On January 5, 2017, the Federal Trade Commission (FTC) sued D-Link Corporation, a Taiwan-based manufacturer of computer networking equipment, and its U.S. subsidiary, seeking a permanent injunction. The FTC alleged that D-Link’s inadequate security measures left its wireless routers and IP cameras, which are used to monitor private areas of homes and businesses, vulnerable to hackers, thereby compromising U.S. consumers’ privacy.

In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC’s allegation of consumer injury is limited to the statement that due to the lack of security, consumers “are likely to suffer substantial injury” and that, unless stopped by an injunction, D-Link is “likely to injure consumers and harm the public interest.”

In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s Section 5 powers had largely gone unchallenged by companies subject to enforcement action until Wyndham hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC’s jurisdiction in 2015. That challenge failed when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.


Continue Reading Lessons from the FTC’s First Enforcement Action Against an IoT Company

The Commission on Enhancing National Cybersecurity, established by President Obama, has released its much-awaited Report on Securing and Growing the Digital Economy (December 1, 2016). The Commission was tasked with assessing the state of our nation’s cybersecurity and developing actionable recommendations for securing the digital economy, while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the development of new technical solutions.

The Commission sought to examine what is working well, what represents a challenge, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors. The Commission found that while the interconnectedness of the digital ecosystem creates unparalleled value for society, technological advancement is outpacing security and will continue to do so unless the government and the private sector change how they approach and implement cybersecurity strategies and practices.

Among the observed challenges, the Commission pointed out that technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity. One example is the widely used Internet of Things (IoT) devices, ranging from pacemakers to fitness trackers to smart home devices, many of which do not provide sufficient security.

Another challenge is mobile working environments. The Commission observed that the days when employees performed work only at an office, using an organization-issued (and controlled) desktop computer, are gone, yet many organizations fail to properly secure mobile devices. Moreover, today, no organization is an island, and few are able to function without connecting to vendors, customers, and partners in multiple global supply chains. These developments are making the classic concept of the security perimeter largely obsolete.


Continue Reading New Report from the Commission on Enhancing National Cybersecurity Calls for Government-Industry Collaboration