Injury in fact and the metaphysical risk of hacking in connected devices
November 2016 | EXPERT BRIEFING | RISK MANAGEMENT
Last year, in Cahen vs. Toyota Motor Corporation, the US District Court for the Northern District of California dismissed a putative consumer class action that focused on the vulnerability of connected cars sold by several carmakers to hacking. The court found that the plaintiffs lacked standing and that they failed to show legal injury: the plaintiffs alleged only that their cars were susceptible to hacking, but not that hacking had actually occurred or that the alleged potential for hacking caused them redressable injury. The plaintiffs, the court found, failed to establish the three elements of standing required in US law – injury in fact, an injury traceable to the challenged action of the defendant, and not the result of the independent action of some third party, and the redressability of the injury by a favourable judicial decision. In so ruling, the court seemed to remove one potential deterrent – the possibility that a consumer who had not suffered concrete, legal harm sufficient to confer standing could nonetheless maintain a lawsuit and recover damages – to manufacturers that want to market devices that collect, store and share data and become part of the burgeoning Internet of Things (IoT). But the story does not end with the district court’s dismissal of the plaintiffs’ claims. Cahen is on appeal, cases dealing with similar questions concerning other connected devices are pending in other courts, and similar cases are likely to appear as the IoT spreads.
Though it is often said that litigation in general, and consumer class action litigation more specifically, introduce incentives aside from simply protecting ‘public safety’, rendering them imperfect means through which to achieve reform, makers of connected devices cannot afford to ignore the potential economic impacts of such litigation. There has been relatively little IoT-related litigation thus far, but with Cahen and other cases involving home security systems, and with the prospect that fears that medical devices and household devices are vulnerable to hacking will culminate in litigation, it is becoming clear that consumer litigation may play a role in bringing IoT device manufacturers’ public safety responsibilities and potential liabilities into sharper focus. Cahen and other cases like it have introduced the idea that a purchaser of a connected device, even if not actually harmed by the device, can receive compensation from a manufacturer on the basis that they could be harmed – specifically, that the vulnerability of a connected device to hacking is an injury that confers standing upon a consumer.
And although the Northern District of California rejected those arguments in Cahen, the District Court’s ruling is not the final word on the issue – the ruling has been appealed. And EPIC, the Electronic Privacy Information Center, a Washington, DC based public interest research centre that writes extensively on safety and privacy implications of connected devices, has submitted a brief as amicus curiae in further support of the appeal, focusing on whether vulnerability to hacking satisfies the requirement of standing, and urging that the District Court’s ruling in Cahen on standing be reversed.
EPIC argues that the district court conflated “injury in fact, i.e., the illegal invasion of a legal right”, and “consequential harm” in the analysis of plaintiffs’ standing. “The court,” EPIC says, “failed to examine whether the plaintiffs had suffered violations of law” and focused “on whether consequential harms were ‘certainly impending’ thereby conflating legal injury with harm”. The district court found that a plaintiff’s speculation about harm does not a claim of legal harm make, but EPIC now argues that to characterise the harm as “speculative” is a “fundamental misunderstanding of security vulnerabilities created by connected cars”. EPIC says that connected cars, by their nature, are reliant upon “electronic control units” to allow components of the cars to communicate with each other, and that they are vulnerable to malfunction and hacking. According to EPIC, the data collected by those units is unencrypted and open to attack. A consumer class action could adapt that line of thinking to other types of connected devices. The limits of that type of litigation are the bounds of the IoT and, in the world of ubiquitous connectivity that IoT proponents envision, those limits will be exceedingly far-flung.
But is that threat sufficient to confer standing to sue upon a consumer who has not yet suffered harm? In that question lies the tension in Cahen. Concerns about connected devices, though perhaps still hypothetical – there have not been hacking incidents involving connected cars outside of controlled experiments – are widely harboured and, quite possibly, legitimate. Hypothetical doomsday hacking scenarios receive substantial press coverage and capture public attention because there could very well come a day when a hacked connected device physically or economically harms consumers. Think of the tens of billions of connected devices that are expected to be online within the next decade, the places they will be used – heavy industry, power grids, transit systems, cars, homes, human bodies – and the inherent difficulties of securing the data they generate and transmit, and the possibilities by which a connected device could be hacked and cause a person harm abound. To this point the district court in Cahen offered the simple rejoinder – courts routinely dismiss cases in which there has been no actual injury and the injury in fact theory rests only on an unproven risk of future harm; the threat of hacking, for all the fear it rightly engenders, is no different. If the hacking is merely speculative, it does not confer standing upon a plaintiff. Though the injuries caused by a car accident may be severe, they should not be conflated with the question of whether an injury occurred. And, in any event, should the threat of hacking be left to consumer class action litigation to address? Data vulnerabilities and solutions are highly technical and difficult to understand. As some commentators have pointed out, these threats may be better addressed by implementing uniform standards, designed by the legislature, rather than leaving them for the market and litigation, with their vagaries, to solve.
Cases like Cahen, which focus on the standing of consumers who have purchased connected devices, like home security systems, will work their way through US courts in the coming years, with the expected boom in connected devices bringing online billions of devices that collect, store and share data. The liabilities to manufacturers are potentially enormous, particularly if courts permit plaintiffs to point to risks of speculative future harm as a basis for their “injury in fact” theory. Manufacturers would be well-advised to monitor these cases as they consider whether to bring IoT-related products to market and how to address specific potential vulnerabilities in those devices, particularly at this stage, while regulatory standards for connected devices have not yet been established.
Geoffrey A. North is a partner at BakerHostetler. He can be contacted on +1 (212) 589 4642 or by email: firstname.lastname@example.org.
© Financier Worldwide