On Tuesday, August 6, 2019, the U.S. District Court for the Northern District of California entered a consent order between the Federal Trade Commission (“FTC”) and D-Link Systems, Inc., a U.S. company that is a global leader in connectivity for home, small business, mid- to large-sized enterprise environments, and service providers, resolving an FTC lawsuit alleging that D-Link Systems’ security practices violated Section 5 of the FTC Act.  The D-Link Systems order marks the close of the first ever litigated FTC action over the application of Section 5 to the security practices used for Internet of Things (“IoT”) devices.  This result is good for D-Link Systems, and good for the FTC.

I.  FTC v. D-Link Litigation Background

The D-Link Systems order resolves the FTC Complaint brought in January 2017.  The Commission authorized its filing by a 2-1 vote, over the dissent of Honorable then-Commissioner Maureen K. Ohlhausen.  Importantly, the Complaint did not allege that any actual data breach occurred or that any identifiable person was harmed in any way by the company’s alleged security practices, nor did the FTC pursue such a claim in litigation.  There were also no allegations of mishandling or misuse of customer information or any privacy violations in the FTC’s action.

In September 2017, the Court dismissed FTC’s “unfairness” claim, noting that there was no allegation of “any actual consumer injury in the form of a monetary loss or an actual incident where sensitive personal data was accessed or exposed.”[1]  The Court also dismissed two “deception” claims at the pleading stage.  Although the Complaint initially named D-Link Systems’ Taiwan-based parent, it was dismissed from the case in May 2017 by agreement of the parties pursuant to the Court Order and is not a party to the settlement.  The matter proceeded past the summary judgment stage without a finding of liability against D-Link Systems, as neither side prevailed on its cross-motion.[2]

II. The Groundbreaking Consent Order

A Commitment to Continue Industry Leading Data Security Practices

Against this backdrop, the matter was resolved, without any liability finding on the part of D-Link Systems, by a consent order that contractually advances the parties’ shared goal of protecting the security of IoT products in a constructive way.  As we will discuss in upcoming blog posts, this is significant, given the ongoing debate over this issue in FTC consent orders.

At the heart of the consent order is D-Link Systems’ agreement that it will “continue with” its current “comprehensive software security program,” which furthers this mutual goal.  Because robust security practices were voluntarily adopted for the products D-Link Systems sells long before the consent order, the order effectively further memorializes D-Link Systems’ commitment to continuing to use industry best practices, such as sophisticated pre- and post-release testing as well as the use of evidence-based internal and external assessments to continuously improve its security practices.  In essence, under the no-fault consent order, D-Link Systems agrees with FTC to continue doing what it has already been doing.

The order differs from prior FTC data-security consent orders in several important ways.  First, the order sets forth in greater detail than prior FTC consent orders the state-of-the-art security practices and rigorous security program that the company already had in place, providing a roadmap for continued compliance.[3]  In addition, the consent order allows D-Link Systems another pathway to compliance: D-Link Systems has the option of using a state-of-the-art industry security standard, IEC 62443-4-1, or another suitable industry standard of its choice, if approved by FTC, to meet its obligations under the consent order.  This provision balances the need for certainty as to the company’s obligations with the need for flexibility to innovate and adapt to changes in technology, providing D-Link Systems with the freedom to continually improve its products and practices in this rapidly changing area.

The consent order is also only the second time FTC has granted a company safe harbor.  This means, if D-Link Systems successfully obtains an evidence-based certification from a third-party security expert that an approved industry standard has been complied with, D-Link Systems is deemed to be in compliance with the order’s “comprehensive software security program” requirement for a period of two years moving forward.  If D-Link Systems wishes to significantly change its practices after an assessment, it must obtain a certification from the assessor that the changed practice is compliant.  The consent order thereby expressly links compliance with the software security program requirement to successful completion of the required biennial assessments, providing certainty as to how the obligations must be met – the necessary certainty for a company to continue to comply with obligations to consumers while they continue to innovate.

No Marketing Restrictions, No Privacy Provisions

The D-Link Systems order also contrasts sharply with FTC’s other consent orders with IoT companies, which include very broad restrictions on what those other companies may say about their products.  Unlike past cases where FTC had alleged “deception,” the D-Link Systems order contains no restrictions about the marketing statements D-Link Systems can make about the security of its products.  Likewise, unlike most FTC consent orders, the D-Link Systems order does not impose any obligations upon D-Link Systems regarding “covered information,” which reflects that D-Link Systems was not alleged to have mishandled any such privacy information or to have engaged in privacy violations.

Significantly Shorter Duration

In contrast to most FTC data security consent orders, this order is also generally shorter in duration.  For example, although most orders require biennial assessments for a period of twenty (20) years, the D-Link Systems consent order only requires these assessments for ten (10) years.  Except for D-Link Systems’ agreement to “continue with” its “comprehensive software security program” for twenty (20) years (unless it chooses to cease to sell consumer routers and IP cameras), and the linked annual certification provision, all other provisions of the consent order terminate in ten (10) years or less.  This stands in stark contrast to other FTC data security consent orders in federal court, which are permanent, and other administrative consent orders in data security and privacy cases, which last for at least twenty years.

The appropriate length of FTC consent orders in data security matters is hotly contested, in part because there are sound reasons why these orders should be for a shorter duration of ten (10) years or less – such as the reality that technology and the associated legal landscape continue to evolve in this rapidly changing area.  As the ABA Section of Antitrust Law has explained: “Especially in areas where technology is rapidly evolving, order provisions that make sense when they are entered may no longer be appropriate in 10 years, let alone 20 years later, and may serve to chill innovative and useful corporate practices.”[4]  Accordingly, D-Link Systems has informed the Court of its intent to respectfully request that the Court exercise its discretion to terminate the remaining provisions in the order after ten years of compliance.

A Carefully Constructed, Bespoke Remedy in Data Security Policy

The D-Link Systems consent order reflects a well-intentioned ongoing learning process.  In a recent joint statement issued in connection with another FTC matter, Honorable FTC Commissioners Noah Joshua Phillips and Christine S. Wilson thoughtfully remarked: “Our view is that remedies have a purpose; that experience and learning tell us how best to use them; and that more is not necessarily better. The Commission has an obligation to ensure that the relief in our orders is tailored carefully to the facts and circumstances of each matter—just because we can seek and obtain a particular remedy does not mean that we should.”[5]  This sentiment encapsulates the ethos of the parties’ amicable and constructive agreement to settle this matter, which was never a zero-sum game because sound software security practices and product security remain a priority for all involved.  That is the message this case sends.

In the end, the D-Link Systems consent order represents a welcome intersection of good business and sound public policy in the important area of data security and technology, which benefits the consuming public.  It accomplishes this by carefully tailoring its provisions to suit the facts and circumstances of this specific matter involving a good corporate citizen like D-Link Systems that cares about its customers, thereby achieving the consent order’s forward-looking purpose of benefitting consumers in the real world.  This is a net benefit for all involved.

Moving forward, this consent order may provide guidance both as to what good IoT companies can do to secure their products, as well as what FTC expects of the industry.  The consent order’s appropriate emphasis on the continuation of top-notch security practices—including rigorous, evidence-based outside assessments by third-party experts to facilitate continuous improvements—also underscores why there is no need whatsoever for the creation of any new and unusual federal administrative bodies in the areas of data security, privacy, and technology.

John J. Vecchione is President and CEO at Cause of Action Institute. Michael Pepson is Special Counsel for Administrative Law at Cause of Action Institute. Jessica L. Thompson is Counsel at Cause of Action Institute. Cause of Action Institute has represented D-Link Systems in this matter since January 2017.

[1] FTC v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 U.S. Dist. LEXIS 152319, at *14 (N.D. Cal. Sep. 19, 2017).

[2] FTC v. D-Link Sys., Inc., No. 17-cv-00039-JD, 2018 U.S. Dist. LEXIS 199023 (N.D. Cal. Nov. 5, 2018).

[3] This is a feature, not a bug.  Some press reports imply that specificity in an order is an onerous burden on the agency while vagueness aids a company’s ability to comply.  Quite the opposite is true.  See FTC v. LabMD, 894 F.3d 1221 (11th Cir. 2018) (finding the FTC’s enforcement order void for vagueness).

[4] ABA Section of Antitrust Law, Presidential Transition Report: The State of Antitrust Enforcement, 30 (January 2017), https://www.americanbar.org/content/dam/aba/publications/antitrust_law/state_of_antitrust_enforcement.pdf

[5] Joint Statement of Commissioners Noah Joshua Phillips and Christine S. Wilson, U.S. v. iSpring Water Systems, LLC. et al. Matter No. C4611 (April 12, 2019) (emphasis in original), https://www.ftc.gov/system/files/documents/public_statements/1513499/ispring_water_systems_llc_c4611_modified_joint_statement_of_commissioners_phillips_and_wilson_4-12.pdf