Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies due to their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers.  Recently, D-Link Systems Inc., a router manufacturer, successfully challenged the FTC’s position that a Section 5 claim can be supported based solely on the existence of a data security vulnerability without any evidence that the vulnerability was actually exploited resulting in consumer harm.

The FTC’s Authority. Under Section 5 of the FTC Act, the FTC can investigate and obtain injunctive and equitable relief against companies that engage in unfair or deceptive acts or practices.  To establish that a company’s practices are unfair, the FTC must show that the practices cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by them, and that is not outweighed by countervailing benefits to them.

The FTC’s Position is that “Unreasonable” Data Security Is an “Unfair” Practice. In its complaints, the FTC commonly alleges that a company’s unreasonable data security measures are an unfair act or practice that violates Section 5.  Typically, to support its position that consumers were harmed, the FTC points to evidence of both (a) a vulnerability created by the allegedly unreasonable data security practices, and (b) exploitation of such vulnerability to gain unauthorized access to data or systems.  It would seem that exploitation is necessary to create a nexus between a vulnerability and any consumer harm.  But, to the surprise of many, the FTC has also filed complaints against companies alleging only the existence of a vulnerability, without evidence that such vulnerability actually was exploited.  In at least two cases, the FTC has alleged that the risk of cyber attack from a vulnerability was alone enough to satisfy the Section 5 requirement that the practice “causes or is likely to cause substantial consumer injury.”

The FTC’s Case against HTC. In 2013, the FTC settled a case with HTC America over the company’s alleged deceptive statements and failure to employ reasonable and appropriate security in the software on certain mobile phones it manufactured.  According to the complaint, HTC “introduced numerous security vulnerabilities in the process of customizing [the operating system on] its mobile devices.”  The complaint alleged that malware “could exploit these vulnerabilities.” (emphasis added)  “Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm.”  The complaint did not allege that the vulnerabilities were actually exploited, but HTC did not challenge the complaint in court.

The FTC’s Case against D-Link. In early 2017, the FTC took this same position when it filed a complaint against D-Link in the Northern District of California.  D-Link manufactures routers, IP cameras, and other computer hardware.  The FTC complaint states that D-Link failed to take reasonable steps to protect certain devices it sold to consumers.  The FTC alleged that the unreasonable security left the devices and data on them vulnerable to “a significant risk of unauthorized access.”  The FTC listed several ways the vulnerabilities could be exploited and stated that media reports indicated that the devices may have been infected by malicious software.  In a rare occurrence, D-Link did not settle with the FTC, and it filed a motion to dismiss the complaint in federal court.

The Court Held that the Existence of a Vulnerability Alone Is Not “Substantial Consumer Injury.” D-Link argued that the FTC had failed to adequately allege actual, or even likely harm, as opposed to speculative harm.  The Court agreed, dismissed the FTC’s unfairness claim, and found that the FTC failed to identify a single incident involving the exploitation of the alleged vulnerabilities.  Instead, stated the Court, the FTC relied solely on a risk of potential attacks to constitute consumer harm, which indicated “a mere possibility of injury at best.”  The FTC can amend and reassert its unfairness claim.

The FTC Is Reassessing Its View of Consumer Harm in Data Security Cases. Acting FTC Chairman Maureen K. Ohlhausen, who dissented in filing the FTC’s D-Link complaint, has taken an interest in clarifying the consumer harm aspect of data security cases.  Acting Chairman Ohlhausen created an internal task force to study the economics of privacy and data security “to better understand the markets for consumer information, incentives for the various parties in that marketplace, and how to quantify costs and benefits of different actions that the FTC or others could take.”  The FTC will also hold a workshop December 12, 2017 to help it better understand consumer injury in the context of privacy and data security.

Criticism of the efforts by regulators and plaintiffs’ lawyers in data security-related cases has increased because they continue to bring cases against companies when the actual or potential harms are speculative at best. For example, lawsuits that follow breaches of only phone book information (e.g., name, address, and telephone number) may be seen as wasteful and distort companies’ effective risk management practices. As a result of the FTC’s defeat in federal court, the FTC may redirect its enforcement efforts to data breach cases that have resulted in demonstrable and substantial harm to consumers, rather than the mere risk of possible future harm. Companies should also consider participating in the workshop to help educate the FTC about the realities of data breaches and the consumer harm that may follow.