Is there a duty of device security? U.S. regulator fires warning shot over obligations of IoT manufacturers
A complaint filed by the U.S. Federal Trade Commission (the “FTC”) against D–Link Corporation, a Taiwanese computer networking equipment manufacturer, and its U.S. subsidiary (collectively, “D–Link”) is raising questions about the extent of responsibility that networking equipment manufacturers may have for the security of their products, and how much of that responsibility rests with consumers and end users.
On January 5, the FTC filed a complaint in the U.S. District Court in the Northern District of California, alleging that D–Link failed to take reasonable steps to secure its routers and internet–based cameras. The mandate of the FTC is to promote competition and to protect and educate consumers. The agency may file a complaint when it has a reason to believe that the law has been or is being violated, and it appears that proceeding would be in the public interest. The FTC has used its broad mandate to protect consumers from unfair or deceptive practices in the marketplace to investigate privacy and security claims.
The FTC’s media release announcing the lawsuit indicates that the alleged failure on the part of D–Link compromised sensitive consumer information (such as providing live video and audio feeds from private D–Link cameras, or by redirecting a consumer to a fraudulent website). The FTC claims that despite D–Link’s promotional representations about the security of its routers (i.e., “Easy to Secure”, “Advanced Network Security”), the company failed to take steps to address widely known and easily preventable security issues. Security issues with a number of common routers used in businesses and homes have been widely reported in the media in recent months and years.
The FTC’s complaint comes at a formative stage in the development of regulations for the Internet of Things (“IoT”) – a matter we have blogged about before. The FTC has emphasized that the only way for the IoT to reach its full potential for innovation is with the trust of consumers. To that end, it has published guidance on device security protocols and standards for both corporations and consumers. Likewise, it is through FTC litigation such as that brought against D–Link, ASUS, and TRENDnet that the regulator seeks to give force and shape to the obligations of manufacturers over the security of their equipment. This comes at a time when breaches of privacy and security can have further–reaching consequences than ever before, and even the most mundane household products are gaining network–based functionality. With that functionality comes vulnerability.
Like the FTC, the Privacy Commissioner of Canada is tasked with protecting the privacy interests of consumers, albeit with different powers and jurisdiction. The Commissioner recently expressed that there is significant room for improvement with respect to how well companies explain to consumers how Internet–connected devices handle their personal information. It is unclear whether Canadian policymakers will unveil more particularized directives with respect to the IoT.
What is clear is that neither U.S. or Canadian privacy regulators are content to allow manufacturers to wash their hands of responsibility for providing a reasonable level of security and protection on their networked devices and products. The alleged failure of D–Link to address widely–reported and easily–addressed security flaws also points to the need for such manufacturers (and those looking to move into the IoT space) to stay abreast of new security threats and establish formal protocols for managing privacy risks and the legal liability which may follow. The D–Link litigation may serve as a cautionary tale for Canadian manufacturers seeking growth in the U.S. market.
By: Douglas Judson, Associate