Hackability as a defect?

By Stephen E. Embry on March 18, 2015

By Stephen E. Embry, Frost Brown Todd

Google Self Driving Car

Toyota, Ford, and GM were recently hit with a proposed nationwide class action accusing them of selling dangerous and defective vehicles that are vulnerable to potentially catastrophic hacks. The suit, filed in federal court in California, claims that hackers could hypothetically wrest control of essential functions such as brakes and steering through the vehicles’ electrical control systems.

According to the complaint, Toyota, Lexus, Scion, Ford, Lincoln, Mercury, Buick, Cadillac, Chevrolet, GMC, Hummer, Pontiac and Saturn vehicles contain a series of electronic control units that are connected through a network, called a CAN bus. Data is sent from the control units to the vehicle’s CAN bus. If a hacker is able to send their own information to the network, they can take control of basic functions such as braking, steering and acceleration — and the driver of the vehicle would not be able to regain control, the complaint said. Claims breach of warranty, breach of contract, and violation of consumer protection laws are alleged in the 343 page complaint.

How this case is eventually treated has enormous potential impact for not only the automotive industry, but for most electronics and products with electronic components. The nature of the product would, of course, determine the impact of the potential hack, with varying degrees of gravity from a mere annoyance to life threatening consequences. Makers of medical devices, climate control systems, home appliances, smart phones, navigation systems, and a multitude of other product manufacturers could find themselves subject to such hacking threats, and, therefore, such claims.

Fortunately, no one in the present class action suit has yet suffered from such a hack. However, this brings up the operative question: Is hackability in and of itself a defect, before any damage has actually occurred? Do plaintiffs have standing to pursue a claim for hackability based on loss of property value alone? In this case, plaintiffs rely on the theory that the defect itself – which they define as the susceptibility to being hacked – supplies the damage, since they paid more for the products than they are worth, considering the defect.

Cases dealing with data breach issues may be the best indicator for how claims such as this will be treated. Some courts have held that an “increased risk” of identity theft alone is insufficient to confer standing to plaintiffs in a class action suit, while others have interpreted the U.S. Supreme Court case of Clapper v. Amnesty Int’l USA as permitting standing where there is a real or credible threat of harm, rather than actual injury. See e.g., In re Sci Applications Int’l Corp Backup Tape Data Theft Litigation; Krottner v. Starbucks. Considering its more liberal view on this issue, the Ninth Circuit may well be the plaintiffs’ best choice for such a claim.

With its wide-ranging potential impact, this case represents a new frontier in class action claims. If hackablity equals liability, then the floodgates could truly open for litigation concerning a vast array of technology-based products.

Stephen E. Embry is a member of Frost Brown Todd LLC and is a member of the Firm’s class action, privacy and mass tort groups. He frequently defends partici­pants in consumer class actions and mass tort litigation. Stephen has dealt with a broad range of problems; his mission is to find simple, successful and elegant solutions to the problems posed by complex and substantial litigation, primarily in the mass tort and consumer class actions, and more recently, the privacy and data breach arenas.