IoT Devices Create Litigation Vulnerabilities
October 31, 2016
This article was authored by guest contributor Matthew Gardner.
How vulnerable are makers of IoT devices to class actions based on poor cybersecurity? Perhaps very vulnerable. That’s the takeaway from one federal judge’s recent decision to partially deny a motion to dismiss a class action alleging cybersecurity defects in home security cameras.
The case, Edenborough v. ADT, LLC, 3:16-cv-02233 (N.D.Cal. 2016), involves claims under California law that ADT deceived its customers by failing to inform them that ADT’s home security cameras could be jammed by hackers. The plaintiffs alleged that ADT knew (in part based on research conducted for an article in Forbes) that hackers could “easily defeat” the security system by disabling or jamming the cameras.
The district court agreed with ADT that many of its statements, like that “ADT takes pride in using the most advanced technology,” were non-actionable puffery. However, the district court held that plaintiffs’ allegations that ADT had deceived its customers by failing to disclose certain cybersecurity vulnerabilities were sufficient to state a claim for violating California law. The court held that, “It is plausible that a reasonable consumer would attach importance to the fact that their home security system could be easily hacked and bypassed . . . . This is especially true . . . where the risk brings into question the core functionality of ADT’s wireless systems: to protect homes from intrusion.”
This district court’s reasoning should put IoT device manufacturers on notice: failing to disclose cybersecurity risks—without more—may be a sufficient basis for a class action under state law.
This decision is more striking because it did not involve an actual hack of ADT’s security cameras. Litigation over lax cybersecurity has often been a dead end as plaintiffs struggle to convince courts that, for example, the theft of a social security number results in actual harm. This case could open the door to litigation absent harm.
A future concern for IoT device manufacturers, however, is that poor cybersecurity could result in real-world injuries. The potential for IoT devices to cause actual injuries is more than theoretical. Imagine the plaintiffs’ case if their security cameras were hacked and used to spy on them in their homes. Imagine the plaintiffs’ case if their security cameras were taken offline as part of a home invasion. Or worse, imagine if the plaintiffs’ security cameras were taken offline, and the homeowners were attacked in a subsequent home invasion.
But here, the plaintiffs survived based on the mere theoretical possibility of a hacker disabling their security systems. It is too soon to tell if this decision is an outlier or a sign that courts will take a harder look at cybersecurity lapses for IoT devices. In either case, in addition to working on supply chain and device design and management, the makers of IoT devices should review what they are saying to customers. Are they comfortable that broad claims about cybersecurity will fall into the vague land of puffery? Are they aware of potential cybersecurity risks and, if so, have they considered whether and how to inform their customers about risks? Do they have processes in place to handle new vulnerabilities and public dissemination of risks?
Cyber attacks on IoT devices are escalating, and class actions will follow. IoT device manufacturers should consider how to reduce their exposure to consumer fraud issues, including by communicating about cybersecurity risks to customers.