Trial Magazine
Theme Article
A Broken Net
When internet-connected products injure consumers, class actions are a key way to hold the manufacturers of these devices accountable for security failures.
December 2018

The internet occupies a central role in our daily lives—for entertainment and work. More recently, it has become a tool to allow companies to install software patches and fix problems without technician intervention. Manufacturers of consumer goods have also expanded the internet’s reach into products such as appliances, toys, cars, Fitbits, Apple Watches, “smart” home speakers, and medical devices. Together, these connected devices are known as the “Internet of Things” or “IoT.” But the connected nature of these and other products can lead to problems—from privacy breaches to physical injuries.1
Cybersecurity vulnerabilities are not amorphous or nonthreatening. Much like the recent Equifax, Yahoo, Google+, and Uber data breaches that have affected hundreds of millions of people,2 inadequate IoT cybersecurity can expose consumers’ private information. In 2017, for example, hundreds of thousands of consumers’ emails and passwords and millions of private recorded messages were exposed to hackers by Spiral Toys, a company that sells smart stuffed animals called CloudPets, because its database was not behind a firewall or password protected.3 To make matters worse, reports later revealed how CloudPets could be exploited via Bluetooth so that third parties could control the devices through the internet and listen in from outside of consumers’ homes.4 In 2018, retailers started pulling CloudPets from their stores and sales platforms due to the cybersecurity weaknesses.5
Although halting sales of an IoT device like CloudPets helps protect future consumers and incentivizes the manufacturer to implement adequate cybersecurity protections, such after-the-fact actions fail to rectify the harm that has already occurred. Injured consumers may be able to pursue various claims in court, including those related to fraud, warranties, and consumer protection statutes. They also can seek redress in court via a class action, like the one consumers are currently pursuing against Equifax.6
Consumers depend on device manufacturers to incorporate industry standards and regulatory agency guidance on cybersecurity to ensure that consumers’ data, privacy, and health are safeguarded—especially when laws and regulations have failed to keep pace with technological change.
Potential Risks
Injuries in IoT cases typically fall into two categories, and early litigation in this area can provide guidance on how courts are handling these issues.
Privacy. Class action claims over IoT cybersecurity vulnerabilities are not new. For example, in 2016, consumers sued ADT, the home security company, alleging that they were deceived about their wireless home security devices’ vulnerability to hacking due to a lack of encryption.7 After the court allowed certain fraud claims to proceed, ADT settled the consumer cases in 2017 for $16 million.8
In another case, a consumer class action was initiated against Bose in 2017 concerning the company’s wireless headphones, alleging that the company secretly collected, transmitted, and disclosed its customers’ private music selections without consent.9 A motion to dismiss the case is pending.10
Physical safety. Exposing consumers’ private information is not the only type of claim concerning IoT devices. Risks to consumers’ physical safety have also led to litigation in recent years. For example, in a class action involving many Chrysler cars, trucks, and SUVs, consumers allege that a security flaw in the company’s Uconnect® dashboard computer could allow hackers to hijack critical systems such as the steering, brakes, and transmission, creating the potential for physical harm.11
A recall involved a software security update, but the lawsuit alleges that the recall was insufficient because the Uconnect system and its vulnerabilities are still connected to essential engine and safety controls, making these vehicles defective.12 In 2018, the district court partially denied the defendants’ summary judgment motions and granted class certification in part because the alleged defects and the defendants’ alleged failure to disclose them raise common questions as to whether the defendants engaged in standardized conduct.13 The court certified Illinois warranty claims, Michigan consumer protection claims, and Missouri Merchandising Practices Act claims.14
Unfortunately, physical harm from remotely connected vehicles is not merely a possibility: It has already happened. In March, a pedestrian died after being hit by a driverless Uber vehicle that was traveling too fast for road conditions and did not “see” her walking her bike across a road.15 Additional collisions and deaths have occurred involving other semi-autonomous driving systems that have weaknesses such as not seeing stationary objects.16
IoT medical devices that wirelessly connect patients to hospitals, pharmacists, and doctors also could cause physical harm because they are susceptible to hacking and security risks. Researchers have uncovered flaws in dozens of medical devices, including pacemakers, insulin pumps, glucose monitors, and digital intravenous drips.17 A pair of researchers, for example, say that they have discovered vulnerabilities with Medtronic pacemakers through which malware can be installed on the devices, allowing them to be controlled remotely, which means that unnecessary shocks could be delivered to patients or needed shocks could be withheld.18
Litigation over vulnerable IoT medical devices has been somewhat limited to date, but the potential for physical harm caused by insufficient cybersecurity cannot be ignored.19 The proven existence of flaws in such devices underscores the need for manufacturers to protect consumers, especially in light of draft FDA guidance suggesting that manufacturers provide a “cybersecurity bill of materials” that lists device components vulnerable to attack.20
Class Action Hurdles
Federal lawmakers have not yet enacted national legislation that would control or regulate these devices, and—apart from states passing new laws that would allow consumers to safeguard and monitor their data—the current patchwork nature of state regulation is woefully inadequate.21 Civil lawsuits remain one of the most important ways for consumers of IoT devices to protect themselves, especially in the context of products liability issues.
Class actions allow consumers injured by IoT devices to hold companies accountable for massive data breaches or the loss of the “benefit of the bargain” when consumers purchase devices susceptible to hacking and malware. They also permit consumers to pursue a quasi-recall of a defective or dangerous product because the litigation encourages retailers to remove these products from the market and because consumers who learn of the litigation stop buying them. Before filing any class action related to breaches or injuries associated with IoT devices, however, consider the challenges that these lawsuits likely will bring.
Forced arbitration clauses. Certain IoT devices may explicitly require consumers to arbitrate their claims, preventing them from suing and waiving any right to trial by jury. Defendants often use forced arbitration clauses to avoid class actions or other consolidated proceedings altogether. Although courts have shown a reluctance to invalidate these provisions, consumers are making significant strides in litigating these claims when the clauses are, for example, buried within warranty packets22 or when companies try to deny consumers any recourse or ability to pursue their claims.23
Standing. Since the U.S. Supreme Court’s 2016 Spokeo, Inc. v. Robins decision,24 which emphasized that an injury in fact must be concrete and particularized, defendants have been raising Article III standing challenges related to data breaches, hacking, and injuries arising out of inadequate data security.25 As a result, it is crucial to understand how the district and circuit courts in your jurisdiction have interpreted and applied Spokeo and to be able to articulate how, specifically, consumers were injured (for example, through dissemination of their private information) beyond hypothetical conjecture related to the potential for future harm.
Know the device. Understand how the IoT devices in question work, how data is transmitted, and where data is stored. Before filing, consult an expert in the field to learn how the devices collect, transmit, and receive data and whether those devices need to be connected to the internet to work and perform basic functions. You also must understand whether and to what extent the purchase agreements and warranties guarantee that certain online services will work.26 This will help inform what claims, such as breach of warranty, may be available.
Be creative. Consider new and novel approaches to these lawsuits, and reach out to colleagues for assistance. For example, the federal Computer Fraud and Abuse Act of 1986, which prohibits computer crimes such as accessing a computer without authorization, could be used to obtain redress from companies that install software updates on devices that have harmful effects and create the potential for injury.27
Damages. When seeking class certification, focus on the defendants’ standardized conduct and explore damages analyses that attempt to measure the value of the device had consumers been aware of the allegedly withheld information about the insufficient cybersecurity. For example, when measuring classwide damages in the Chrysler litigation, the consumers relied on—and the court held sufficient—a choice analysis that could measure consumer opinions on the economic value of vehicle cybersecurity.28 In other words, the analysis focused on the vehicles’ value if consumers had been aware of the allegedly withheld information regarding the insufficient cybersecurity. An important takeaway from this case is that consumers who did not suffer physical harm from an IoT device can still pursue consumer protection and breach of warranty claims after purchasing a defective and unsafe vehicle.
As companies continue to create and sell IoT devices, civil lawsuits such as class actions will become increasingly necessary to ensure that consumers have remedies for the injuries they sustain when cybersecurity measures fail.
Adam J. Levitt is a founding partner, Amy E. Keller is a partner, and Adam Prom is an associate at DiCello Levitt & Casey in Chicago. They can be reached at alevitt@dlcfirm.com, akeller@dlcfirm.com, and aprom@dlcfirm.com.
Notes
1. Michael Gras, Web of Liability, Trial 24 (Sept. 2017). IoT Village, a security event organized by Independent Security Evaluators, has exposed security vulnerabilities across dozens of devices. Indep. Sec. Evaluators, IoT Village Announces 2017 List of Devices to be Hacked at DEF CON, PR Newswire (July 20, 2017), https://www.prnewswire.com/news-releases/iot-village-announces-2017-list-of-devices-to-be-hacked-at-def-con-300491660.html.
2. For example, Uber recently agreed to pay $148 million to settle an investigation into a 2016 data breach that affected tens of millions of riders and drivers. See Kate Conger, Uber Settles Data Breach Investigation for $148 Million, N.Y. Times (Sept. 26, 2018), www.nytimes.com/2018/09/26/technology/uber-data-breach.html.
3. Lorenzo Franceschi-Bicchierai, Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings, Motherboard (Feb. 27, 2017), https://motherboard.vice.com/en_us/article/pgwean/Internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings.com.
4. Richard Chirgwin, CloudPets’ Woes Worsen: Webpages Can Turn Kids’ Stuffed Toys Into Creepy Audio Bugs, The Register (Mar. 1, 2017), www.theregister.co.uk/2017/03/01/cloudpets_woes_worsen_mics_can_be_pwned/.
5. Casey Quackenbush, Amazon and Ebay Are Among Retailers Dropping ‘CloudPets’ Smart Toys Amid Concerns About Hacking, Time (June 7, 2018), http://time.com/5304045/amazon-ebay-cloudpets-hacking/.
6. Ms. Keller presently serves as colead counsel for the more than 100 million people whose information was exposed in the Equifax data breach. In re Equifax, Inc. Customer Data Sec. Breach Litig., No. 17-md-02800-TWT (N.D. Ga. Dec. 6, 2017).
7. Edenborough v. ADT, LLC, No. 3:16-cv-02233-JST (N.D. Cal. Apr. 25, 2016); see also Steven Trader, ADT Agrees to End Alarm Hackability Suits With Settlement, Law360 (Jan. 24, 2017), www.law360.com/articles/884393/adt-agrees-to-end-alarm-hackability-suits-with-settlement.
8. ADT Home Security Settlement, Frequently Asked Questions (2017), https://www.adthomesecuritysettlement.com/FrequentlyAskedQuestions#q7.
9. Zak v. Bose Corp., 2017 WL 1395259 (N.D. Ill. Apr. 18, 2017).
10. Zak v. Bose Corp., 2017 WL 3379333 (N.D. Ill. Aug. 3, 2017).
11. Flynn v. FCA US LLC, 2015 WL 11018515 (S.D. Ill. Dec. 22, 2015). A controlled experiment in 2015 demonstrated that hackers could take control of a Jeep Cherokee using the Uconnect platform. See Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway—With Me in It, Wired (July 21, 2015), www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
12. Flynn, 2015 WL 11018515.
13. Flynn v. FCA US LLC, 2018 WL 3303267, at *9–15 (S.D. Ill. July 5, 2018).
14. Id. at *14–15.
15. Chris Coppola & BrieAnna J. Frank, Report: Driver in Autonomous Uber Was Watching ‘The Voice’ Moments Before Fatal Tempe Crash, WUSA9 (June 22, 2018), https://tinyurl.com/y7yaszk7.
16. Jack Stewart, Tesla’s Autopilot Was Involved in Another Deadly Car Crash, Wired (Mar. 30, 2018), www.wired.com/story/tesla-autopilot-self-driving-crash-california/. The dangers could get worse once additional driverless vehicles hit the road in coming years and more of them communicate with each other. J.C. Reindl, Car Hacking Remains a Very Real Threat as Autos Become Ever More Loaded With Tech, USA Today (Jan. 14, 2018), www.usatoday.com/story/money/2018/01/14/car-hacking-remains-very-real-threat-autos-become-ever-more-loaded-tech/1032951001/.
17. Dan Tynan, Yes, Your Life-Saving Medical Devices Can Be Hacked, The Parallax (Aug. 3, 2017), www.the-parallax.com/2017/08/03/defcon-medical-devices-hacked/.
18. Lily Hay Newman, A New Pacemaker Hack Puts Malware Directly on the Device, Wired (Aug. 9, 2018), www.wired.com/story/pacemaker-hack-malware-black-hat/.
19. In October, the FDA released updated draft guidance with recommendations for how medical device manufacturers can better protect their products from cybersecurity risks. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff, FDA (Oct. 18, 2018), www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf.
20. Id. at 7, 10.
21. A positive development at the state level is the California Consumer Privacy Act of 2018 (Assemb. 375, 2017–2018 Leg. (Cal. 2018)), which goes into effect in 2020 and will give consumers the right to request all the data businesses are collecting on them, as well as the right to request that businesses do not sell any of their data. The law allows the California attorney general to fine businesses for noncompliance, allows consumers to sue companies over data breaches, and provides statutory damages for failing to properly secure data. At the federal level, the U.S. Senate is considering the “AV START Act” that may set driverless vehicle policy for decades to come; opponents note that, among other things, the bill establishes that a manufacturer must have a plan for cybersecurity but provides no guidelines on what protections that plan must contain. S. 1885, 115th Cong. §30108 (2017); see Jeff Plungis, Safety Exemption for Self-Driving Cars Advances in Congress, Consumer Reports (Sept. 29, 2017), www.consumerreports.org/autonomous-driving/safety-exemption-for-self-driving-cars-advances-in-congress/. Congress previously considered the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691), which would have implemented some basic cybersecurity hygiene practices but was never passed, and a more recent cybersecurity bill, “Information Transparency & Personal Data Control Act” (H.R. 6864), would totally preempt state tort remedies and provide no adequate protections at all.
22. Norcia v. Samsung Telecomm. Am., LLC, 845 F.3d 1279 (9th Cir. 2017), cert. denied, 138 S. Ct. 203 (2017); Knutson v. Sirius XM Radio Inc., 771 F.3d 559 (9th Cir. 2014).
23. Joe Patrice, Fitbit Faces Possible Contempt Charge for Admitting What Everyone Knows, Above the Law (June 5, 2018), https://abovethelaw.com/2018/06/fitbit-faces-possible-contempt-charge-for-admitting-what-everyone-already-knows/.
24. 136 S. Ct. 1540 (2016).
25. See In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).
26. See In re VTech Data Breach Litig., 2018 WL 1863953 (N.D. Ill. Apr. 18, 2018).
27. 18 U.S.C. §1030.
28. Flynn, 2018 WL 3303267, at *12.