FTC vs D-Link: The legal risks of IoT insecurity
As the Internet of Things (IoT) becomes more of a fact of daily life for many people and businesses, securing the data and devices involved has emerged as the single biggest IoT challenge. This isn't surprising, given that security incidents related to connected devices will likely rise -- as will legal action related to product and service vulnerabilities.
See: D-Link fights back against 'baseless' data security lawsuit
A prime example came earlier this month, when the United States Federal Trade Commission (FTC) filed a lawsuit against D-Link, a maker of networked devices for business users and consumers, claiming the company put thousands of customers at risk of unauthorized access by failing to secure its IP cameras and routers. Security vulnerabilities in the products had been discovered last year.
The lawsuit claims that D-Link failed to take reasonable software testing and remediation measures to protect its routers and IP cameras against well-known and easily preventable software security flaws.
The case against D-Link is the latest of many recent FTC actions brought against consumer-facing technology companies for allegedly failing to implement reasonable data security, said Jeremy Goldman, a data security law expert and a partner in the litigation, privacy and data security groups at law firm Frankfurt Kurnit Klein & Selz.
"D-Link has just been made the poster child for IoT security, and similar actions are likely," Goldman said. "However, the key question is whether the incoming administration will continue to prioritize data security and interpret the FTC's powers as broadly as the current commission."
The legal action should grab the attention of any company that is developing IoT and other Internet-enabled consumer or business products.
"The FTC is sending a clear message to manufacturers of IoT and other connected devices: you have to think seriously about the technical controls built into your products," Goldman said. "Innovation has to include reasonable security designed to protect consumer data and privacy. What does that mean? Among other things, default passwords simply will not fly."
In the current political climate, Goldman thinks it is unlikely the U.S. government will enact any new legislation setting minimum security standards for IoT or other connected devices.
Best Google Chrome productivity, privacy and security extensions 2017
"It is more likely that the FTC and other federal regulators will continue to try and fill the gaps using their authority under existing laws," Goldman said. "States have become increasingly active in the data security space, both in terms of cyber-policing by state [prosecutors] as well as state legislatures passing new cyber security laws."
In addition to the FTC, and depending on the functionality and intended users of an IoT product, legal action might arise from other federal regulators such as the FCC as well as state attorneys general charged with protecting consumers, Goldman said.
"The other major source of legal action is class action lawyers, who have been very aggressive and creative in the privacy and data security space," Goldman said. "Companies that market products abroad also may face action from foreign data protection regulators."
As technology evolves and new exploits are discovered, what constitutes a reasonable level security is going to change over time, Goldman noted. "That said, there is helpful guidance out there," he said.
For example, the FTC published a detailed report recommending a series of concrete steps that IoT developers can take to enhance the security of their products. "While not binding, companies that follow the FTC's recommendations would have a strong argument that they acted reasonably in protecting the privacy and data security of their consumers," he said.
Video: Why building IoT Solutions remains a challenge for developers
