Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Privacy & Security Litigation

Court Trims FTC Complaint Asserting Deception and Unfairness Claims

Last week, the U.S. District Court for the Northern District of California dismissed three of six claims the Federal Trade Commission (FTC) asserted against D-Link Systems (D-Link) related to its sale of routers and IP cameras and related software and services.  The decision has implications for the pleading standards courts use to evaluate such claims at the motion to dismiss stage and for the FTC’s assertion of unfairness claims based on alleged likelihood of substantial consumer harm.

The FTC initially filed suit against D-Link and its Taiwanese parent corporation in January 2017.  The FTC alleged that D-Link failed to take reasonable steps to secure the routers and IP cameras it sold to consumers, and that while D-Link marketed these products as being secure, the company failed to protect them from widely known and reasonably foreseeable security risks.  As a result of these alleged shortcomings, the FTC asserted that D-Link’s products were vulnerable to attack, creating a “significant risk” that consumers’ personal information and local networks would be compromised.  The complaint asserted a single unfairness claim and five deception claims under Sections 5(a) and 5(n) of the FTC Act.  While D-Link moved to dismiss the complaint for failure to state a claim upon which relief could be granted, D-Link’s parent company, based in Taiwan, argued the suit should be dismissed for lack of personal jurisdiction.  The jurisdictional issue was resolved when the parties stipulated to dismissal of the parent corporation from the case without prejudice.  The court then issued its decision on D-Link’s motion to dismiss.

The court first held that the five claims alleging deception under the FTC Act sounded in fraud and therefore had to meet the heightened pleading requirements under Federal Rule of Civil Procedure 9(b).  In so holding, the court entered a split between courts across the country, adding further persuasive weight to decisions that have held that Rule 9(b) applies to FTC deception claims premised on alleged false or misleading statements.  The court’s application of Rule 9(b) showed that the heightened pleading requirements had some bite.  The court found that the FTC’s allegations with respect to two of the five deception claims fell short of that standard: the FTC failed to allege facts showing the “who, what, when, where, and how” of D-Link’s purported misconduct regarding alleged misrepresentations for IP cameras and graphical user interfaces for routers.  But for the other three deception claims—based on alleged misrepresentations regarding D-Link’s data security policies and practices and other alleged misrepresentations regarding its routers and IP cameras—the court found that the FTC’s allegations satisfied Rule 9(b).

With respect to the FTC’s unfairness claim, the court refrained from deciding whether Rule 9(b)’s heightened requirements applied to that claim because it found that it failed under Rule 8’s general pleading standard.  As an initial matter, the court rejected D-Link’s arguments that challenged the FTC’s authority to assert an unfairness claim as well as the FTC’s basis for bringing such a claim.  But the Court agreed with D-Link that the FTC’s complaint did not adequately allege one of the essential elements of an unfairness claim—that the act or practice at issue “causes or is likely to cause substantial injury to consumers.”   The court underscored the FTC’s reliance on conclusory allegations about the risk of future harm consumers faced.  The FTC never alleged that consumers’ personal information or networks had actually been improperly accessed.  And according to the court, the FTC’s allegations amounted to a “mere possibility of injury at best,” and it was “just as possible” that D-Link’s devices would not cause substantial injury to consumers.  The latter was all the more likely because the alleged security flaws the FTC identified dated back to 2011 without any apparent incident.

The court’s skepticism about the FTC’s theory of harm has important implications for future litigation where the agency seeks to base an unfairness claim on risk of future harm untethered to any actual misuse or exposure.  The court, however, dismissed the unfairness claim and the two deception claims without prejudice and gave the FTC the opportunity to file an amended complaint.  It remains to be seen whether the FTC will attempt to cure the pleading deficiencies the court identified and if the court will find that those changes are sufficient to get past the motion to dismiss stage.

It also remains to be seen whether the FTC will tweak the theory of harm underlying its unfairness claim in an effort to satisfy the FTC Act’s injury requirement.  The court suggested just that, explaining that if the FTC “had tied the unfairness claim to the representations underlying the deception claims, it might have had a more colorable injury element.”  According to the court, a consumer’s purchase of a device that is not reasonably secure would “likely be in the ballpark” of substantial consumer injury.  The FTC will have to make these decisions about if and how it will amend its complaint ahead of its December 2017 workshop about consumer injury and enforcement priorities.  If the FTC does file an amended complaint against D-Link, that complaint may provide a preview of how the agency is thinking about these issues.