Earlier this month, the Northern District of California dismissed FTC’s unfairness claims against D-Link, a manufacturer of routers and IP cameras, while allowing most of FTC’s claims rooted in deception to survive, suggesting that traditional false advertising actions may be FTC’s most effective means of addressing suspect data security practices. Further, the Northern District of California’s decision to dismiss the unfairness claims shows this court’s unwillingness to entertain data security actions rooted in the FTC’s unfairness prong, without concrete harm.
Deception
FTC filed suit against D-Link in January of this year, alleging that the company engaged in both deceptive and unfair practices based on D-Link’s claimed flimsy data security practices. Specifically, the FTC alleged that D-Link engaged in deceptive practices by marketing sophisticated and state-of-the-art security provided with its products, while simultaneously failing to protect users from “widely known and reasonably foreseeable risks of unauthorized access.” For example, D-Link touted that its products featured “the latest wireless security features to help prevent unauthorized access” and offered the “best possible encryption.” But in practice, according to FTC’s pleadings, D-Link failed to take “easily preventable measures” against “hard-coded user credentials and other backdoors.” And, the Northern District held, these accusations were sufficient to plead a deception claim under the FTC Act. However, where the company did not specifically market its data security practices, its advertising was not deceptive – such as in a brochure where D-Link described the camera as a “surveillance camera” for the “home or small office.” Indeed, where D-Link did not refer to its digital security, the court would not imply messages about the state of that security.
Unfairness
Notably though, the Northern District dismissed FTC’s claims that, because D-Link failed to provide adequate data security, it engaged in unfair practices. Specifically, the court found that, because the FTC could not plead actual harm, it had not sufficiently pled a violation of the FTC Act. FTC was unable, the court noted, to show any “monetary loss or an actual incident where sensitive personal data was accessed or exposed.” It was not enough to plead that D-Link put customers at risk.
The Northern District did not, however, completely close the door on potential unfairness claims against D-Link. Choosing to dismiss the claims without prejudice, the Northern District noted that “[i]f the FTC had tied the unfairness claim to representations underlying the deception claims, it might have had a more colorable injury element.” Accordingly, where a company does not make affirmative representations about its data security practices, a court will likely be reluctant to find a violation of the FTC Act without concrete injury.