As more consumer devices connect to the Internet, regulators take a more aggressive stance requiring security promises be met.
On January 5, 2017, the FTC filed a complaint against computer networking equipment manufacturer, D-Link Corporation, alleging that the company failed to take reasonable steps to secure routers and Internet-protocol cameras from “widely known and reasonably foreseeable risks of unauthorized access,” leaving consumers vulnerable to data privacy and security risks.
The D-Link case is the FTC’s third case in the Internet of Things (IOT) space. The first was in 2014 against TRENDnet, Inc., a computer networking devices retailer, and the second was in 2016 against ASUSTek Computer, Inc., a computer hardware manufacturer. According to the FTC, D-Link put consumers at a significant risk of harm because D-Link failed to take steps “to address well-known and easily preventable security flaws,” including flaws “ranked among the most critical and widespread web application vulnerabilities since at least 2007” by the Open Web Application Security Project. In response to the FTC’s complaint, D-Link denied the allegations and promised to “vigorously defend the action.”
The absence of security measures promised to consumers in product brochures and other public statements regarding privacy is problematic for the FTC. Like in the TRENDnet and the ASUS cases, in the D-Link case, the FTC alleged D-Link misrepresented its security practices to consumers. Several exhibits to the FTC’s complaint show the security representations D-Link made to customers of its various products. These include a Security Event Response Policy, and statements like “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” According to the FTC, D-Link told its customers that their equipment is secure, and the FTC expects that D-Link will honor its representations to its customers by taking the necessary steps to secure its products against hackers.
IOT companies need to remain vigilant and use resources such as the Open Web Application Project, the NIST and the FTC’s published guidance to learn about the latest security practices in the industry. IOT companies likely will not be safe from regulatory scrutiny if they do not remain current with the latest security practices.