Federal Trade Commission v. D-Link Corporation et al

Filing 90

ORDER by Judge James Donato granting in part and denying in part 25 Motion to Dismiss. Amended Pleadings due by 10/20/2017. (jdlc3S, COURT STAFF) (Filed on 9/19/2017)

Download PDF
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 FEDERAL TRADE COMMISSION, Plaintiff, 8 9 10 United States District Court Northern District of California 11 Case No. 3:17-cv-00039-JD ORDER RE MOTION TO DISMISS v. Re: Dkt. No. 25 D-LINK SYSTEMS, INC., Defendant. 12 In this enforcement action under Section 5(a) and Section 13(b) of the Federal Trade 13 Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a) and 53(b), the Federal Trade Commission 14 (“FTC”) alleges that defendant D-Link Systems (“DLS”) engaged in unfair and deceptive 15 practices in the marketing and sales of routers and Internet-protocol (“IP”) cameras. Dkt. No. 1. 16 The FTC also sued D-Link Corporation, DLS’s Taiwanese parent, but the parties agreed to 17 dismiss it without prejudice. Dkt. No. 75. DLS moves to dismiss the complaint on a variety of 18 grounds. Dkt. No. 25. The motion is granted in part and denied in part. 19 20 BACKGROUND As alleged in the complaint, DLS sells router and IP camera products to consumers in the 21 United States. Dkt. No. 1 ¶ 7. DLS marketed these products as providing good data security 22 because they featured “the latest wireless security features to help prevent unauthorized access” 23 and “the best possible encryption” protections, among other safeguards. See id. ¶¶ 21-24. The 24 FTC alleges that, in fact, DLS failed to protect its products from “widely known and reasonably 25 foreseeable risks of unauthorized access” by not providing “easily preventable” measures against 26 “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the 27 private key DLS used with consumers to validate software updates, and not deploying “free 28 software, available since at least 2008, to secure users’ mobile app login credentials.” Id. ¶ 15. As 1 a consequence, “consumers’ sensitive personal information and local networks” are at significant 2 risk of being accessed by unauthorized agents. Id. ¶¶ 16-18. DLS’s practices constitute, in the 3 FTC’s view, unfair and deceptive conduct under the FTC Act. 4 5 6 DISCUSSION I. PLEADING STANDARDS DLS challenges the sufficiency of the complaint under Federal Rules of Civil Procedure 7 12(b)(6), 8(a), and 9(b). The standards governing the application of Rule 12(b)(6) are 8 straightforward. To meet the pleading requirements of Rule 8(a) and to survive a Rule 12(b)(6) 9 motion to dismiss, a claim must provide “a short and plain statement . . . showing that the pleader is entitled to relief,” Fed. R. Civ. P. 8(a)(2), including “enough facts to state a claim . . . that is 11 United States District Court Northern District of California 10 plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is plausible 12 on its face if, accepting all factual allegations as true and construing them in the light most 13 favorable to the plaintiff, the Court can reasonably infer that the defendant is liable for the 14 misconduct alleged. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). The plausibility analysis is 15 “context-specific” and not only invites but “requires the reviewing court to draw on its judicial 16 experience and common sense.” Id. at 679. 17 Whether the FTC’s complaint should also meet the specificity requirements of Rule 9(b) is 18 a more nuanced question. There is no doubt that the gravamen of the deception claims is that DLS 19 misled consumers about the data safety and security features of its products. That core allegation 20 sounds in fraud and would appear to fit squarely within the rule in our circuit that such claims 21 must meet the heightened pleading standards of Rule 9(b). See Vess v. Ciba-Geigy Corp. USA, 22 317 F.3d 1097, 1103-04 (9th Cir. 2003). The wrinkle is that the circuit has not yet had occasion to 23 determine whether Vess and similar decisions apply to FTC deception claims, and the FTC says 24 that Rule 9(b) should not apply because “[u]nlike the elements of common law fraud, the FTC 25 need not prove scienter, reliance, or injury to establish a § 5 violation.” Dkt. No. 28 at 12 (quoting 26 FTC v. Freedom Comm’cns, Inc., 401 F.3d 1192, 1203 n.7) (10th Cir. 2005)). 27 28 This argument is not persuasive. In essence, the FTC contends Rule 9(b) is inapplicable because fraud is not an essential element of its deception claims. But that is precisely the 2 1 truncated view of Rule 9(b) that our circuit has rejected. Vess requires a claim to satisfy Rule 2 9(b)’s specificity demands when the defendant is alleged to have engaged in fraudulent conduct, 3 even though fraud is not a necessary element of the claim. Vess, 317 F.3d at 1103-04. Tellingly, 4 Vess articulated this standard in the context of California’s Unfair Competition Law (“UCL”), 5 which like Section 5 outlaws deceptive practices without requiring fraud as an essential element. 6 Id. Our circuit has consistently held that UCL and similar consumer claims rooted in allegations 7 of false or misleading statements about a product sound in fraud and must meet Rule 9(b)’s 8 requirements. See, e.g., Rubenstein v. Neiman Marcus Group LLC, 687 Fed. Appx. 564, 567 (9th 9 Cir. 2017); Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009). The FTC’s deception claims are premised on exactly these types of misleading statements to consumers, and so Rule 11 United States District Court Northern District of California 10 9(b) must apply to them. Other district courts have reached the same conclusion. See, e.g., FTC v. 12 Lights of Am., Inc., 760 F. Supp. 2d 848, 852-855 (C.D. Cal. Dec. 17, 2010) (applying rule to 13 deception claims); FTC v. ELH Consulting, LLC, No. CV 12-02246-PHX-FJM, 2013 WL 14 4759267, at *1 (D. Ariz. Sept. 4, 2013) (same); see also FTC v. Swish Marketing, No. C-09- 15 03814-RS, 2010 WL 653486, at *2-4 (N.D. Cal. Feb. 22, 2010) (finding “a real prospect” that 16 Rule 9(b) applies but not deciding the issue). 17 Whether the FTC must also plead its unfairness claim under Rule 9(b) is more debatable. 18 The parties have assumed that only Rule 8 applies. That was not necessarily unreasonable. Under 19 Section 5(n), an act may be unfair if it: (1) causes or is likely to cause substantial injury to 20 consumers; (2) is not reasonably avoidable by consumers; and (3) is not outweighed by 21 countervailing benefits to consumers or competition. 15 U.S.C. § 45(n). There is little flavor of 22 fraud in these elements, and the FTC has expressly stated that the unfairness claim against DLS is 23 not tied to an alleged misrepresentation. See Section III, below. At the same time, however, the 24 FTC has said that for all of its claims “the core facts overlap, absolutely,” Dkt. No. 42 at 13, and 25 there is no doubt that the overall theme of the complaint is that DLS misled consumers about the 26 data security its products provide. The FTC also acknowledges that DLS’s misrepresentations are 27 relevant to the unfairness claim because consumers could not have reasonably avoided injury in 28 light of them. Dkt. No. 28 at 7. 3 1 Consequently, there is a distinct possibility that Rule 9(b) might apply to the unfairness 2 claim. But the question presently is not ripe for resolution. As discussed below, the unfairness 3 claim is dismissed under Rule 8. Whether it will need to satisfy Rule 9(b) will depend on how the 4 unfairness claim is stated, if the FTC chooses to amend. 5 II. THE DECEPTION CLAIMS 6 Counts II through VI are grounded on allegedly deceptive practices by DLS. All are 7 reviewed for sufficiency under Rule 9(b), with different outcomes depending on the specific 8 allegations. 9 Count II states a plausible claim. This claim alleges that DLS has misrepresented the data security and protections its devices provide. Among other examples, the FTC alleges that DLS 11 United States District Court Northern District of California 10 has made misleading statements to consumers about its data security policies and practices. See 12 Dkt. No. 1 ¶ 20. The allegations in support of the claim identify specific statements DLS made at 13 specific times between December 2013 and September 2015. Id., PX 1. The allegations also 14 specify why the statements are deceptive. Paragraphs 15-18 allege that DLS’s routers and IP 15 cameras do not protect against “critical and widespread web application vulnerabilities” identified 16 since 2007, including “‘hard-coded’ user credentials,” “command injection flaws” and “other 17 backdoors.” Id. ¶ 15. These allegations, along with others in the complaint, amply provide “the 18 who, what, when, where and how of the misconduct charged.” Ebeid ex rel. United States v. 19 Lungwitz, 616 F.3d 993, 998 (9th Cir. 2010). 20 DLS says that Rule 9(b) requires an exacting identification of the IP camera models or 21 router models with the alleged security flaws described in Paragraph 15. See generally Dkt. No. 22 25 at 13. This goes too far. While mere labels, conclusions and “[b]road allegations that include 23 no particularized supporting detail do not suffice” for Rule 9(b) purposes, “this standard does not 24 require absolute particularity or a recital of the evidence. . . . [A] complaint need not allege ‘a 25 precise time frame,’ ‘describe in detail a single specific transaction’ or identify the ‘precise 26 method’ used to carry out the fraud.” United States v. United Healthcare Ins. Co., 848 F.3d 1161, 27 1180 (9th Cir. 2016) (citing Cooper v. Pickett, 137 F.3d 616, 627 (9th Cir. 1997)) (other citations 28 omitted). Count II identifies the time period during which DLS made the statements and provides 4 1 specific reasons why the statements were false -- for example, that the routers and IP cameras 2 could be hacked through hard-coded user credentials or command injection flaws. Dkt. No. 1 ¶ 3 15(a). That is all Rule 9(b) demands. 4 DLS’s suggestion that the complaint should allege specific consumer reliance on the 5 statements, Dkt. No. 25 at 13, is also not well-taken. In this vein, DLS highlights that the security 6 policy ends with a disclaimer: “It is up to the reader to determine the suitability of any directions 7 or information in this document.” Id. It is certainly true that the ultimate determination of 8 whether a statement was deceptive depends on whether it was likely to have misled consumers 9 acting reasonably under the circumstances. See FTC v. Pantron I Corp., 33 F.3d 1088, 1095 (9th Cir.1994). But at this stage, the FTC simply needs to allege particularized facts leading to a 11 United States District Court Northern District of California 10 plausible inference of liability, which it has done. Disclaimers, moreover, do not as a matter of 12 law immunize statements that are otherwise deceptive. See FTC v. Brown & Williamson Tobacco 13 Corp., 778 F.2d 35, 42-44 (D.C. Cir. 1985). That point is particularly apt here, where the DLS 14 disclaimer attempts a sweeping abandonment of responsibility that purports to dump on the 15 consumer all of the risk that DLS may be wrong, reckless or outright lying about its data security 16 features. 17 Counts III and VI also state plausible claims. The exhibits attached to the complaint 18 identify the contents of the allegedly deceptive statements as well as the years those statements 19 were made. Dkt. No. 1, PX 2-5 & 11. Paragraphs 15-18 offer specific facts to explain why and 20 how the types of statements contained in these materials are false or misleading. 21 Counts IV and V fare less well under Rule 9(b). These counts center on alleged 22 misrepresentations in promotional materials for IP cameras and graphic user interfaces (GUI’s) for 23 routers. Id., PX 6-9. Exhibit 6, a promotional brochure for an IP camera, is the only dated exhibit 24 supporting these counts, and even there the FTC has not alleged facts showing that such brochures 25 are likely to mislead consumers. The brochure simply advertises a “surveillance camera” for the 26 “home or small office” and contains no representations at all about digital security. Id., PX 6. It is 27 not plausible that a reasonable consumer would believe the camera is secure from digital attacks 28 just because the word “SECURITY” is printed on the bottom corner of the brochure. After all, the 5 1 device is being marketed as a home security camera. The remaining exhibits contain more 2 plausibly deceptive statements but fail to identify when those statements were made. These claims 3 lack enough specificity to give DLS fair notice of its allegedly deceptive conduct, and are 4 dismissed with leave to amend. Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985). 5 III. 6 THE UNFAIRNESS CLAIM The parties hotly contest the viability of Count I, which alleges unfair practices under the 7 FTC Act. DLS raises several broad objections, starting with the contention that the unfairness 8 claim as a whole is an ultra vires reach by the FTC to assert authority over general data security 9 practices. “Section 5 says nothing about data security . . . . If Congress wanted the FTC to regulate data security for the entire economy, it would have clearly said so.” Dkt. No. 25 at 12. 11 United States District Court Northern District of California 10 This contention echoes similar arguments in other cases attacking the FTC’s authority to regulate 12 data security practices, particularly in the absence of rulemaking. See, e.g., FTC v. Wyndham 13 Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 799 F.3d 236 (3d Cir. 2015). 14 This type of challenge to the FTC’s authority has been consistently rejected by other 15 courts, with good reason. Congress intentionally made Section 5 open-ended, and “explicitly 16 considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of 17 competition’ by tying the concept of unfairness to a common-law or statutory standard or by 18 enumerating the particular practices to which it was intended to apply.” FTC v. Sperry & 19 Hutchinson Co., 405 U.S. 233, 239-40 (citing and discussing Senate Report No. 597, 63d Cong., 20 2d Sess., 13 (1914)). The FTC is “charged with giving meaning to ‘the elusive, but 21 congressionally mandated standard of fairness,’ Sperry & Hutchinson Co., 405 U.S. at 244, which 22 by its very nature, is ‘a flexible concept with evolving content.’ FTC v. Bunte Bros., Inc., 312 23 U.S. 349, 353 (1941).” FTC v. IFC Credit Corp., 543 F. Supp. 2d 925, 940 (N.D. Ill. 2008); see 24 also 15 U.S.C. § 45(a)(2) (“The Commission is hereby empowered and directed” to prevent unfair 25 practices). Consequently, the fact that data security is not expressly enumerated as within the 26 FTC’s enforcement powers is of no moment to the exercise of its statutory authority. See also 27 FTC v. Wyndham Worldwide Corp, 799 F.3d 236, 259 (3d Cir. 2015) (finding that legislative acts 28 affecting cybersecurity have not “reshaped the provision’s [15 U.S.C. § 45(a)] meaning to exclude 6 1 cybersecurity”). 2 DLS’s next broad objection goes to fair notice. DLS says that the FTC has not 3 “promulgate[d] clear, unambiguous standards” for fair practices in data security, Dkt. No. 25 at 4 10, and that fair notice requires that the FTC adopt standards before pursuing enforcement actions 5 in federal court or at the Commission. 6 This misconstrues federal administrative law. Agencies are not required to anticipate problems and promulgate general rules before performing their statutory duties. Sec. & Exch. 8 Comm’n v. Chenery Corp., 332 U.S. 194, 201-02 (1947); see also NLRB v. Bell Aerospace Co., 9 416 U.S. 267, 292 (1974) (same). While “quasi-legislative” rulemaking may be an optimal way 10 for agencies to proceed, requiring it as a precedent to all enforcement actions would “stultify the 11 United States District Court Northern District of California 7 administrative process” and render it “inflexible and incapable” of meeting its statutory 12 commands. Chenery, 332 U.S. at 202-03. Consequently, the choice “between proceeding by 13 general rule or by individual, ad hoc litigation is one that lies primarily in the informed discretion 14 of the administrative agency.” Id. at 203; see also Bell Aerospace, 416 U.S. at 294 (“choice 15 between rulemaking and adjudication lies in the first instance in the” agency’s discretion). There 16 can be no serious question that data security is a new and rapidly developing facet of our daily 17 lives, and to require the FTC in all cases to adopt rules or standards before responding to data 18 security issues faced by consumers is impractical and inconsistent with governing law. 19 DLS does not cite any authority to the contrary. It refers to United States v. Trident 20 Seafoods Corp., 60 F.3d 556, 559 (9th Cir. 1995), but Trident holds only that a corporation cannot 21 be subject to a penalty “not clearly applicable either by statute or by regulation.” Id. (emphasis 22 added). DLS also cites Montgomery Ward & Co. v. FTC, 691 F.2d 1322, 1328-32 (9th Cir. 1982), 23 but that case embraces Chenery, as it must, and holds only that the FTC cannot impose stricter 24 standards in an adjudication than those plainly specified in a promulgated regulation. 25 DLS’s final broad attack is on the time frame of the unfairness claim. DLS says that 26 Section 5 applies to only current unfair practices, and because Paragraphs 15-18 in the complaint 27 “are pleaded in the past tense,” the FTC has not successfully pleaded an unfairness claim. Dkt. 28 No. 25 at 4 (emphasis in original). 7 1 The better view is that the challenged paragraphs use the present perfect tense: “have 2 failed”, “repeatedly have failed”, “has failed to take reasonable steps”, “have failed to use free 3 software”, “instead have stored.” Dkt. No. 1 ¶ 15. The present perfect is typically used to 4 describe an action that started in the past and continues in the present. For example, the phrase “I 5 have served as a federal judge since 2014” means that I started as a judge in 2014 and continue to 6 be one today. It does not mean, as DLS would have it, that I was once a judge but stopped being 7 one at some undefined time in the past. This is the most grammatically sensible reading of the 8 complaint, and any lingering doubts have been dispelled by the FTC’s position at the motion 9 hearing that it is suing DLS for current and ongoing practices. Dkt. No. 42 at 8. 10 While DLS’s general objections to the unfairness claim are unavailing, a specific issue of United States District Court Northern District of California 11 adequacy under Rule 8 has merit. As noted, Section 5(n) makes unfair an act or practice that 12 “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by 13 consumers themselves and not outweighed by countervailing benefits to consumers or to 14 competition.” 15 U.S.C. § 45(n). This statutory definition has been used by the courts and the 15 Commission as setting out the three elements of an unfairness claim under Section 45(n). See, 16 e.g., Am. Fin. Servs. Ass’n v. FTC, 767 F.2d 957, 972 (D.C. Cir. 1985); FTC v. Neovi, Inc., 604 17 F.3d 1150, 1155 (9th Cir. 2010). 18 The pleading problem the FTC faces concerns the first element of injury. The FTC does 19 not allege any actual consumer injury in the form of a monetary loss or an actual incident where 20 sensitive personal data was accessed or exposed. Instead, the FTC relies solely on the likelihood 21 that DLS put consumers at “risk” because “remote attackers could take simple steps, using widely 22 available tools, to locate and exploit Defendants’ devices, which were widely known to be 23 vulnerable.” Dkt. No. 1 ¶ 17; see also id. ¶ 18 (attacker “could compromise” a router and thereby 24 “could obtain” tax returns or other sensitive files). 25 That is effectively the sum total of the harm allegations, and they make out a mere 26 possibility of injury at best. The FTC does not identify a single incident where a consumer’s 27 financial, medical or other sensitive personal information has been accessed, exposed or misused 28 in any way, or whose IP camera has been compromised by unauthorized parties, or who has 8 1 suffered any harm or even simple annoyance and inconvenience from the alleged security flaws in 2 the DLS devices. The absence of any concrete facts makes it just as possible that DLS’s devices 3 are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory 4 allegations about potential injury to tilt the balance in its favor. Twombly, 550 U.S. at 557. The 5 lack of facts indicating a likelihood of harm is all the more striking in that the FTC says that it 6 undertook a thorough investigation before filing the complaint, Dkt. No. 42 at 8, and that the DLS 7 devices have had the challenged security flaws since 2011, id. at 18. This complaint stands in 8 sharp contrast to complaints that have survived motions to dismiss in other cases involving data 9 security issues. See, e.g., FTC v. Wyndham Worldwide, 799 F.3d 236, 242 (3d. Cir. 2015) (sustaining complaint that alleged data theft of personal information of hundreds of thousands of 11 United States District Court Northern District of California 10 consumers with over $10.6 million in fraudulent charges). 12 The FTC nevertheless contends that dismissal is unwarranted because “[t]he degree of 13 likely substantial injury is a question of fact inappropriate for this stage of the case,” Dkt. No. 28 14 at 6, and cites this Court’s holding in Brickman v. Fitbit, Inc., No. 15-CV-02077-JD, 2016 WL 15 3844327, at *3 (N.D. Cal. July 15, 2016), to that end. This misunderstands Brickman. That 16 decision, in a case which did not involve Section 5(n) or the FTC, held only that consumer 17 reliance on the defendant’s allegedly deceptive marketing statements entailed disputes of fact not 18 suited for resolution on a Rule 12(b)(6) motion. Id.; see also Williams v. Gerber Products, Co., 19 552 F.3d 934, 938-39 (9th Cir. 2009). That is not the question here, particularly since the FTC has 20 expressly divorced the unfairness claim from any of DLS’s representations to consumers. Dkt. 21 No. 42 at 12-13. Brickman is not at all germane. 22 If the FTC had tied the unfairness claim to the representations underlying the deception 23 claims, it might have had a more colorable injury element. A consumer’s purchase of a device 24 that fails to be reasonably secure -- let alone as secure as advertised -- would likely be in the 25 ballpark of a “substantial injury,” particularly when aggregated across a large group of consumers. 26 See Neovi, 604 F.3d at 1157 (“An act or practice can cause substantial injury by doing a small 27 harm to a large number of people”) (citation and quotes omitted). But the FTC pursued a different 28 and ultimately untenable track. 9 1 2 CONCLUSION Counts I, IV, and V of the complaint are dismissed with leave to amend. The motion to 3 dismiss is denied in all other respects. If the FTC would like to amend, it should file a revised 4 complaint that is consistent with this order by October 20, 2017. 5 IT IS SO ORDERED. 6 7 Dated: September 19, 2017 8 9 JAMES DONATO United States District Judge 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 10

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?