Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies due to their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers. Recently, D-Link Systems Inc., a router manufacturer, successfully challenged the FTC’s position that a Section 5 claim can be supported based solely on the existence of a data security vulnerability without any evidence that the vulnerability was actually exploited resulting in consumer harm.
The FTC’s Authority. Under Section 5 of the FTC Act, the FTC can investigate and obtain injunctive and equitable relief against companies that engage in unfair or deceptive acts or practices. To establish that a company’s practices are unfair, the FTC must show that the practices cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by them, and that is not outweighed by countervailing benefits to them.
The FTC’s Position is that “Unreasonable” Data Security Is an “Unfair” Practice. In its complaints, the FTC commonly alleges that a company’s unreasonable data security measures are an unfair act or practice that violates Section 5. Typically, to support its position that consumers were harmed, the FTC points to evidence of both (a) a vulnerability created by the allegedly unreasonable data security practices, and (b) exploitation of such vulnerability to gain unauthorized access to data or systems. It would seem that exploitation is necessary to create a nexus between a vulnerability and any consumer harm. But, to the surprise of many, the FTC has also filed complaints against companies alleging only the existence of a vulnerability, without evidence that such vulnerability actually was exploited. In at least two cases, the FTC has alleged that the risk of cyber attack from a vulnerability was alone enough to satisfy the Section 5 requirement that the practice “causes or is likely to cause substantial consumer injury.”
Continue Reading Court Deals Blow to FTC’s Position on Unfair Data Security Practices