Federal Trade Commission v. D-Link Corporation et al
Filing
90
ORDER by Judge James Donato granting in part and denying in part 25 Motion to Dismiss. Amended Pleadings due by 10/20/2017. (jdlc3S, COURT STAFF) (Filed on 9/19/2017)
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
7
FEDERAL TRADE COMMISSION,
Plaintiff,
8
9
10
United States District Court
Northern District of California
11
Case No. 3:17-cv-00039-JD
ORDER RE MOTION TO DISMISS
v.
Re: Dkt. No. 25
D-LINK SYSTEMS, INC.,
Defendant.
12
In this enforcement action under Section 5(a) and Section 13(b) of the Federal Trade
13
Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a) and 53(b), the Federal Trade Commission
14
(“FTC”) alleges that defendant D-Link Systems (“DLS”) engaged in unfair and deceptive
15
practices in the marketing and sales of routers and Internet-protocol (“IP”) cameras. Dkt. No. 1.
16
The FTC also sued D-Link Corporation, DLS’s Taiwanese parent, but the parties agreed to
17
dismiss it without prejudice. Dkt. No. 75. DLS moves to dismiss the complaint on a variety of
18
grounds. Dkt. No. 25. The motion is granted in part and denied in part.
19
20
BACKGROUND
As alleged in the complaint, DLS sells router and IP camera products to consumers in the
21
United States. Dkt. No. 1 ¶ 7. DLS marketed these products as providing good data security
22
because they featured “the latest wireless security features to help prevent unauthorized access”
23
and “the best possible encryption” protections, among other safeguards. See id. ¶¶ 21-24. The
24
FTC alleges that, in fact, DLS failed to protect its products from “widely known and reasonably
25
foreseeable risks of unauthorized access” by not providing “easily preventable” measures against
26
“‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the
27
private key DLS used with consumers to validate software updates, and not deploying “free
28
software, available since at least 2008, to secure users’ mobile app login credentials.” Id. ¶ 15. As
1
a consequence, “consumers’ sensitive personal information and local networks” are at significant
2
risk of being accessed by unauthorized agents. Id. ¶¶ 16-18. DLS’s practices constitute, in the
3
FTC’s view, unfair and deceptive conduct under the FTC Act.
4
5
6
DISCUSSION
I.
PLEADING STANDARDS
DLS challenges the sufficiency of the complaint under Federal Rules of Civil Procedure
7
12(b)(6), 8(a), and 9(b). The standards governing the application of Rule 12(b)(6) are
8
straightforward. To meet the pleading requirements of Rule 8(a) and to survive a Rule 12(b)(6)
9
motion to dismiss, a claim must provide “a short and plain statement . . . showing that the pleader
is entitled to relief,” Fed. R. Civ. P. 8(a)(2), including “enough facts to state a claim . . . that is
11
United States District Court
Northern District of California
10
plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is plausible
12
on its face if, accepting all factual allegations as true and construing them in the light most
13
favorable to the plaintiff, the Court can reasonably infer that the defendant is liable for the
14
misconduct alleged. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). The plausibility analysis is
15
“context-specific” and not only invites but “requires the reviewing court to draw on its judicial
16
experience and common sense.” Id. at 679.
17
Whether the FTC’s complaint should also meet the specificity requirements of Rule 9(b) is
18
a more nuanced question. There is no doubt that the gravamen of the deception claims is that DLS
19
misled consumers about the data safety and security features of its products. That core allegation
20
sounds in fraud and would appear to fit squarely within the rule in our circuit that such claims
21
must meet the heightened pleading standards of Rule 9(b). See Vess v. Ciba-Geigy Corp. USA,
22
317 F.3d 1097, 1103-04 (9th Cir. 2003). The wrinkle is that the circuit has not yet had occasion to
23
determine whether Vess and similar decisions apply to FTC deception claims, and the FTC says
24
that Rule 9(b) should not apply because “[u]nlike the elements of common law fraud, the FTC
25
need not prove scienter, reliance, or injury to establish a § 5 violation.” Dkt. No. 28 at 12 (quoting
26
FTC v. Freedom Comm’cns, Inc., 401 F.3d 1192, 1203 n.7) (10th Cir. 2005)).
27
28
This argument is not persuasive. In essence, the FTC contends Rule 9(b) is inapplicable
because fraud is not an essential element of its deception claims. But that is precisely the
2
1
truncated view of Rule 9(b) that our circuit has rejected. Vess requires a claim to satisfy Rule
2
9(b)’s specificity demands when the defendant is alleged to have engaged in fraudulent conduct,
3
even though fraud is not a necessary element of the claim. Vess, 317 F.3d at 1103-04. Tellingly,
4
Vess articulated this standard in the context of California’s Unfair Competition Law (“UCL”),
5
which like Section 5 outlaws deceptive practices without requiring fraud as an essential element.
6
Id. Our circuit has consistently held that UCL and similar consumer claims rooted in allegations
7
of false or misleading statements about a product sound in fraud and must meet Rule 9(b)’s
8
requirements. See, e.g., Rubenstein v. Neiman Marcus Group LLC, 687 Fed. Appx. 564, 567 (9th
9
Cir. 2017); Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009). The FTC’s deception
claims are premised on exactly these types of misleading statements to consumers, and so Rule
11
United States District Court
Northern District of California
10
9(b) must apply to them. Other district courts have reached the same conclusion. See, e.g., FTC v.
12
Lights of Am., Inc., 760 F. Supp. 2d 848, 852-855 (C.D. Cal. Dec. 17, 2010) (applying rule to
13
deception claims); FTC v. ELH Consulting, LLC, No. CV 12-02246-PHX-FJM, 2013 WL
14
4759267, at *1 (D. Ariz. Sept. 4, 2013) (same); see also FTC v. Swish Marketing, No. C-09-
15
03814-RS, 2010 WL 653486, at *2-4 (N.D. Cal. Feb. 22, 2010) (finding “a real prospect” that
16
Rule 9(b) applies but not deciding the issue).
17
Whether the FTC must also plead its unfairness claim under Rule 9(b) is more debatable.
18
The parties have assumed that only Rule 8 applies. That was not necessarily unreasonable. Under
19
Section 5(n), an act may be unfair if it: (1) causes or is likely to cause substantial injury to
20
consumers; (2) is not reasonably avoidable by consumers; and (3) is not outweighed by
21
countervailing benefits to consumers or competition. 15 U.S.C. § 45(n). There is little flavor of
22
fraud in these elements, and the FTC has expressly stated that the unfairness claim against DLS is
23
not tied to an alleged misrepresentation. See Section III, below. At the same time, however, the
24
FTC has said that for all of its claims “the core facts overlap, absolutely,” Dkt. No. 42 at 13, and
25
there is no doubt that the overall theme of the complaint is that DLS misled consumers about the
26
data security its products provide. The FTC also acknowledges that DLS’s misrepresentations are
27
relevant to the unfairness claim because consumers could not have reasonably avoided injury in
28
light of them. Dkt. No. 28 at 7.
3
1
Consequently, there is a distinct possibility that Rule 9(b) might apply to the unfairness
2
claim. But the question presently is not ripe for resolution. As discussed below, the unfairness
3
claim is dismissed under Rule 8. Whether it will need to satisfy Rule 9(b) will depend on how the
4
unfairness claim is stated, if the FTC chooses to amend.
5
II.
THE DECEPTION CLAIMS
6
Counts II through VI are grounded on allegedly deceptive practices by DLS. All are
7
reviewed for sufficiency under Rule 9(b), with different outcomes depending on the specific
8
allegations.
9
Count II states a plausible claim. This claim alleges that DLS has misrepresented the data
security and protections its devices provide. Among other examples, the FTC alleges that DLS
11
United States District Court
Northern District of California
10
has made misleading statements to consumers about its data security policies and practices. See
12
Dkt. No. 1 ¶ 20. The allegations in support of the claim identify specific statements DLS made at
13
specific times between December 2013 and September 2015. Id., PX 1. The allegations also
14
specify why the statements are deceptive. Paragraphs 15-18 allege that DLS’s routers and IP
15
cameras do not protect against “critical and widespread web application vulnerabilities” identified
16
since 2007, including “‘hard-coded’ user credentials,” “command injection flaws” and “other
17
backdoors.” Id. ¶ 15. These allegations, along with others in the complaint, amply provide “the
18
who, what, when, where and how of the misconduct charged.” Ebeid ex rel. United States v.
19
Lungwitz, 616 F.3d 993, 998 (9th Cir. 2010).
20
DLS says that Rule 9(b) requires an exacting identification of the IP camera models or
21
router models with the alleged security flaws described in Paragraph 15. See generally Dkt. No.
22
25 at 13. This goes too far. While mere labels, conclusions and “[b]road allegations that include
23
no particularized supporting detail do not suffice” for Rule 9(b) purposes, “this standard does not
24
require absolute particularity or a recital of the evidence. . . . [A] complaint need not allege ‘a
25
precise time frame,’ ‘describe in detail a single specific transaction’ or identify the ‘precise
26
method’ used to carry out the fraud.” United States v. United Healthcare Ins. Co., 848 F.3d 1161,
27
1180 (9th Cir. 2016) (citing Cooper v. Pickett, 137 F.3d 616, 627 (9th Cir. 1997)) (other citations
28
omitted). Count II identifies the time period during which DLS made the statements and provides
4
1
specific reasons why the statements were false -- for example, that the routers and IP cameras
2
could be hacked through hard-coded user credentials or command injection flaws. Dkt. No. 1 ¶
3
15(a). That is all Rule 9(b) demands.
4
DLS’s suggestion that the complaint should allege specific consumer reliance on the
5
statements, Dkt. No. 25 at 13, is also not well-taken. In this vein, DLS highlights that the security
6
policy ends with a disclaimer: “It is up to the reader to determine the suitability of any directions
7
or information in this document.” Id. It is certainly true that the ultimate determination of
8
whether a statement was deceptive depends on whether it was likely to have misled consumers
9
acting reasonably under the circumstances. See FTC v. Pantron I Corp., 33 F.3d 1088, 1095 (9th
Cir.1994). But at this stage, the FTC simply needs to allege particularized facts leading to a
11
United States District Court
Northern District of California
10
plausible inference of liability, which it has done. Disclaimers, moreover, do not as a matter of
12
law immunize statements that are otherwise deceptive. See FTC v. Brown & Williamson Tobacco
13
Corp., 778 F.2d 35, 42-44 (D.C. Cir. 1985). That point is particularly apt here, where the DLS
14
disclaimer attempts a sweeping abandonment of responsibility that purports to dump on the
15
consumer all of the risk that DLS may be wrong, reckless or outright lying about its data security
16
features.
17
Counts III and VI also state plausible claims. The exhibits attached to the complaint
18
identify the contents of the allegedly deceptive statements as well as the years those statements
19
were made. Dkt. No. 1, PX 2-5 & 11. Paragraphs 15-18 offer specific facts to explain why and
20
how the types of statements contained in these materials are false or misleading.
21
Counts IV and V fare less well under Rule 9(b). These counts center on alleged
22
misrepresentations in promotional materials for IP cameras and graphic user interfaces (GUI’s) for
23
routers. Id., PX 6-9. Exhibit 6, a promotional brochure for an IP camera, is the only dated exhibit
24
supporting these counts, and even there the FTC has not alleged facts showing that such brochures
25
are likely to mislead consumers. The brochure simply advertises a “surveillance camera” for the
26
“home or small office” and contains no representations at all about digital security. Id., PX 6. It is
27
not plausible that a reasonable consumer would believe the camera is secure from digital attacks
28
just because the word “SECURITY” is printed on the bottom corner of the brochure. After all, the
5
1
device is being marketed as a home security camera. The remaining exhibits contain more
2
plausibly deceptive statements but fail to identify when those statements were made. These claims
3
lack enough specificity to give DLS fair notice of its allegedly deceptive conduct, and are
4
dismissed with leave to amend. Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985).
5
III.
6
THE UNFAIRNESS CLAIM
The parties hotly contest the viability of Count I, which alleges unfair practices under the
7
FTC Act. DLS raises several broad objections, starting with the contention that the unfairness
8
claim as a whole is an ultra vires reach by the FTC to assert authority over general data security
9
practices. “Section 5 says nothing about data security . . . . If Congress wanted the FTC to
regulate data security for the entire economy, it would have clearly said so.” Dkt. No. 25 at 12.
11
United States District Court
Northern District of California
10
This contention echoes similar arguments in other cases attacking the FTC’s authority to regulate
12
data security practices, particularly in the absence of rulemaking. See, e.g., FTC v. Wyndham
13
Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 799 F.3d 236 (3d Cir. 2015).
14
This type of challenge to the FTC’s authority has been consistently rejected by other
15
courts, with good reason. Congress intentionally made Section 5 open-ended, and “explicitly
16
considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of
17
competition’ by tying the concept of unfairness to a common-law or statutory standard or by
18
enumerating the particular practices to which it was intended to apply.” FTC v. Sperry &
19
Hutchinson Co., 405 U.S. 233, 239-40 (citing and discussing Senate Report No. 597, 63d Cong.,
20
2d Sess., 13 (1914)). The FTC is “charged with giving meaning to ‘the elusive, but
21
congressionally mandated standard of fairness,’ Sperry & Hutchinson Co., 405 U.S. at 244, which
22
by its very nature, is ‘a flexible concept with evolving content.’ FTC v. Bunte Bros., Inc., 312
23
U.S. 349, 353 (1941).” FTC v. IFC Credit Corp., 543 F. Supp. 2d 925, 940 (N.D. Ill. 2008); see
24
also 15 U.S.C. § 45(a)(2) (“The Commission is hereby empowered and directed” to prevent unfair
25
practices). Consequently, the fact that data security is not expressly enumerated as within the
26
FTC’s enforcement powers is of no moment to the exercise of its statutory authority. See also
27
FTC v. Wyndham Worldwide Corp, 799 F.3d 236, 259 (3d Cir. 2015) (finding that legislative acts
28
affecting cybersecurity have not “reshaped the provision’s [15 U.S.C. § 45(a)] meaning to exclude
6
1
cybersecurity”).
2
DLS’s next broad objection goes to fair notice. DLS says that the FTC has not
3
“promulgate[d] clear, unambiguous standards” for fair practices in data security, Dkt. No. 25 at
4
10, and that fair notice requires that the FTC adopt standards before pursuing enforcement actions
5
in federal court or at the Commission.
6
This misconstrues federal administrative law. Agencies are not required to anticipate
problems and promulgate general rules before performing their statutory duties. Sec. & Exch.
8
Comm’n v. Chenery Corp., 332 U.S. 194, 201-02 (1947); see also NLRB v. Bell Aerospace Co.,
9
416 U.S. 267, 292 (1974) (same). While “quasi-legislative” rulemaking may be an optimal way
10
for agencies to proceed, requiring it as a precedent to all enforcement actions would “stultify the
11
United States District Court
Northern District of California
7
administrative process” and render it “inflexible and incapable” of meeting its statutory
12
commands. Chenery, 332 U.S. at 202-03. Consequently, the choice “between proceeding by
13
general rule or by individual, ad hoc litigation is one that lies primarily in the informed discretion
14
of the administrative agency.” Id. at 203; see also Bell Aerospace, 416 U.S. at 294 (“choice
15
between rulemaking and adjudication lies in the first instance in the” agency’s discretion). There
16
can be no serious question that data security is a new and rapidly developing facet of our daily
17
lives, and to require the FTC in all cases to adopt rules or standards before responding to data
18
security issues faced by consumers is impractical and inconsistent with governing law.
19
DLS does not cite any authority to the contrary. It refers to United States v. Trident
20
Seafoods Corp., 60 F.3d 556, 559 (9th Cir. 1995), but Trident holds only that a corporation cannot
21
be subject to a penalty “not clearly applicable either by statute or by regulation.” Id. (emphasis
22
added). DLS also cites Montgomery Ward & Co. v. FTC, 691 F.2d 1322, 1328-32 (9th Cir. 1982),
23
but that case embraces Chenery, as it must, and holds only that the FTC cannot impose stricter
24
standards in an adjudication than those plainly specified in a promulgated regulation.
25
DLS’s final broad attack is on the time frame of the unfairness claim. DLS says that
26
Section 5 applies to only current unfair practices, and because Paragraphs 15-18 in the complaint
27
“are pleaded in the past tense,” the FTC has not successfully pleaded an unfairness claim. Dkt.
28
No. 25 at 4 (emphasis in original).
7
1
The better view is that the challenged paragraphs use the present perfect tense: “have
2
failed”, “repeatedly have failed”, “has failed to take reasonable steps”, “have failed to use free
3
software”, “instead have stored.” Dkt. No. 1 ¶ 15. The present perfect is typically used to
4
describe an action that started in the past and continues in the present. For example, the phrase “I
5
have served as a federal judge since 2014” means that I started as a judge in 2014 and continue to
6
be one today. It does not mean, as DLS would have it, that I was once a judge but stopped being
7
one at some undefined time in the past. This is the most grammatically sensible reading of the
8
complaint, and any lingering doubts have been dispelled by the FTC’s position at the motion
9
hearing that it is suing DLS for current and ongoing practices. Dkt. No. 42 at 8.
10
While DLS’s general objections to the unfairness claim are unavailing, a specific issue of
United States District Court
Northern District of California
11
adequacy under Rule 8 has merit. As noted, Section 5(n) makes unfair an act or practice that
12
“causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by
13
consumers themselves and not outweighed by countervailing benefits to consumers or to
14
competition.” 15 U.S.C. § 45(n). This statutory definition has been used by the courts and the
15
Commission as setting out the three elements of an unfairness claim under Section 45(n). See,
16
e.g., Am. Fin. Servs. Ass’n v. FTC, 767 F.2d 957, 972 (D.C. Cir. 1985); FTC v. Neovi, Inc., 604
17
F.3d 1150, 1155 (9th Cir. 2010).
18
The pleading problem the FTC faces concerns the first element of injury. The FTC does
19
not allege any actual consumer injury in the form of a monetary loss or an actual incident where
20
sensitive personal data was accessed or exposed. Instead, the FTC relies solely on the likelihood
21
that DLS put consumers at “risk” because “remote attackers could take simple steps, using widely
22
available tools, to locate and exploit Defendants’ devices, which were widely known to be
23
vulnerable.” Dkt. No. 1 ¶ 17; see also id. ¶ 18 (attacker “could compromise” a router and thereby
24
“could obtain” tax returns or other sensitive files).
25
That is effectively the sum total of the harm allegations, and they make out a mere
26
possibility of injury at best. The FTC does not identify a single incident where a consumer’s
27
financial, medical or other sensitive personal information has been accessed, exposed or misused
28
in any way, or whose IP camera has been compromised by unauthorized parties, or who has
8
1
suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in
2
the DLS devices. The absence of any concrete facts makes it just as possible that DLS’s devices
3
are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory
4
allegations about potential injury to tilt the balance in its favor. Twombly, 550 U.S. at 557. The
5
lack of facts indicating a likelihood of harm is all the more striking in that the FTC says that it
6
undertook a thorough investigation before filing the complaint, Dkt. No. 42 at 8, and that the DLS
7
devices have had the challenged security flaws since 2011, id. at 18. This complaint stands in
8
sharp contrast to complaints that have survived motions to dismiss in other cases involving data
9
security issues. See, e.g., FTC v. Wyndham Worldwide, 799 F.3d 236, 242 (3d. Cir. 2015)
(sustaining complaint that alleged data theft of personal information of hundreds of thousands of
11
United States District Court
Northern District of California
10
consumers with over $10.6 million in fraudulent charges).
12
The FTC nevertheless contends that dismissal is unwarranted because “[t]he degree of
13
likely substantial injury is a question of fact inappropriate for this stage of the case,” Dkt. No. 28
14
at 6, and cites this Court’s holding in Brickman v. Fitbit, Inc., No. 15-CV-02077-JD, 2016 WL
15
3844327, at *3 (N.D. Cal. July 15, 2016), to that end. This misunderstands Brickman. That
16
decision, in a case which did not involve Section 5(n) or the FTC, held only that consumer
17
reliance on the defendant’s allegedly deceptive marketing statements entailed disputes of fact not
18
suited for resolution on a Rule 12(b)(6) motion. Id.; see also Williams v. Gerber Products, Co.,
19
552 F.3d 934, 938-39 (9th Cir. 2009). That is not the question here, particularly since the FTC has
20
expressly divorced the unfairness claim from any of DLS’s representations to consumers. Dkt.
21
No. 42 at 12-13. Brickman is not at all germane.
22
If the FTC had tied the unfairness claim to the representations underlying the deception
23
claims, it might have had a more colorable injury element. A consumer’s purchase of a device
24
that fails to be reasonably secure -- let alone as secure as advertised -- would likely be in the
25
ballpark of a “substantial injury,” particularly when aggregated across a large group of consumers.
26
See Neovi, 604 F.3d at 1157 (“An act or practice can cause substantial injury by doing a small
27
harm to a large number of people”) (citation and quotes omitted). But the FTC pursued a different
28
and ultimately untenable track.
9
1
2
CONCLUSION
Counts I, IV, and V of the complaint are dismissed with leave to amend. The motion to
3
dismiss is denied in all other respects. If the FTC would like to amend, it should file a revised
4
complaint that is consistent with this order by October 20, 2017.
5
IT IS SO ORDERED.
6
7
Dated: September 19, 2017
8
9
JAMES DONATO
United States District Judge
10
United States District Court
Northern District of California
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
10
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?