FTC Settles Data Security Case
Alerts
July 22, 2019

On July 2, 2019, the Federal Trade Commission (FTC) announced a settlement with smart home products manufacturer D-Link regarding allegations that D-Link misrepresented the security of its wireless routers, modems, and security cameras that had been marketed for use in consumers' homes.[1]

The D-Link settlement is another example of the FTC imposing more specific requirements as part of the comprehensive security programs it mandates to settle claims of alleged failures to provide reasonable security controls. (Our June 2019 WSGR Alert discusses the DealerBuilt settlement, where the FTC imposed obligations that went beyond any previous settlement.) In D-Link, the FTC goes even further, requiring D-Link to agree to specific injunctive relief under which it cannot sell, distribute, or host on its website certain software in a particular manner and must provide appropriate notices to consumers regarding firmware updates for its devices.[2]

In addition, for the first time, the FTC incorporated the International Electrotechnical Commission's (IEC's) standards on secure product development lifecycle requirements in the settlement as an "approved standard." By doing so, it appears that the FTC is willing to consider accepted industry standards in determining what constitutes appropriate technical security safeguards.

Background

During summer 2016, a security flaw in a D-Link Wi-Fi product was discovered that allowed remote execution of code capable of overwriting administrator passwords, adding new users with administrative access, downloading malicious firmware, or reconfiguring home Wi-Fi cameras, routers, and modems; it affected over 400,000 devices on the market.[3]

On January 5, 2017, the FTC filed suit in federal district court, alleging that D-Link violated Section 5 of the FTC Act by failing to adequately secure routers and IP cameras that it sold and by deceptively marketing the devices as possessing "advanced network security" software.[4] The FTC alleged that D-Link repeatedly failed to implement reasonable software testing and remediation measures to protect its devices against well-known industry flaws, utilized the same hard-coded user credentials across devices—which were easy to guess and could not be changed in the event hackers discovered the default credentials—and provided software to consumers with backdoor vulnerabilities and command injection flaws. The FTC also alleged that D-Link failed to protect the administrative private key that gave access to D-Link devices, resulting in the exposure of the private key on a public website and potentially allowing consumers to download third-party malware. Further, D-Link allegedly stored users' mobile app login credentials in clear, readable text on users' devices.

In response, D-Link filed a motion to dismiss all of the claims under Federal Rules of Civil Procedure 12(b)(6), 9(b), and 8(a).[5] On September 19, 2017, the court issued a mixed ruling, granting D-Link's motion to dismiss three of the six claims but allowing three deception claims to proceed.[6] The court ruled that the FTC failed to adequately plead harm because the allegations only asserted a "likelihood" that D-Link's conduct put consumers at risk of "remote attackers," which the court determined constitutes "a mere possibility of injury at best."[7] (Our November 2017 issue of the WSGR Data Advisor discusses the court's ruling on D-Link's motion to dismiss.) On November 5, 2018, the court rejected the parties' cross-motions for summary judgment, finding "a panoply of genuine disputes of material fact … particularly [as to] the claim of consumer deception that is at the heart of the FTC's complaint."[8]

Key Takeaway No. 1: The Settlement Builds on the FTC's Practice of Mandating Specific Conduct Related to Security Programs

To resolve this case, D-Link agreed to implement and maintain for 20 years a "comprehensive software security program." Several of the new security program requirements were also included in three settlements that the FTC announced earlier in 2019.[9] For example, D-Link must document its security program in writing; provide a written copy of the security program and annual updates to its board of directors or governing body; perform internal security risk assessments at least once every 12 months, and modify its security program based on the results; test and monitor the effectiveness of its safeguards at least once every 12 months; and require senior management to provide annual compliance certifications to the FTC.

The D-Link settlement implements additional specific requirements for the security program, including:

  • engaging in security planning by documenting in writing how functionality and features will affect the security of its devices;
  • performing threat modeling to identify risks to the security of data transmitted via its devices;
  • engaging in code review prior to every release of software for its devices through the use of automated static analysis tools;
  • maintaining a database of shared code to help find all instances of vulnerabilities when a vulnerability is reported or otherwise discovered;
  • pushing automatic firmware updates directly to devices that are configured to receive automatic firmware updates;
  • providing a clear and conspicuous notice to consumers who registered their device and on the product information page on D-Link's website, at least 60 days prior to ceasing security updates, if the device was scheduled to no longer receive firmware updates; and
  • conducting biennial security training for personnel and vendors responsible for developing, implementing, or reviewing its devices' software.

Further, the D-Link settlement includes specific conduct provisions prohibiting D-Link from selling, distributing, or hosting on its website IP camera set-up wizard software that allows the consumer to enter a password to secure the consumer's camera where that password had previously been set by D-Link. The D-Link settlement also mandates that D-Link provide clear and conspicuous notice to all consumers who registered particular devices, through communications channels designated by those consumers, with instructions for updating their devices with the latest firmware.

Key Takeaway No. 2: The FTC Labels Standards Established by the International Electrotechnical Commission as an "Approved Standard" in Verifying D-Link's Compliance with the Order

The FTC also required D-Link to obtain initial and biennial third-party security assessments by a qualified certified secure software lifecycle professional for 10 years. Like the three earlier data security settlements in 2019, the FTC requires, among other things, that the assessor must sign the assessment and state that it has conducted an independent review of the information security program; retain all documents relevant to the assessment for five years after its completion and make these materials available to the FTC if requested to do so; and not withhold documents from the FTC on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, or attorney client privilege.

Unlike the other 2019 security settlements, the FTC designated a standard—the IEC's standards on secure product development lifecycle requirements—which D-Link may elect to use as an "approved standard" for the third-party assessor's verification of compliance with the security program mandated in the settlement. The IEC is a multidisciplinary organization composed of 20,000 experts across industry, academia, and government that sets industry best practices for electronics and related technologies.[10] Among other activities, the IEC frequently releases white papers and area-specific technical guides for data security procedures and proper data handling practices.[11]

While this is not the first time that the FTC has incorporated industry standards in a settlement order,[12] the inclusion of the IEC's standards demonstrates that the FTC is evaluating and keeping abreast of standards developed with input from various stakeholders, including professional societies, trade associations, regulators, consumers, and standards developers. As a result, many of the safeguards that D-Link agreed to implement align with industry standards for data handling and minimize the extent to which D-Link must implement extraneous measures.

Conclusion

While the FTC required D-Link to agree to specific technical security safeguards and permit extensive auditing of such safeguards, the FTC also included industry-developed standards that could be used for the auditing of compliance with the mandated security program. As the FTC continues to issue increasingly rigorous data security orders, it may be willing to incorporate industry guidelines—like the IEC standards—into its data security orders. Companies should consider such standards in developing security programs to minimize the potential for security incidents or subsequent regulatory scrutiny.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and has successfully represented numerous clients in FTC privacy and data security investigations. For more information, please contact Lydia Parnes, Chris Olsen, Beth George, Allison Bender, or another member of the firm's privacy and cybersecurity practice.

Megan Kayo and Edward Ruse contributed to the preparation of this WSGR alert.


[1] Press Release, FTC, "D-Link Agrees to Make Security Enhancements to Settle FTC Litigation," July 2, 2019, https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation.
[2] Fed. Trade Comm'n v. D-Link Sys., Inc., No. 3:17-cv-00039-JD (N.D. Cal. July 2, 2019).
[3] Charlie Osborne, "Security flaw in D-Link Wi-Fi products exposed 400,000 devices," ZDNet, July 8, 2016, https://www.zdnet.com/article/security-flaw-in-120-d-link-wi-fi-iot-products-can-be-exploited-with-one-click/.
[4] Complaint for Permanent Injunction and Other Equitable Relief, D-Link, No. 3:17-cv-00039-JD (N.D. Cal. Jan. 5, 2017).
[5] Motion to Dismiss, D-Link, 2017 U.S. Dist. LEXIS 152319 (N.D. Cal. Apr. 3, 2017).
[6] D-Link, 2017 U.S. Dist. LEXIS 152319 (N.D. Cal. Sept. 19, 2017).
[7] Id. at *15.
[8] D-Link, 2018 U.S. Dist. LEXIS 199023, at *2 (N.D. Cal. Nov. 5, 2018).
[9] See, e.g., FTC Decision and Order, In the Matter of Lightyear Dealer Technologies, LLC, d/b/a DealerBuilt, https://www.ftc.gov/system/files/documents/cases/172_3051_dealerbuilt_decision_order.pdf; see also FTC Decision and Order, In the Matter of James V. Grago, Jr., individually and d/b/a ClixSense.com, https://www.ftc.gov/system/files/documents/cases/172_3003_-_clixsense_order_final.pdf; United States of America v. Unixiz, Inc. et al., No. 5:19-cv-2222 (N.D. Cal. Apr. 24, 2019).
[10] International Electrotechnical Commission, https://www.iec.ch/about/activities/standards.htm (last visited July 8, 2019).
[11] Id.
[12] The FTC order settling claims of deceptive and unfair acts related to data security against Wyndham included the Payment Card Industry Data Security Standard as an approved standard. Fed. Trade Comm'n v. Wyndham Worldwide Corp. et al., 799 F.3d 236 (3d Cir. 2015).