A district court judge has dismissed an “unfairness” claim included in the FTC’s complaint against D-Link, a connected devices manufacturer selling routers and internet-connected cameras. The FTC had made the claim without alleging that any consumers were actually harmed by the alleged cybersecurity vulnerabilities in D-Link’s products. In dismissing the allegation, the district court determined that the FTC had failed to allege facts that would allow the court to conclude that consumer harm was a likely result of D-Link’s security practices, even though the FTC had thoroughly investigated the practices and alleged the issues were longstanding.
Earlier this year, the FTC filed a complaint against D-Link. Citing alleged security flaws that the FTC claimed exposed consumers who used D-Link’s products to hackers, the FTC’s complaint charged D-Link with six violations of the FTC Act. The first count of the FTC’s complaint claimed D-Link engaged in an unfair trade practice when it sold allegedly vulnerable products to consumers. The other five counts were based on security-related misrepresentations allegedly made by D-Link the course of marketing its products.
At the time it was filed, the D-Link complaint attracted significant attention from observers who noted that the FTC brought the complaint without alleging any consumers were actually harmed by using D-Link’s products. Instead, the FTC argued only that “[c]onsumers are likely to suffer substantial injury” as a result of D-Link’s actions. See Compl. at ¶ 46. Notably, a few months before the complaint was filed against D-Link, the FTC had received an unfavorable opinion on a similar theory of harm from the Eleventh Circuit Court of Appeals in the LabMD case. LabMD v. FTC, 678 Fed.Appx. 816 (11th Cir. 2016). In that decision, the Eleventh Circuit stayed the FTC’s order against LabMD, suggesting that LabMD was likely to succeed in its argument that the FTC had misinterpreted its authority to bring actions for “unfair” trade practices based only on a likelihood of consumer harm. Id. at 821 (“In other words, we do not read the word ‘likely’ to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.”). Following that opinion, the D-Link complaint was filed over the dissenting vote of then-Commissioner Ohlhausen, who now serves as the Acting Chairman of the FTC.
In an order dated September 19, 2017, Judge James Donato from the Northern District of California dismissed three of the six counts in the FTC’s complaint. The Court dismissed two of the alleged misrepresentation-related counts, holding that the FTC had failed to plead them with sufficient particularity. See Order re: Motion to Dismiss, 3:17-CV-00039:JD, 5 (Sept. 19, 2017). Specifically, the Court determined that the FTC had failed to identify statements in certain complained-of materials that would be “likely to mislead consumers,” while also failing to allege when other, “more plausibly deceptive statements . . . were made.” Id. at 5-6. Three other misrepresentation counts survived the motion to dismiss.
The Court then assessed the FTC’s claim that D-Link’s failure to implement reasonable security measures was “unfair” to consumers. Id. at 8. Quoting from Section 5(n) of the FTC Act, the Court noted that an unfair act or practice is one that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Id. (citations omitted). The FTC’s complaint, the Court felt, did not adequately plead conduct that met this standard. Instead, the FTC relied on an argument that “DLS put consumers at ‘risk’ because ‘remote attackers could take simple steps, using widely available tools, to locate and exploit Defendants’ devices, which were widely known to be vulnerable.’” Id.
This claim, the Court decided, ultimately failed to allege anything more than “a mere possibility of injury at best.” Id. Without “concrete facts” showing harm to consumers, the Court argued that it might be “just as possible that DLS’s devices are not likely to substantially harm consumers.” Id. at 9. Indeed, the Court noted that the FTC had already conducted “a thorough investigation before filing the complaint” and claimed that the “challenged security flaws” had existed for years. Id. at 9. Although the Court suggested the FTC’s claim of unfairness could have survived a motion to dismiss if it was tied to the “representations underlying the deception claims,” it dismissed the stand-alone unfairness count as “ultimately untenable.” Id. at 9.
The Court’s focus on the absence of evidence of actual consumer harm in a case involving a through FTC investigation and a long-standing potentially harmful condition echoes the concerns raised by the Administrative Law Judge who dismissed the FTC’s claim against LabMD in 2015. In that decision, the ALJ rejected the FTC’s argument that exposure of sensitive information created an ongoing substantial risk of consumer harm, in part because seven years had passed “since the exposure” of the information without any “evidence that identity theft has occurred” as a result. In re LabMD, Dkt. No. 9357, 64 (Nov. 13, 2015). Accordingly, the ALJ concluded, the evidence did not show that the incident was “likely to cause” harm to consumers. Id. at 65.
Taken together, the LabMD and D-Link cases suggest an emerging set of limits on the FTC’s ability to bring “unfairness” claims based on poor security without demonstrating that any shortcomings were exploited to harm consumers. Indeed, Acting Chairman Ohlhausen has suggested the FTC may steer away from similar enforcement actions in the future. In her speech to the 2017 ABA Consumer Protection Conference, Acting Chairman Ohlhausen announced an intention to focus on “concrete consumer injury,” arguing that “[t]he agency should focus on cases with objective, concrete harms such as monetary injury and unwarranted health and safety risks. The agency should not focus on speculative injury, or on subjective types of harm.” Unfairness claims similar to the one made against D-Link may become increasingly uncommon, at least for now, as a result.