As more consumers start to drive connected cars, plaintiffs’ lawyers and regulators are scrutinizing the cars’ cybersecurity for any perceived vulnerabilities. Although researchers state the risk of hacking is remote, some plaintiffs’ lawyers have been particularly aggressive in pursuing cyber claims in this area, bringing cases even against connected car manufacturers who already have security measures in place.
Consistent with a broader trend of class actions seeking damages for allegedly hackable consumer products, connected cars may be subject to significant (and costly) cyber litigation risk in the years to come.
Two recent cases—Cahen v. Toyota Motor Corp. in the Ninth Circuit and Flynn v. FCA US LLC in federal district court in Illinois—illustrate the need to begin to consider these issues now, before a lawsuit is inevitably filed.
In Cahen, plaintiffs from California, Oregon, and Washington filed a class action in March 2015 in the Northern District of California against three connected car manufacturers, alleging that the manufacturers equipped their cars with technology susceptible to third-party hacks.
According to the plaintiffs, the technology at issue created a potential risk of theft, damage, injury, or death and lowered the value of their cars.
The plaintiffs also alleged that the manufacturers impermissibly invaded their privacy by collecting and transmitting information about car performance and location data.
The district court dismissed the complaint, holding:
- the plaintiffs did not have Article III standing to sue, and
- the court did not have personal jurisdiction over one of the manufacturers.
With respect to Article III standing, the district court held that the mere susceptibility of the plaintiffs’ cars to hacking was not a “certainly impending” harm sufficient to establish the required injury-in-fact.
The court also rejected the plaintiffs’ economic loss theory of injury, describing as “conclusory” the plaintiffs’ claim that they would have paid less for the cars if they had been aware of the alleged defects. (This kind of claim has met with a similar fate in more garden-variety data breach class action lawsuits.)
In addition, the court held there was no injury-in-fact for the invasion of privacy claims because the plaintiffs failed to adequately identify a protected privacy interest or to establish a credible risk of future identity theft.
As to personal jurisdiction, the court concluded there was no personal jurisdiction over one of the manufacturers because the alleged misconduct did not take place in California and because the manufacturer was not incorporated, headquartered, or otherwise “essentially at home” in California.
Abandoning their personal jurisdiction arguments, plaintiffs appealed the court’s dismissal for lack of standing, which the Ninth Circuit Court of Appeals affirmed in a short unpublished memorandum disposition.
The plaintiffs found more success in Flynn, a similar class action brought in July 2015 in the Southern District of Illinois against a car manufacturer and its supplier of “infotainment” hardware and software.
In this case, plaintiffs alleged violations of the federal Magnuson-Moss Act, implied warranties of merchantability, Michigan, Illinois and Missouri consumer protection statutes, as well as claims for negligence and unjust enrichment.
Like the plaintiffs in Cahen, the Flynn plaintiffs claimed that cars they purchased or leased from a manufacturer were susceptible to hacking via their infotainment systems, creating a risk of future injury, instilling fear and anxiety of such injury, and diminishing the value of their cars.
However, the Flynn plaintiffs also provided greater detail regarding why the vulnerabilities allegedly could have affected the value of their cars, pointing to a 2015 article in a popular magazine describing the alleged vulnerabilities and to reports from consumers during a recall that their cars had purportedly been hacked.
Unlike in Cahen, the district court in Flynn denied the defendants’ motions to dismiss for lack of Article III standing. The court focused on the plaintiffs’ claims that the alleged vulnerabilities lowered their cars’ values.
The court reasoned that these allegations were sufficient to create the requisite injury-in-fact because bad press and consumer reports of hacks could potentially affect both the original purchase value and the resale value of the plaintiffs’ cars, and additionally noted that plaintiffs had raised questions about the effectiveness of the manufacturer’s recall efforts.
Nonetheless, after learning of the potentially conflicting decision in Cahen, the Flynn court acknowledged that the standing ruling was a close issue and certified it for interlocutory appeal. The Seventh Circuit Court of Appeals declined to hear the appeal, and the U.S. Supreme Court denied a petition by the defendants for a writ of certiorari.
The Flynn court ultimately certified three state-based classes with respect to certain claims that survived summary judgment, but declined to certify an “unwieldy” nationwide class. The case is currently in discovery and proceeding toward trial.
Importantly, neither the Cahen nor the Flynn court has ruled on the merits of any plaintiffs’ claims.
What to Do Now
Connected vehicle manufacturers and other companies facing allegations that their products contain security vulnerabilities that have not yet been exploited should pay close attention to the defenses raised in Cahen and Flynn. In both cases, lack-of-injury-based dismissal arguments proved to be particularly powerful, resulting in a complete dismissal in Cahen and a certified order for interlocutory appeal in Flynn.
Connected car manufacturers should consider now how to blunt the deprivation-of-value arguments that plaintiffs have had success with, both to forestall plaintiffs from suing and to build up defenses in the event that they do.
Here are some things to consider:
- Develop “patching” protocols and tools that manufacturers can deploy after the vehicle has been sold, to fix vulnerabilities as soon as they are identified;
- Implement a “security by design” approach during product development;
- Subject connected parts and components to a robust series of security assessments (penetration tests, vulnerability assessments, etc.) as part of a vendor management program;
- Manage risk through contracts with “connected” parts and component suppliers, including by adding relevant warranties and indemnities, and by monitoring the financial health of such suppliers;
- And, when litigation hits, emphasize injury-based dismissal arguments early on, challenge class certification for any remaining claims, and carefully evaluate any additional defenses that may be available.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Aravind Swaminathan is a partner at Orrick in Seattle and Boston and global co-chair of Orrick’s internationally recognized Cyber, Privacy & Data Innovation team. He collaborates with his clients to proactively plan for a crisis and develop strategies to improve resiliency, respond efficiently and effectively, and protect their business and brand.
David T. Cohen is of counsel at Orrick in New York and focuses on complex litigation, particularly in the area of privacy and data security. He has extensive experience working with corporate clients that have suffered data breaches or have been accused of privacy violations, defending them against class actions and claims asserted by payment card brands and representing them in connection with federal and state government actions.
David Curtis is a law clerk at Orrick (pending admission in Washington state) working in the firm’s Cybersecurity, Privacy and Data Innovation practice. He is a graduate of Harvard Law School and is admitted to practice in New York and Massachusetts.