Device manufacturer D-Link Systems has agreed to implement a “comprehensive software security program” to settle Federal Trade Commission charges that the company exposed customer data to hackers while advertising top-of-the-line security measures.
D-Link will not pay any financial penalties as part of the settlement, but its software development process will have to include threat modeling; testing for security bugs before a product is released; ongoing monitoring of shipped devices so that flaws can be addressed; automatic firmware updates; and the acceptance of vulnerability reports from outside researchers.
The government’s litigation against the Southern California company, which makes wireless routers and smart cameras, began in 2017. The FTC alleged that D-Link, despite billing its products as having “advanced network security,” failed to test them and did not remediate “well known and preventable security flaws.” That same year, researchers found 10 vulnerabilities in a single D-Link router model that could have been exploited to take over the device.
Under the settlement, the company will also be subject to risk assessments every other year by an external firm, which the FTC has the authority to approve.
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in a statement. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
FTC commissioners voted 5-0 to approve the settlement. The agency’s January 2017 complaint was among its earliest actions against a maker of connected devices and the first such case to be litigated rather than settled at the outset. The legal argument rested on two counts under Section 5 of the FTC Act: deception, because D-Link’s security claims misrepresented its products, and unfairness, because D-Link had failed to take “reasonable” steps to secure its routers and cameras.
Last year, the 11th U.S. Circuit Court of Appeals vacated an FTC order requiring the now-defunct medical testing company LabMD to institute a “data-security program that comported with the FTC’s standard of reasonableness,” holding that those instructions were too vague to be enforced. If the D-Link settlement, with its concrete list of required practices, is any indication, other companies could now have a clearer idea of what the FTC expects.
The proposed settlement is available in full at http://www.documentcloud.org/documents/6180252-FTC.html