Vehicle HackingOn November 25, 2015, the Northern District of California dismissed Cahen v. Toyota Motor Corporation, Case No. 15-cv-01104, one of the first class actions to allege that automotive manufacturers did not sufficiently protect their vehicles’ technology from intrusion by hackers.  This class action was first filed in March, following a report issued by Senator Ed Markey that described these security vulnerabilities (Senator Markey would eventually introduce the Security and Privacy in Your Car Act, which if enacted would instruct NHTSA and the FTC to create IT security and privacy standards for vehicle electronics and networks).

Relying heavily on the Markey report, the Cahen plaintiffs alleged that Ford, GM, and Toyota manufactured vehicles with computer systems that are “susceptible to dangerous hacking.”  According to plaintiffs, a successful hack can result not only in an invasion of privacy, but can also allow the hacker to “take remote control of the operation of a vehicle.”  In addition, plaintiffs alleged that the technology in the defendant manufacturers’ vehicles allowed them to collect data from unsuspecting drivers and share such data with third parties.  The plaintiffs brought consumer fraud claims under California, Oregon, and Washington law.

The defendants moved to dismiss the First Amended Complaint on the grounds that plaintiffs had not sufficiently alleged an injury in fact – a requirement for Article III standing.  The court granted the motion after determining the following:

  • Future Harm from Hacking Too Speculative: According to defendants, the weakness in plaintiffs’ case lay in the fact that “plaintiffs do not allege any hacking incidents that have taken place outside of controlled settings, and [ ] the entire threat rests on the speculative premise that a sophisticated third party cybercriminal may one day successfully hack one of plaintiffs’ vehicles.”  The court agreed with defendants, and found Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138 (2013), U.S. Hotel and Resort Mgmt, Inc. v. Onity, Inc., 2014 WL 3748639 (D. Minn. July 30, 2014), and Birdsong v. Apple, Inc., 590 F.3d 955 (9th Cir. 2009) to be instructive on the point that an allegation of future harm must be “certainly impending” or a “credible threat” in order to suffice for injury in fact.
  • Economic Loss Allegations Also Too Speculative: The Cahen plaintiffs also alleged that they suffered economic loss due to the risk of their vehicles being hacked in the future, which they argued was sufficient to constitute an injury in fact.  However, the plaintiffs did not allege that their vehicles had diminished in value in any way.  The court rejected this argument, finding that “an economic injury that rests on the risk presented by an underlying product defect fails to establish injury in fact if the underlying risk is itself speculative.”  Citing In re Toyota Motor Corp. Unintended Acceleration Litig., 790 F. Supp. 2d 1152 (C.D. Cal. 2011), and Contreras v. Toyota Motor Sales USA, Inc., 2010 WL 2528844 (N.D. Cal. June 18, 2010), the court explained that plaintiffs needed to allege “something more” beyond a speculative risk that their vehicles may be hacked in the future (for example, an allegation that the Bluebook value of their vehicles had decreased).
  • Allegations of Data Collection by Defendants Not The Same As a Data Security Breach: Finally, the court found that plaintiffs had not “identified a concrete harm from the alleged collection and tracking of their alleged collection and tracking of their personal information sufficient to create injury in fact.”  Unlike in cases like Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) or In re Sony Gaming Networks & Customer Data Security Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014), the plaintiffs’ personal data had not been exposed due to a malicious data breach; rather, defendants were allegedly collecting data on plaintiffs’ driving history and vehicle performance and sharing such data with third-party data centers.  According to the court, it was not evident how the collection and limited disclosure of such data harmed or will harm plaintiffs.

The Cahen decision is another in the growing body of caselaw that finds no injury-in-fact based on the bare allegation that the plaintiff was exposed to a future risk of hacking.  Defense counsel are advised to spot, investigate, and attack similar issues regarding the plaintiff’s standing in any applicable case (e.g., an Internet of Things (IoT) class action alleging cybervulnerabilities).