Suing over Technology Security Still Requires Standing, but For How Long?
We continue to see concern over technology and security, with an increasing focus on the Internet of Things (IoT). Courts are becoming a popular forum for these disputes, with class-action litigants, like those in Edenborough et al v. ADT, LLC et al, No. 3:16-cv-02233 (N.D. Cal. Apr. 25, 2016), hoping that the courts will step in to set technology policy. Likewise, commentators like Bruce Schneier encourage the government to use regulation or standards of care to let litigants “impose liabilities on manufacturers” of IoT devices.
Courts, in the main, insist that plaintiffs bring non-abstract claims based on actual harm. In an opinion released late last year in a highly watched case, the Ninth Circuit affirmed a lower court’s dismissal of Cahen v. Toyota Motor Corp, a class-action case involving automotive cybersecurity. There, class-action plaintiffs claimed, based on news reports, that their vehicles contained electronic control units that could be hacked, and sought money damages despite there being no actual exploit or breach of consumer data.
The Ninth Circuit affirmed the dismissal for lack of standing because the plaintiffs failed to allege an injury-in-fact. Their vehicles had not actually been hacked and they could not show that any vehicle had been hacked outside of a controlled environment. The court stated that mere risk of being hacked was “speculative” and not enough to show injury.
Nor could the plaintiffs show injury based on over-paying for their cars, a novel theory that plaintiffs were testing. The court stated that such an allegation was “conclusory and unsupported by any facts” because the plaintiffs could not show any economic loss.
Finally, the plaintiffs could not show they suffered injury based on invasion of privacy. They could not show why the data collected from their cars is sensitive or individually identifiable to a particular driver. They therefore could not “demonstrat[e] how the aggregate collection and storage of non-individually identifiable driving history and vehicle performance data cause an actual injury.”
This case shows that a high bar continues to face Plaintiffs bringing lawsuits related to security issues in new technology: they will need to show that they were actually injured. Abstract claims are insufficient. But, the case also highlights the growing use of litigation to try to influence emerging technology. We expect more such litigation in the future, even though, as discussed in an earlier post, tech policy is best developed--not by judges and juries--but by the market, supported by executive and legislative branch action to facilitate innovation.