CoA Institute Urges Supreme Court to Rein In FTC’s Unconstitutional Pursuit of Money Damages

Washington, D.C. (November 13, 2019) – Today, Cause of Action Institute (“CoA Institute”) filed an amicus brief in the U.S. Supreme Court supporting cert petitions filed by AMG Capital Management and Publishers Business Services. The petitions urge the Court to review the Federal Trade Commission’s (“FTC”) claim that Section 13(b) of the FTC Act, which authorizes injunctions, also grants the agency power to obtain money damages, raid businesses, and impose asset freezes and receiverships.


FTC v. Qualcomm: FTC Oversteps its Section 13(b) Authority . . . Again

On August 30, 2019, Cause of Action Institute (CoA) filed an amicus brief in the Ninth Circuit in support of Qualcomm in FTC v. Qualcomm, Inc., No. 19-16122.  This unprecedented, highly controversial case of international importance represents FTC’s latest ultra vires attempt to expand its powers.  It does so here by seeking to transmogrify an alleged breach of contract into an antitrust violation.  A former FTC Commissioner, a current FTC Commissioner, the U.S. Department of Justice, numerous other federal agencies, a former Chief Judge of the Federal Circuit, leading antitrust scholars, and others all publicly oppose FTC’s wayward lawsuit against Qualcomm.

The D-Link Systems’ Consent Order Explained

On Tuesday, August 6, 2019, the U.S. District Court for the Northern District of California entered a consent order between the Federal Trade Commission (“FTC”) and D-Link Systems, Inc., a U.S. company that is a global leader in connectivity for home, small business, mid- to large-sized enterprise environments, and service providers, resolving an FTC lawsuit alleging that D-Link Systems’ security practices violated Section 5 of the FTC Act.  The D-Link Systems order marks the close of the first ever litigated FTC action over the application of Section 5 to the security practices used for Internet of Things (“IoT”) devices.  This result is good for D-Link Systems, and good for the FTC.

I.  FTC v. D-Link Litigation Background

The D-Link Systems order resolves the FTC Complaint brought in January 2017.  The Commission authorized its filing by a 2-1 vote, over the dissent of Honorable then-Commissioner Maureen K. Ohlhausen.  Importantly, the Complaint did not allege that any actual data breach occurred or that any identifiable person was harmed in any way by the company’s alleged security practices, nor did the FTC pursue such a claim in litigation.  There were also no allegations of mishandling or misuse of customer information or any privacy violations in the FTC’s action.

In September 2017, the Court dismissed FTC’s “unfairness” claim, noting that there was no allegation of “any actual consumer injury in the form of a monetary loss or an actual incident where sensitive personal data was accessed or exposed.”[1]   The Court also dismissed two “deception” claims at the pleading stage.  Although the Complaint initially named D-Link Systems’ Taiwan-based parent, it was dismissed from the case in May 2017 by agreement of the parties pursuant to the Court Order and is not a party to the settlement.  The matter proceeded past the summary judgment stage without a finding of liability against D-Link Systems, as neither side prevailed on their cross-motions.[2]

II. The Groundbreaking Consent Order

A Commitment to Continue Industry Leading Data Security Practices

Against this backdrop, the matter was resolved, without any liability finding on the part of D-Link Systems, by a consent order that contractually advances the parties’ shared goal of protecting the security of IoT products in a constructive way.  As we will discuss in upcoming blog posts, this is significant, given the ongoing debate over this issue in FTC consent orders.

At the heart of the consent order is D-Link Systems’ agreement that it will “continue with” its current “comprehensive software security program,” which furthers this mutual goal.  Because robust security practices were voluntarily adopted for the products D-Link Systems sells long before the consent order, the order thus effectively further memorializes D-Link Systems’ commitment to continuing to use industry best practices, such as sophisticated pre- and post-release testing as well as the use of evidence-based internal and external assessments to continuously improve the security practices.  In essence, under the no-fault consent order, D-Link Systems agrees with FTC to continue doing what it has already been doing.

The order differs from prior FTC data-security consent orders in several important ways.  First, the order sets forth in greater detail than prior FTC consent orders the state-of-the-art security practices and rigorous security program that the company already had in place, providing a roadmap for continued compliance.[3]  In addition, the consent order allows D-Link Systems another pathway to compliance: D-Link Systems has the option of using a state-of-the-art industry security standard, IEC 62443-4-1, or another suitable industry standard of its choice, if approved by FTC, to meet its obligations under the consent order.  This provision balances the need for certainty as to the company’s obligations with the need for flexibility to innovate and adapt to changes in technology, providing D-Link Systems with the freedom to continually improve its products and practices in this rapidly changing area.

The consent order is also only the second time FTC has granted a company safe harbor.  This means, if D-Link Systems successfully obtains an evidence-based certification from a third-party security expert that an approved industry standard has been complied with, D-Link Systems is deemed to be in compliance with the order’s “comprehensive software security program” requirement for a period of two years moving forward.  If D-Link Systems wishes to significantly change its practices after an assessment, it must obtain a certification from the assessor that the changed practice is compliant.  The consent order thereby expressly links compliance with the software security program requirement to successful completion of the required biennial assessments, providing certainty as to how the obligations must be met – the necessary certainty for a company to continue to comply with obligations to consumers while they continue to innovate.

No Marketing Restrictions, No Privacy Provisions

The D-Link Systems order also contrasts sharply with FTC’s other consent orders with IoT companies, which include very broad restrictions on what those other companies may say about their products.  Unlike past cases where FTC had alleged “deception,” the D-Link Systems order contains no restrictions about the marketing statements D-Link Systems can make about the security of its products.  Likewise, unlike most FTC consent orders, the D-Link Systems order does not impose any obligations upon D-Link Systems regarding “covered information,” which reflects that D-Link Systems was not alleged to have mishandled any such privacy information or to have engaged in privacy violations.

Significantly Shorter Duration

In contrast to most FTC data security consent orders, this order is also generally shorter in duration.  For example, although most orders require biennial assessments for a period of twenty (20) years, the D-Link Systems consent order only requires these assessments for ten (10) years.  Except for D-Link Systems’ agreement to “continue with” its “comprehensive software security program” for twenty (20) years (unless it chooses to cease to sell consumer routers and IP cameras), and the linked annual certification provision, all other provisions of the consent order terminate in ten (10) years or less.  This stands in stark contrast to other FTC data security consent orders in federal court, which are permanent, and other administrative consent orders in data security and privacy cases, which last for at least twenty years.

The appropriate length of FTC consent orders in data security matters is hotly contested, in part because there are sound reasons why these orders should be for a shorter duration of ten (10) years or less – such as the reality that technology and the associated legal landscape continue to evolve in this rapidly changing area.  As the ABA Section of Antitrust Law has explained: “Especially in areas where technology is rapidly evolving, order provisions that make sense when they are entered may no longer be appropriate in 10 years, let alone 20 years later, and may serve to chill innovative and useful corporate practices.”[4]  Accordingly, D-Link Systems has informed the Court of its intent to respectfully request that the Court exercise its discretion to terminate the remaining provisions in the order after ten years of compliance.

A Carefully Constructed, Bespoke Remedy in Data Security Policy

The D-Link Systems consent order reflects a well-intentioned ongoing learning process.  In a recent joint statement issued in connection with another FTC matter, Honorable FTC Commissioners Noah Joshua Phillips and Christine S. Wilson thoughtfully remarked: “Our view is that remedies have a purpose; that experience and learning tell us how best to use them; and that more is not necessarily better. The Commission has an obligation to ensure that the relief in our orders is tailored carefully to the facts and circumstances of each matter—just because we can seek and obtain a particular remedy does not mean that we should.”[5]  This sentiment encapsulates the ethos of the parties’ amicable and constructive agreement to settle this matter, which was never a zero-sum game because sound software security practices and product security remain a priority for all involved.  That is the message this case sends.

In the end, the D-Link Systems consent order represents a welcome intersection of good business and sound public policy in the important area of data security and technology, which benefits the consuming public.  It accomplishes this by carefully tailoring its provisions to suit the facts and circumstances of this specific matter involving a good corporate citizen like D-Link Systems that cares about its customers, thereby achieving the consent order’s forward-looking purpose of benefitting consumers in the real world.  This is a net benefit for all involved.

Moving forward, this consent order may provide guidance both as to what good IoT companies can do to secure their products, as well as what FTC expects of the industry.  The consent order’s appropriate emphasis on the continuation of top-notch security practices—including rigorous, evidence-based outside assessments by third-party experts to facilitate continuous improvements—also underscores why there is no need whatsoever for the creation of any new and unusual federal administrative bodies in the areas of data security, privacy, and technology.

John J. Vecchione is President and CEO at Cause of Action Institute. Michael Pepson is Special Counsel for Administrative Law at Cause of Action Institute. Jessica L. Thompson is Counsel at Cause of Action Institute. Cause of Action Institute has represented D-Link Systems in this matter since January 2017.


[1] FTC v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 U.S. Dist. LEXIS 152319, at *14 (N.D. Cal. Sep. 19, 2017)

[2] FTC v. D-Link Sys., Inc., No. 17-cv-00039-JD, 2018 U.S. Dist. LEXIS 199023 (N.D. Cal. Nov. 5, 2018)

[3] This is a feature, not a bug.  Some press reports imply that specificity in an order is an onerous burden on the agency while vagueness aids a company’s ability to comply.  Quite the opposite is true.  See FTC v. LabMD, 894 F.3d 1221 (11th Cir. 2018) (finding the FTC’s enforcement order void for vagueness).

[4] ABA Section of Antitrust Law, Presidential Transition Report: The State of Antitrust Enforcement, 30 (January 2017), https://www.americanbar.org/content/dam/aba/publications/antitrust_law/state_of_antitrust_enforcement.pdf

[5] Joint Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson, U.S. v. iSpring Water Systems, LLC. et al. Matter No. C4611 (April 12, 2019) (emphasis in original), https://www.ftc.gov/system/files/documents/public_statements/1513499/ispring_water_systems_llc_c4611_modified_joint_statement_of_commissioners_phillips_and_wilson_4-12.pdf

Court Approves Consent Agreement in Federal Trade Commission v. D-Link Systems

WASHINGTON D.C. (August 6, 2019) – Today, the U.S. District Court for the Northern District of California entered a consent order between the Federal Trade Commission (“FTC”) and D-Link Systems, Inc. Cause of Action Institute has represented D-Link Systems throughout this matter. This joint resolution resolves the FTC’s allegations about the security practices D-Link Systems used for its products. D-Link Systems is an industry leader in Internet of Things (“IoT”) and networking solutions.

Key terms of the consent agreement between D-Link Systems and the FTC include the following:

  • No finding of liability for any alleged violation.
  • No finding of deceptive marketing statements or practices by D-Link Systems.
  • No monetary payment requirement.
  • D-Link Systems continues its current comprehensive software security program and can be granted a two-year Safe Harbor for successful security certifications.

This agreement contrasts sharply with the FTC’s other consent orders with IoT companies, which include very broad restrictions on what those companies may say about their products. Importantly, unlike other IoT matters in which the FTC had alleged “deception,” today’s order contains no such restrictions.

John Vecchione, CoA Institute’s President and CEO and lead trial counsel for D-Link Systems, commented on the Court’s consent agreement:

“We are pleased with the order that Judge James Donato has entered in this case. In this evolving regulatory landscape governing the Internet of Things, we are confident that this resolution embodies positive policy for the industry. We are honored to represent D-Link Systems, which will continue to make consumer privacy and security a top priority.”

Case Background:

Cause of Action Institute announced on January 10, 2017 that it would represent D-Link Systems, Inc. in its defense against the FTC.

In May of 2017, the Court instructed the FTC to dismiss D-Link Corp. from the case after D-Link Corp. filed a motion to dismiss the case on the basis that the Court lacked jurisdiction over the Taiwan-based parent company which has not conducted any business activity in the United States for many years.

In September of 2017, the Court dismissed three counts against D-Link Systems, Inc. including the FTC’s Section 5 “unfairness” claim due to the “absence of any concrete facts” supporting the FTC’s allegations of potential consumer harm.

On July 2nd, 2019, a proposed joint settlement agreement was filed with the Court. Today the Court issued a consent order approving the parties’ agreement.

For more information on the background of this case, please visit our website.

###

Media Contact: Nichole Van Valkenburg, nichole.vanvalkenburg@causeofaction.org | 202-317-0266

Case Information
FTC v. D-Link Systems, Inc., Case No. 17-cv-00039-JD (N.D. Cal.)

About Cause of Action Institute
Cause of Action Institute is a 501(c)(3) non-profit, non-partisan government oversight organization working for economic liberty unencumbered by overregulation. Cause of Action uses investigative, legal, and communications tools to educate the public about government accountability, transparency, and the rule of law.

About D-Link Systems, Inc.
D-Link Systems is a global leader in connectivity for home, small business, mid- to large-sized enterprise environments, and service providers.

Settlement in Federal Trade Commission v. D-Link Systems Includes No Finding of Liability

WASHINGTON D.C. – Today, Cause of Action Institute (CoA Institute) announced the resolution its client, D-Link Systems, Inc., has reached with the Federal Trade Commission (FTC) regarding the FTC’s allegations about the security practices D-Link Systems used for its products. D-Link Systems is an industry leader in Internet of Things (IoT) and networking solutions.

Key terms of the settlement between D-Link Systems and the FTC announced today include the following:

  • No finding of liability for any alleged violation.
  • No finding of deceptive marketing statements or practices by D-Link Systems.
  • No monetary payment requirement.
  • D-Link Systems continues its current comprehensive software security program and can be granted a two-year Safe Harbor for successful security certifications.

This settlement contrasts sharply with the FTC’s other consent orders with IoT companies, which include very broad restrictions on what those companies may say about their products. Importantly, unlike other IoT matters in which the FTC had alleged “deception,” today’s proposed order contains no such restrictions.

D-Link Systems issued the following statement:

“We are pleased to reach an amicable resolution with the FTC. Notably, this order does not find D-Link Systems liable for any alleged violations.  We chose to defend against this litigation based on our strong belief in the quality and security of our products and practices.  This settlement allows D-Link Systems to vigorously continue with its current comprehensive software security program and sets a new standard for secure software development practices for IoT devices.  Today’s announcement further formalizes D-Link Systems’ commitment to product quality, which remains a top priority.  We thank Cause of Action for zealously and relentlessly defending D-Link Systems in concluding this litigation.”

John Vecchione, CoA Institute’s President and CEO and lead trial counsel for D-Link Systems, commented on the resolution:

“This case will have a lasting impact and, we hope, positively shape public policy in the important areas of technology, data security, and privacy.  The Court’s dismissal of the Complaint’s ‘unfairness’ claim for failure to plead actual consumer harm will hopefully refocus the FTC’s efforts on practices that actually injure identifiable consumers, providing technology companies with additional certainty necessary for permissionless and evolving innovation.  Today’s settlement is equally unprecedented and represents sound public policy.  For the first time, an IoT company has been granted safe harbor for two years if it obtains an assessment certifying its compliance with a state-of-the-art industry standard, as well as the opportunity to choose to replace this standard, working with the FTC, to keep pace with evolving technology.”

Michael Pepson of Cause of Action, counsel for D-Link Systems, added, “We took on D-Link Systems’ cause, pro bono, because we believe that D-Link Systems is a responsible corporate citizen that cares about its customers.  The settlement reflects that both sides take security and protecting consumers very seriously.”

Christine Yang, counsel for D-Link Systems, joins CoA Institute to thank the Court, particularly Magistrate Judge Jacqueline Scott Corley, for taking the time to help the parties to amicably resolve this matter.

D-Link Systems cooperated with the FTC throughout the agency’s investigation and acted in good faith to amicably resolve this matter with the FTC, thereby conserving judicial resources and avoiding unnecessary further litigation.

Case Background:

Cause of Action Institute announced on January 10, 2017 that it would represent D-Link Systems Inc. in its defense against the FTC.

In May of 2017, the Court instructed the FTC to dismiss D-Link Corp. from the case after D-Link Corp. filed a motion to dismiss the case on the basis that the Court lacked jurisdiction over the Taiwan-based parent company which has not conducted any business activity in the United States for many years.

In September of 2017, the Court dismissed three counts against D-Link Systems, Inc. including the FTC’s Section 5 “unfairness” claim due to the “absence of any concrete facts” supporting the FTC’s allegations of potential consumer harm.

For more information on the background of this case, please visit our website.

###

Media Contact: Nichole Van Valkenburg, nichole.vanvalkenburg@causeofaction.org | 202-317-0266


Small business owners prevail, Court denies all damages sought by FTC

WASHINGTON D.C. (May 10, 2019) – In a major victory, Cause of Action Institute (CoA Institute) today celebrated the decision by the U.S. District Court for the Middle District of Florida denying all damages against its clients, small business owners Robert and Angelo Cupo and their business Vylah Tec LLC. In January 2019, the Court found Messrs. Cupo and Vylah Tec liable; however, the Court denied all financial damages, decrying the government’s failure to support its demand and writing in its opinion, “[a]s this Court stated in trial, it is obvious that the disgorgement (financial penalty) total is a moving target.” The decision repeatedly chided the government for continually changing both the total damages sought and the basis for the calculations – both of these “moving targets” make it impossible for small business owners like the Cupos to defend themselves. Today’s decision is a major blow to the Federal Trade Commission (FTC), which had sought millions of dollars from the small business.

“Today’s decision serves as a rebuke to the Federal Trade Commission’s attempt to confiscate a small business owner’s property while completely ignoring the legal standards required to do so,” said John Vecchione, president and CEO of Cause of Action Institute. “While the Cupos and Vylah Tec may be the named parties, this victory should be celebrated by all small business owners and entrepreneurs who fear the Federal Trade Commission’s wrath, which too often treats small businesses more harshly than larger corporations, and by all supporters of the rule of law.”

Case background

After obtaining a secret court order in early 2017, the FTC targeted Vylah Tec, LLC, a small family-run tech company, and conducted an hours-long raid of the company’s headquarters on suspicion of “deceptive” sales practices because it bore a superficial resemblance to companies with illegitimate practices. The raid was initiated as part of a politically-hyped campaign known as Operation Tech Trap headed by the FTC in conjunction with the Florida Attorney General’s office. Failing to take into account Vylah Tec’s substantial well-regarded services, the government sought to shut the company down, depriving thousands of customers of pre-paid technical support services.

Not only did the FTC demand a freeze of assets of the defendants, but it also went so far as to demand a freeze of the jointly held marital assets of the wife of one of the defendants. After the 11th Circuit Court of Appeals reversed this freeze, the FTC filed a new motion to recapture the same personal assets without the evidence needed in equity. The Court strongly rebuked the motion. In September, the government prevailed in finding Messrs Cupo and V-Tec liable for damages. However, as the Court found today, the government was unable to prove these damages.

The Vylah Tec case demonstrates the vast power of the federal government and the ability of the FTC to use a court order obtained in secret to deny a family-run company due process by swooping in and seizing assets—including the money they needed to hire a lawyer and mount a defense. Cause of Action Institute firmly believes a prosperous society allows all individuals, entrepreneurs, and companies an opportunity to succeed, but far too often when facing the FTC, companies or individuals have their livelihoods threatened and must defend themselves against a regulatory authority with near endless resources and no motive to render justice.

###

Media Contact: Matt Frendewey, matt.frendewey@causeofaction.org | 202-699-2018

CoA Institute Files Amicus Brief in FTC v. AMG Capital Management

On March 14, 2019, Cause of Action Institute (CoA Institute) filed an amicus brief in the Ninth Circuit in support of an en banc petition to rehear a three-judge panel ruling for the Federal Trade Commission (FTC) in FTC v. AMG Capital Management, LLC, et al., No. 16-17197.

This case addresses the important issue of the power of the FTC to take businesses’ property without the due process protections Congress has placed around such confiscation. Here, for example, the FTC used Section 13(b) of the FTC Act to obtain a judgement of over one billion dollars against AMG Capital Management, LLC (AMG) for practices that the FTC (which began its investigation in 2002) never notified AMG were, in the FTC’s view, unlawful until it sued a decade later in 2012. Congress, however, only provided the FTC with power to obtain such relief under Section 19 of the FTC Act, which established a number of procedural safeguards that ensure companies’ ability to defend themselves, including a requirement that the FTC must prove that the defendant knew or should have known its actions were wrongful and a three-year statute of limitations. Section 13, on the other hand, was enacted so that the FTC could quickly get preliminary injunctive relief to stop a company from doing harm to consumers if it could show an ongoing, current violation.

The FTC, in keeping with the tropism of agencies to aggrandize their power beyond Congressional limitations, set out to persuade the judiciary that Section 13(b) allowed the agency, through “ancillary” relief under equity, to get the same confiscations Congress allowed under Section 19. The Ninth Circuit long ago accepted this argument. In this case, however, two Judges ruling for the FTC stated that they had to rule that way as precedent demanded it, but that the larger Ninth Circuit (by an en banc panel) should review the case and change that Circuit’s precedent in light of subsequent Supreme Court rulings, notably, Kokesh v. Securities and Exchange Commission, 137 S. Ct. 1637 (2017).

The amicus brief focuses on the long-term strategy of the FTC to lead the Courts astray on what Congress had allowed and not allowed by enacting specific sections of the FTC Act to do different things. The Washington Legal Foundation and the Chamber of Commerce also urged in amicus briefs that the Ninth Circuit take up this case to right a legal error of the past.

Our full amicus brief can be viewed here.

John J. Vecchione is President and CEO at Cause of Action Institute.