On January 5, 2017, the Federal Trade Commission (FTC) sued for permanent injunction a Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that D-Link’s inadequate security measures left its wireless routers and IP cameras used to monitor private areas of homes and businesses vulnerable to hackers, thereby compromising U.S. consumers’ privacy.

In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC’s allegation of consumer injury is limited to the statement that due to the lack of security, consumers “are likely to suffer substantial injury” and that, unless stopped by an injunction, D-Link is “likely to injure consumers and harm the public interest.”

In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s Section 5 powers have largely gone unchallenged by companies subject to enforcement action until Wyndham hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC’s jurisdiction in 2015. That challenge failed when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.Continue Reading Lessons from the FTC’s First Enforcement Action Against an IoT Company

The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive.  The new data privacy regime is expected to result in enhanced transparency, accountability, and individuals’ rights, while optimizing organizational approach to governance and management of data protection as a corporate issue.

The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations to not delay the preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.”  Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.

The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland.  However, organizations will find it useful when preparing for the GDPR anywhere in Europe.  The checklist is organized around the following twelve points.

Continue Reading The Irish Data Protection Commissioner Issues the GDPR Preparation Checklist