when many routers and IP cameras had vulnerabilities that left data exposed and did not follow established security practices in setting up passwords.
The FTC process suffered a setback when the court found that evidence was lacking to establish any link between product vulnerabilities and actual losses to consumers. However, D-Link would still have to defend itself against allegations of misleading advertising.
The Cause of Action Institute, which represented D-Link in the lawsuit, said the agreement had freed the company of all charges. The institute considered the agreement to be positive, since, unlike similar actions of the FTC, which imposed restrictions on the advertising of the accused companies, D-Link will not be subject to any prohibition or payment of a fine.
But the FTC got D-Link to commit to a number of safety measures that should impact the formulation of products. The manufacturer will be required to perform “security monitoring”, maintain contact with security researchers and even create specific features, such as automatic firmware update.
Firmware is software that is embedded in routers and cameras. Although the steps to update this software are rarely known to consumers, it is an essential procedure for equipment safety.
The audit of D-Link’s products can not be based solely on statements of the executives themselves. In other words, the audit will have to independently seek evidence to support your reports. All documentation must remain available to the FTC for five years.
Instead of following the rules imposed by the FTC, the agreement also allows D-Link to opt for a safe development standard from the International Electrotechnical Commission (IEC). In this case, the auditor hired by D-Link will have to certify compliance with the standard. The clause will be considered void if the company provides “false or misleading information” in one of its biannual reports.