Suing over Technology Security Still Requires Standing, but For How Long?

March 6, 2018

We continue to see concern over technology and security, with an increasing focus on the Internet of Things (IoT).  Courts are becoming a popular forum for these disputes, with class-action litigants, like those in Edenborough et al v. ADT, LLC et al, No. 3:16-cv-02233 (N.D. Cal. Apr. 25, 2016), hoping that the courts will step in to set technology policy.  Likewise, commentators like Bruce Schneier encourage the government to use regulation or standards of care to let litigants “impose liabilities on manufacturers” of IoT devices.

Courts, in the main, insist that plaintiffs bring non-abstract claims based on actual harm.  In an opinion released late last year in a highly watched case, the Ninth Circuit affirmed a lower court’s dismissal of Cahen v. Toyota Motor Corp, a class-action case involving automotive cybersecurity.  There, class-action plaintiffs claimed, based on news reports, that their vehicles contained electronic control units that could be hacked, and sought money damages despite there being no actual exploit or breach of consumer data.

The Ninth Circuit affirmed the dismissal for lack of standing because the plaintiffs failed to allege an injury-in-fact.  Their vehicles had not actually been hacked and they could not show that any vehicle had been hacked outside of a controlled environment.  The court stated that mere risk of being hacked was “speculative” and not enough to show injury.

Nor could the plaintiffs show injury based on over-paying for their cars, a novel theory that plaintiffs were testing.  The court stated that such an allegation was “conclusory and unsupported by any facts” because the plaintiffs could not show any economic loss.

Finally, the plaintiffs could not show they suffered injury based on invasion of privacy.  They could not show why the data collected from their cars is sensitive or individually identifiable to a particular driver.  They therefore could not “demonstrat[e] how the aggregate collection and storage of non-individually identifiable driving history and vehicle performance data cause an actual injury.”

This case shows that a high bar continues to face Plaintiffs bringing lawsuits related to security issues in new technology: they will need to show that they were actually injured.  Abstract claims are insufficient.  But, the case also highlights the growing use of litigation to try to influence emerging technology.  We expect more such litigation in the future, even though, as discussed in an earlier post, tech policy is best developed--not by judges and juries--but by the market, supported by executive and legislative branch action to facilitate innovation.

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek