One area of concern for data privacy and cybersecurity professionals is the security of the Internet of Things, which refers to the digitally connected smart devices present in almost every aspect of our lives and growing exponentially in number every day. Though it has tremendous upside and potential for consumers and businesses, the Internet of Things has proven vulnerable to hackers and cybercriminals who have used these devices to cause disruption and steal personal information. To give a recent example, in October 2016, hackers took control of hundreds of thousands of Internet-connected devices and used them to send a flood of traffic to the websites of several major businesses, including Twitter, Netflix, and The New York Times, making them inaccessible for several hours.

FTC v. D-Link

In an ongoing effort aimed at making the Internet of Things more secure, the Federal Trade Commission (FTC) filed a complaint last week against D-Link, a Taiwan-based computer networking equipment manufacturer, for alleged security flaws in its wireless routers and Internet cameras that left the devices vulnerable to hackers. According to the complaint, while advertising that its products were "easy to secure" and had "advanced" network security features, D-Link's devices suffered from well-known and easily preventable security flaws, such as having hard-coded user credentials on devices and keeping mobile app login credentials in readable text form. According to the FTC, these practices were deceptive under section 5 of the FTC Act.

While the complaint does not specifically identify any hack or breach involving D-Link devices, it gives examples of how these vulnerabilities put consumers' sensitive personal information at risk and alleges that the risk of hackers exploiting these vulnerabilities is "significant." To succeed, the FTC must show that these devices caused or are likely to cause substantial injury to consumers.

With this action, D-Link joins a growing list of manufacturers that have found themselves in the crosshairs of the FTC's ongoing efforts to make the Internet of Things more secure. The FTC previously brought actions against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras, resulting in settlement agreements. Smart device manufacturers and related software developers can expect to see additional enforcement actions, particularly for commonly hacked devices such as routers and modems that act as a bridge to the Internet and are often the first line of defense for other devices.

Takeaways

To avoid such actions, the FTC has issued guidance on the Internet of Things, detailing steps businesses can take to enhance and protect consumers' privacy and security. Manufacturers and software developers are encouraged to review and incorporate these guidelines into their products and devices to the extent feasible. The IoT guidance can be found here.

Another lesson to glean from this case is to be mindful in marketing and advertising products to consumers. If a company advertises a product as easy to secure and keep safe, it had better be both. Companies that over-sell or over-promise security, safety, or privacy may find themselves subject to an FTC enforcement action.

Lastly, this case shows the risk involved in trying to address privacy and security concerns in products after they have entered the market. While hindsight is always 20/20, the best course of conduct would be to incorporate as much privacy and security as possible into the design of a product before it hits the market. If more companies do that, we will be one step closer to making the Internet of Things more secure.
