risk,” but fails to allege, as it must, that consumers suffered or are likely to suffer actual or substantial injury. D-Link Systems continues to stand behind its products and maintains a robust range of procedures to address potential security vulnerabilities.
For information regarding this press release, please contact Zachary Kurz, Director of Communications: zachary.kurz@causeofaction.org