The U.S. District Court for the Northern District of California recently issued a mixed ruling on D-Link Systems’ motion to dismiss in FTC v. D-Link Sys., Inc.1 D-Link sells routers and Internet protocol (IP) cameras that it markets as having good data security, including “the latest wireless security features to help prevent unauthorized access” and “the best possible encryption.”2 The Federal Trade Commission (FTC) filed a complaint against D-Link, alleging that the company’s products were in fact subject to “widely known and reasonably foreseeable risks of unauthorized access,” and that, among other things, D-Link failed to deploy “free software, available since at least 2008, to secure users’ mobile app login credentials.”3 The complaint alleges five claims for deceptive marketing practices and one count for unfair practices under Section 5 of the FTC Act.
D-Link moved to dismiss the FTC’s complaint under Federal Rules of Civil Procedure 12(b)(6), 9(b), and 8(a). Judge James Donato denied D-Link’s motion with respect to three of the FTC’s deception counts, and dismissed the other two deception counts and the unfairness count with leave to amend. In so doing, Judge Donato held that deception claims under Section 5 sound in fraud and are therefore subject to the heightened pleading standards of Rule 9(b). Judge Donato also observed that Rule 9(b) might apply to Section 5 unfairness claims in some circumstances, but dismissed that claim separately because the FTC had failed to plead any “substantial injury” to consumers.4 The court’s decision suggests a departure from the injury standard articulated by the FTC in In re LabMD, Inc. At the same time, the court signaled to the FTC how it might amend its unfairness count to state a viable claim going forward.
Rule 9(b) and Section 5
The Ninth Circuit has not yet had an opportunity to rule on whether the heightened pleading standards of Rule 9(b) that apply to claims sounding in fraud also apply to claims under Section 5. The D-Link court, however, joined several other district courts in concluding that it does.5
In reaching its conclusion, the court looked to the Ninth Circuit’s decision in Vess v. Ciba-Geigy Corp. USA.6 In Vess, the Ninth Circuit examined whether claims under the California Unfair Competition Law (UCL), which, like Section 5, prohibits deceptive practices without requiring fraud as an element, must nevertheless satisfy Rule 9(b). It held that any claim that alleges a defendant engaged in fraudulent conduct must indeed satisfy Rule 9(b), even if fraud is not necessarily an element of the claim. Based on Vess and other Ninth Circuit decisions, Judge Donato concluded Rule 9(b) applies to the FTC’s deception claims in this case.
Judge Donato also considered whether Rule 9(b) should apply to the FTC’s unfairness claim under Section 5. Although the court observed there is “little flavor of fraud” in the formal elements of a Section 5 unfairness claim,7 the FTC expressly stated that “the core facts [of its deception and unfairness claims] overlap, absolutely.”8 In light of that overlap, the court found “a distinct possibility that Rule 9(b) might apply to the unfairness claim.”9 But because the court ultimately dismissed that claim on other grounds, it held the issue of whether Rule 9(b) applies to the FTC’s unfairness claim was “not ripe for resolution” and will depend “how the unfairness claim is stated, if the FTC chooses to amend.”10
Judge Donato found three of the FTC’s five deception counts adequately stated claims for relief. The court held that those claims, which allege that D-Link misrepresented the data security and protections its devices provide, adequately stated the “‘who, what, when, where and how of the misconduct charged’” as required by Rule 9(b).11 Specifically, it found the FTC’s allegations that D-Link’s routers and IP cameras “do not protect against ‘critical and widespread web application vulnerabilities’ identified since 2007, including ‘“hard-coded” user credentials,’ ‘command injection flaws’ and ‘other backdoors’”12 sufficiently explained why D-Link’s statements about data security were deceptive.
The FTC’s other two deception counts alleged D-Link misrepresented data security features in promotional materials for IP cameras and graphic user interfaces for routers. Although the complaint attached materials in support of those claims, most failed to identify the dates when the misrepresentations were made or seen, and only one of those materials met the standards of Rule 9(b). That document, a brochure for an IP camera, simply advertised a “surveillance camera” and otherwise “contain[ed] no representations at all about digital security.”13 Judge Donato held that the document did not adequately support claims that D-Link misrepresented the data security features of IP cameras and routers, and dismissed those claims with leave to amend.
D-Link raised several broad objections to the FTC’s unfairness claim, all of which the court rejected. D-Link first argued that the FTC lacks regulatory authority over general data security practices. The court concluded that type of challenge “has been consistently rejected by other courts, with good reason.”14 It held that Section 5 is intentionally open-ended and that the FTC has broad regulatory authority to prevent unfair practices, including unfair practices related to data security. D-Link next argued that the FTC is required to give companies “fair notice” of data security standards before it may pursue enforcement actions against them.15 Judge Donato squarely rejected that argument as well: “[a]gencies are not required to anticipate problems and promulgate general rules before performing their statutory duties”16 and “to require the FTC in all cases to adopt rules or standards before responding to data security issues faced by consumers is impractical and inconsistent with governing law.”17
Nevertheless, the court found D-Link’s argument that the FTC’s unfairness claim failed under Rule 8(a) persuasive and dismissed it on that basis. Section 5(n) defines an unfair act or practice as one that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”18 The court held the FTC failed to adequately plead the first element of injury. Judge Donato observed that the FTC had failed to allege any actual consumer injury and had only alleged “likelihood” of “risk” to consumers’ data.19 The court further held that FTC’s allegations about potential injury were “conclusory”20 and that the complaint “lack[ed] . . . facts indicating a likelihood of harm.”21 Given all this, the court concluded that the FTC’s allegations differed significantly from data security complaints that survived motions to dismiss.22
In light of the insufficiency of the FTC’s allegations regarding actual harm or the likelihood of consumer harm, the Court dismissed the FTC’s unfairness claim. At the same time, Judge Donato pointed out that if the FTC had tied its unfairness claim to the representations that underlie the deception claims, the injury element would be more colorable because purchasing a device that fails to be reasonably secure, or as secure as advertised, “would likely be in the ballpark of a ‘substantial injury.’”23 Judge Donato thus paved a path forward for the FTC to replead its unfairness claim based on a more traditional economic loss theory of consumer harm.
Substantial Injury and LabMD
At first glance, the court’s dismissal of the FTC’s unfairness claim based on the absence of a substantial injury might appear to diverge from the standard for injury that the FTC articulated in its opinion in LabMD, Inc. There, the commission found that LabMD’s data security practices were “likely to cause substantial injury” because there was a “significant risk” that sensitive consumer health data contained in a file shared on a peer-to-peer network could be located by malicious users who sought it out, even though there was no evidence of actual consumer harm.24 The FTC’s opinion overturned an earlier holding by an administrative law judge (ALJ) that “likely to cause” requires a showing that substantial consumer injury was “probable.”25 The ALJ placed significant weight on the fact that the complaint counsel in LabMD had “not . . . identified even one consumer that suffered any harm as a result of Respondent’s alleged unreasonable data security,” and it concluded that this “undermines the persuasiveness of Complaint Counsel’s claim that such harm is nevertheless ‘likely’ to occur.”26 The FTC rejected the ALJ’s reasoning, holding that it “comes perilously close to reading the term ‘likely’ out of the statute. When evaluating a practice, we judge the likelihood that the practice will cause harm at the time the practice occurred, not on the basis of actual future outcomes. This is particularly true in the data security context.”27
While Judge Donato, like the ALJ in LabMD, emphasized that the FTC had not alleged even a single consumer suffered any kind of injury as a result of D-Link’s data security practices,28 the unfairness claim was ultimately dismissed because the complaint also “lack[ed] . . . facts indicating a likelihood of harm.”29 Although the FTC alleged facts to suggest a “possibility” of harm,30 these allegations in the D-Link complaint were necessarily less detailed and developed at the pleading stage than the facts before the commission in LabMD. By the time the LabMD matter had been appealed to the FTC, the facts had been well-developed to the point they included expert findings. Seeming to acknowledge this, the FTC tried to argue that the degree of likely substantial injury is an issue of fact that the D-Link court should not resolve on a motion to dismiss, but the court rejected that argument. It follows that the court’s decision in D-Link may not depart from the FTC’s standard for substantial injury in LabMD, so much as the federal courts impose higher procedural hurdles than agency adjudication when it comes to developing the facts needed to demonstrate substantial injury. Assuming that the FTC decides to replead, how the court will ultimately rule on the FTC’s unfairness count once the facts are known remains to be seen. For now, the court’s decision suggests, perhaps unsurprisingly, that the FTC’s unfairness claims are likely to fare better through the agency’s administrative channels than in federal courts.
1 No. 3:17-cv-00039-JD, 2017 U.S. Dist. LEXIS 152319 (N.D. Cal. Sept. 19, 2017).
2 Id. at *2.
4 Id. at *5-6, *14-17.
5 D-Link, 2017 U.S. Dist. LEXIS 152319, at *5; FTC v. Lights of Am., Inc., 760 F. Supp. 2d 848, 852-55 (C.D. Cal. 2010); FTC v. ELH Consulting, LLC, No. CV 12-02246-PHX-FJM, 2013 U.S. Dist. LEXIS 126110, at *1 (D. Ariz. Sept. 4, 2013); FTC v. Swish Mktg., No. C 09-03814 RS, 2010 U.S. Dist. LEXIS 15016, at *4-10 (N.D. Cal. February 22, 2010).
6 317 F.3d 1097, 1103-04 (9th Cir. 2003).
7 Id. at *5.
9 Id. at *6.
11 Id. (quoting Ebeid ex rel. United States v. Lungwitz, 616 F.3d 993, 998 (9th Cir. 2010)).
12 Id. at *7.
15 Id. at *11.
16 Id. at *11-12.
17 Id. at *12 (citing SEC v. Chenery Corp., 332 U.S. 194, 201-02 (1947); NLRB v. Bell Aerospace Co., 416 U.S. 267, 292 (1974)).
18 15 U.S.C. § 45(n).
19 D-Link, 2017 U.S. Dist. LEXIS 152319, at *14; see also id. at *15 (finding the sum total of the FTC’s harm allegations “make out a mere possibility of injury at best”).
22 Id. at *15-16 (citing FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (where the complaint alleged actual consumer injury resulting from theft of the personal information of hundreds of thousands of consumers and over $10.6 million in fraudulent charges)).
23 Id. at *16.
24 LabMD, slip op at 20-25.
25 Id. at 20.
26 Id. at 23 (alteration in original) (citation omitted).
28 D-Link, 2017 U.S. Dist. LEXIS 152319, at *15.