Menu

FTC Brings Action Against D-Link in Ongoing Effort to Secure the Internet of Things

Cybersecurity and Privacy   |   Technology   |   January 9, 2017
Download   
Share Page

One area of concern for data privacy and cybersecurity professionals is the security of the Internet of Things, which refers to the digitally connected smart devices present in almost every aspect of our lives and growing exponentially in number every day. Though it has tremendous upside and potential for consumers and businesses, the Internet of Things has proven vulnerable to hackers and cybercriminals who have used these devices to cause disruption and steal personal information. To give a recent example, in October 2016, hackers took control of hundreds of thousands of Internet-connected devices and used them to send a flood of traffic to the websites of several major businesses including, Twitter, Netflix, and The New York Times, making them inaccessible for several hours.

FTC v. D-Link

In an ongoing effort aimed at making the Internet of Things more secure, the Federal Trade Commission (FTC) filed a complaint last week against D-Link, a Taiwan-based computer networking equipment manufacturer, for alleged security flaws in its wireless routers and Internet cameras that left the devices vulnerable to hackers. According to the complaint, while advertising that its products were “easy to secure” and had “advanced” network security features, D-Link’s devices suffered from well-known and easily preventable security flaws, such as having hard-coded user credentials on devices and keeping mobile app login credentials in readable text form. According to the FTC, these practices were deceptive under section 5 of the FTC Act.

While the complaint does not specifically identify any hack or breach involving D-Link devices, it gives examples of how these vulnerabilities put consumers’ sensitive personal information at risk and alleges that the risk of hackers exploiting these vulnerabilities is “significant.” To succeed, the FTC must show that these devices caused or are likely to cause substantial injury to consumers.

With this action, D-Link joins a growing list of manufacturers that have found themselves in the crosshairs of the FTC’s ongoing efforts to make the Internet of Things more secure. The FTC previously brought actions against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras, resulting in settlement agreements. Smart device manufacturers and related software developers can expect to see additional enforcement actions, particularly for commonly-hacked devices such as routers and modems that act as a bridge to the Internet and are often the first line of defense for other devices.

Takeaways

To avoid such actions, the FTC has issued a guidance on the Internet of Things, detailing steps businesses can take to enhance and protect consumers’ privacy and security. Manufacturers and software developers are encouraged to review and incorporate these guidelines into their products and devices to the extent feasible. The IoT guidance can be found here.

Another lesson to glean from this case is to be mindful in marketing and advertising products to consumers. If a company advertises a product as easy to secure and keep safe, it had better be both. Companies that over-sell or over-promise security, safety, or privacy may find themselves subject to an FTC enforcement action.

Lastly, this case shows the risk involved in trying to address privacy and security concerns in products after they have entered the market. While hindsight is always 20/20, the best course of conduct would be to incorporate as much privacy and security in the design of a product before it hits the market. If more companies do that, we will be one step closer to making the Internet of Things more secure.


©2019 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.