On January 5, 2017, the Federal Trade Commission (FTC) sued for permanent injunction a Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that D-Link’s inadequate security measures left its wireless routers and IP cameras used to monitor private areas of homes and businesses vulnerable to hackers, thereby compromising U.S. consumers’ privacy.

In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC’s allegation of consumer injury is limited to the statement that due to the lack of security, consumers “are likely to suffer substantial injury” and that, unless stopped by an injunction, D-Link is “likely to injure consumers and harm the public interest.”

In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s Section 5 powers have largely gone unchallenged by companies subject to enforcement action until Wyndham hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC’s jurisdiction in 2015. That challenge failed when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.


Continue Reading Lessons from the FTC’s First Enforcement Action Against an IoT Company