In January, we commented here about the Federal Trade Commission’s (“FTC”) enforcement action against D-Link Systems Corp. (Federal Trade Commission v. D-Link Systems Corp. et al., case number 3:17-cv-00039), in which, for the first time, the FTC initiated proceedings based on an entity’s alleged vulnerability to cyberattacks that left consumer data potentially exposed to unauthorized acquisition by third parties, even though the data had not been hacked and consumers had sustained no injury or damages. At the time, we noted that the enforcement action signified an attempt by the FTC to expand its regulatory powers under the unfairness prong of the “unfairness doctrine” to any organization that fails to employ reasonable measures to protect customer data, irrespective of whether such failure resulted in any actual harm to its customers.

In D-Link, the FTC alleged that D-Link failed to protect its router, camera and software products from foreseeable risks, which the FTC claimed made those products likely to cause substantial injury to consumers, in violation of section 5(a) of the FTC Act (15 U.S.C. § 45). In its complaint, the FTC asserted several claims against D-Link for deceptive practices and one claim for unfair practices. D-Link moved to dismiss.

Recently, in ruling on D-Link’s motion to dismiss, U.S. District Judge James Donato of the U.S. District Court for the Northern District of California issued a decision dismissing (with leave to amend) the FTC’s unfairness claim. At a minimum, the decision will require the FTC to reevaluate how it pleads claims under the unfairness prong that do not include allegations of actual harm to consumers. Furthermore, the decision may cast doubt on the FTC’s ability to successfully prosecute an organization under the unfairness prong if it cannot (1) demonstrate a breach and/or actual harm or (2) tie the organization’s alleged failure to employ reasonable security measures to protect data to a deception claim. (The court denied D-Link’s motion as to several of the deceptive practices claims that alleged misrepresentations about the security of the D-Link devices at issue. It dismissed two of the deceptive practices claims that did not sufficiently allege any misrepresentation.)

The unfairness doctrine, reflected in Section 5(a) of the FTC Act, is the basic consumer protection statute enforced by the FTC. It prohibits “unfair or deceptive acts or practices in or affecting commerce” and, in general, provides two independent grounds or prongs for enforcement actions brought by the FTC. Under the unfairness prong, an act or trade practice is considered unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. Section 45(n). Under the deceptive practices prong, a deceptive act or practice is a material representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment.

With respect to the FTC’s unfair practices claim, D-Link challenged the FTC’s general authority and jurisdiction to bring cyber-related enforcement actions and leveled several other broad-based attacks, all of which the district court rejected as either previously decided or without merit. In addressing D-Link’s specific attack on the plausibility of the FTC’s unfairness claim, however, the court reached a different conclusion that, in its view, required dismissal of the claim. In particular, the Court found that the FTC’s allegation of a “substantial likelihood” of risk to consumers, without any actual injury, was insufficient, noting:

The pleading problem the FTC faces concerns the first element of injury. The FTC does not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive personal data was accessed or exposed. Instead, the FTC relies solely on the likelihood that DLS put consumers at “risk” because “remote attackers could take simple steps, using widely available tools, to locate and exploit Defendants’ devices, which were widely known to be vulnerable.” Dkt. No. 1 ¶ 17; see also id. ¶ 18 (attacker “could compromise” a router and thereby “could obtain” tax returns or other sensitive files)…. The FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way, or whose IP camera has been compromised by unauthorized parties, or who has suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in the DLS devices. The absence of any concrete facts makes it just as possible that DLS’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor. Twombly, 550 U.S. at 557. D-Link at pp. 8-9.

The Court went on to observe that the FTC acknowledged that the complained-of security flaws had existed since 2011, suggesting that the absence of any compromised consumer records since then failed to support the FTC’s allegation of a substantial likelihood of harm to consumers. Moreover, because the FTC’s complaint divorced the unfair practices claim from the deceptive practices claims, presumably for the strategic purpose of establishing that it had the right to proceed on independent grounds under the unfairness prong, the Court stated that it could not sustain the unfairness claim based on any interconnection between the two sets of claims. The Court, however, granted the FTC leave to amend its complaint. If it does so, the FTC may seek to include allegations that tie the unfair practices claim to the allegations of the deceptive practices claims or, again, seek to proceed solely on the “substantial likelihood of risk of harm to consumers” aspect of the unfairness claim. If it elects the latter, it will likely need to allege additional facts to satisfy the Court that it has set forth a plausible claim for relief.

The Court’s decision in D-Link suggests there are limits to the FTC’s cybersecurity enforcement capabilities. Whether the decision is a watershed moment that identifies the outer limits of the FTC’s reach remains to be seen. For now, the scope of the decision should likely be limited to its facts and the particular pleading at issue. In that regard, it remains unclear whether, had the FTC been able to demonstrate with concrete facts that there was a substantial likelihood of risk to consumers’ records, the court would still have dismissed its unfairness claim in the absence of any harm to consumers. The fact that the alleged security flaws had existed since 2011 without any consumer records being compromised also seemed to undermine the FTC’s claim.

As additional courts grapple with similar claims brought by the FTC, the question of whether it must allege an actual data breach and/or harm to consumers will come into focus. In the interim, organizations should continue to ensure that they are implementing reasonable measures to protect their customers’ data and following the best practices that apply to them and their respective industries, to avoid triggering potential enforcement actions and liability under Section 5(a) of the FTC Act.