Internet of Things security claims have caught the attention of lawmakers and regulators. The Internet has been interesting to follow and work with as a realm of process and information exchange. As the devices used to transmit information increase in our lives and work, protecting what is transmitted from unwanted eyes is not necessarily going in the same direction as the advancement of innovation. With that concern is the Federal Trade Commission determining that standards are needed to address foreseen vulnerabilities. These vulnerabilities were of concern when the FTC’s study focused on devices transmitting amid networks through the concept of the Internet of Things (IoT).
Since 2014, efforts to standardize measures to enhance cyber security were taking shape with Executive Order and the Cybersecurity Enhancement Act of 2014. The emphasis was to perpetuate the work of the National Institute of Standards and Technology (NIST). The FTC acknowledges the urgency with in which Web applications are being deployed to achieve tangible communication features for daily used devices.
Along with these concerns, the FTC saw fit to file a complaint against a device manufacturer of devices commonly used for Internet access and transmission. The angle taken by the FTC regarding D-Link was one based on weaknesses on cyber security. The claims were not based on actual consumer harm experienced by consumers, but rather on the security of cyber itself. This complaint was addressing IoT devices, such as routers, cameras and their Internet Protocol. The FTC also discussed the software that is implemented to achieve the desired transmission for devices to work as desired. This approach also peered into consumers use of mobile apps in the transmission and delivery of communications.
Under the authority to address misrepresentation in business practices, the FTC seeks to determine of an entity misguided consumers into believing and trusting its representation, especially if the claims were of the cyber security nature, touting that measures were implemented to a level of prevention when they were not. Section 5(a) of the FTC Act, provides authority consistent with this role and pursuit in the D-Link matter. Claiming to implement security measure when the very commonly accepted measure was not, the FTC deems deceptive under its Act. To aggravate the matter, if the measures that were not taken are the ones that are reasonable to implement, and that they are known in the industry to prevent, if implemented, unauthorized access, then the entity is failing to take reasonable precautions. D-Link was considered to have deceptively led consumers to believe that security features were in place with its claims.
It is noteworthy that the issue of actual harm was not at the gravamen of the filing but rather the deceptive aspect of cyber security claims by the devise manufacturer. This matter is telling for business. If they advertise claiming security features, such claims better be backed up with reasonable measures to meet the claims. The FTC takes seriously claims without supporting measures. If the practices to ensure that the claims are met are indeed industry reasonable measures, the business in question will face a hurdle of credibility and reputation in the industry, not to mention the scrutiny of the FTC.
Advertising is key to business growth and brand development. Advertising, on the other hand, done with over statements and exaggerations and non-carried-out claims, is only asking for trouble. Business should take care to address their policies, manuals, promotions, packaging, advertisements, with an honest involvement with the technical stakeholders of the business and management before publishing any security claims to the consumer public. If carelessly crafted and promoted, materials published by a business will be seen as deceptive and will run counter to FTC guidelines which are intended to establish standards of practice, addressing considerations for Internet of Things devices.