Pending Appeal May Let Litigation Distort IoT Security Priorities
Innovators and regulators are wondering how to promote IoT security and public dialogue, including about vulnerabilities. Patching IoT devices will be complex and require cooperation from many parts of the ecosystem. This complicates industry and government efforts, like those at the National Telecommunications and Information Administration, to understand and develop frameworks for IoT security and patching.
One sure way to undermine progress is to let opportunistic litigation punish companies for hypothetical harms from claimed product and software vulnerabilities. Few are discussing how the threat of litigation—unique to the United States with its active class action bar, amorphous state laws, and massive attorneys’ fees—can undermine IoT innovation. I previously wrote about how litigation can impact IoT, and my colleague Matt Gardner just did a post on a recent case against ADT. A pending appeal brings these issues into stark relief.
You likely recall reports in 2015 about hackers getting control over a Jeep and causing its brakes to fail. (See here for criticism of how it was done.) Some on the Hill have been raising concerns about car cybersecurity, and after the Jeep incident, it wasn’t long before the vultures circled.
In a pending case out of California, a purported class action seeks lots and lots of money (and attorneys’ fees) from GM and Toyota for “failure to disclose the highly material fact that their vehicles are susceptible to hacking.” They also complain that manufacturers collect data from cars and “share it with or sell it to third parties, often without adequate security (making it an attractive target for hackers).”
The district court rejected the suit, finding that plaintiffs lacked standing because they had not alleged any actual harm from the vulnerability or exposure of data, noting that courts regularly “deny standing in product liability cases where there has been no actual injury and the injury in fact theory rests only on an unproven risk of future harm.”
On appeal, the plaintiffs are trying to work around standing obstacles and open a new avenue for plaintiffs in cyber cases. By way of background, in Clapper v. Amnesty International (2013), the Supreme Court rejected a theory of standing based on self-inflicted monetary injury or speculation about possible actions of third parties. (Fun fact: I filed the only amicus brief on the winning side, for a bi-partisan group of former U.S. Attorneys General and the Washington Legal Foundation). A subsequent Supreme Court case, Spokeo v. Robins (2016), required in a data privacy context that “an injury in fact must be both concrete and particularized” to show standing. And, a recent district court case found allegations that “vulnerabilities have exposed [plaintiffs] to an increased risk of injury or death if their vehicles were hacked” insufficient to confer Article III standing. Flynn v. FCA US LLC, No. 15-cv-0855-MJR-DGW, Dkt. No. 115, Mem. Order at 4 (S.D. Ill. Sept. 23, 2016).
GM and Toyota have strong arguments to affirm the district court’s decision on standing issues. According to GM, “[t]he Complaint relies upon news media, online articles, and one academic study suggesting that remote control is possible by experts under test conditions, but no actual incidents of such hacking taking place.”
Though GM and Toyota should prevail against the plaintiffs’ appeal, the case’s implications are troubling. Amicus EPIC frames the case as about policy and technology preferences. In its brief, EPIC invokes the “risks of data breach, auto theft, and physical injury” and cites dozens of press clippings and policy papers, presenting a litany of frustrations with connected car policy and innovations that have not been mandated. It invokes “risks” that have yet to harm an actual customer and laments that “manufacturers should be required to implement these safeguards to protect their customers.” Industry and NHTSA are working through these issues, and car companies are developing and following best practices. These complex issues are not best resolved in court.
The Cahen case and others like it may shape the future of IoT innovation. Class actions are a threat to innovators because they bring expensive litigation and risk of crushing liability. Permitting class actions like this to proceed may chill IoT innovators across sectors, whose products may later be shown to need updates and who may be sued for vulnerabilities that may or may not be exploited by nefarious third parties. This is not how IoT security should be addressed. As federal agencies look to create incentives for IoT development and market demand for security, they should consider how to limit the uncertainty and litigation risk reflected in this sort of litigation.