Over the last several decades, there have been significant advancements in automotive technology. Today’s vehicles are equipped with more and more sophisticated computer systems than ever before. But as our reliance on technology continues to grow, so does the potential for cybersecurity attacks and resulting litigation. That’s why it’s becoming increasingly important for car manufacturers to pay close attention to the legal landscape.
One recent case illustrates what’s going on. On March 27, 2020, the U.S. District Court for the Southern District of Illinois dismissed an automotive cybersecurity class action lawsuit, Flynn v. FCA US LLC. In Flynn, the plaintiffs alleged that the Uconnect system that allows integrated control over phone, navigation, and entertainment functions in certain vehicles was vulnerable to hackers seeking to take remote control of those vehicles. Plaintiffs further alleged that “but for [d]efendants’ misrepresentations about the [vulnerabilities of the Uconnect system], they would not have purchased the vehicles or would have paid less for them.”
Some background: The lawsuit was filed following a 2015 Wired magazine news article that demonstrated that the Uconnect system could be hacked in a controlled environment. However, aside from the hack described in the news article, there had been no other reports of hackers remotely accessing or seizing control of the system. In fact, “[p]laintiffs concede[d] that only one hack of the 1.2 million vehicles with the purported defects has occurred, and that one occurrence took place when two highly trained researchers hacked a vehicle in a controlled setting.”
Recognizing that no product is foolproof, the district court held that the fact that a product has vulnerabilities does not make that product defective. Further, the court ruled that plaintiffs’ allegations that their vehicles were worth less than they would be without the alleged Uconnect defects were conclusory and unsupported by any evidence. Plaintiffs did not allege that “their Uconnect systems do not work; that they have experienced any problems related to the Uconnect system; that they are unwilling to drive their vehicles because of the defects in the Uconnect systems; or that they have sold or traded (or attempted to sell or trade) their vehicles at a loss due to the alleged defects in the Uconnect system.” Further, plaintiffs’ damages expert did not establish “a demonstrable effect on the market for [p]laintiffs’ vehicles based on, for example, documented recalls, declining Kelley Bluebook values, or a risk so immediate that they were forced to replace or discontinue using their vehicles, thus incurring out-of-pocket damages.” The court also noted that “a future risk of hacking is too speculative” and that “allegations of economic loss stemming from speculative risk of future harm cannot establish standing.”
The district court’s dismissal was a big win for car manufacturers, but the plaintiffs have since appealed the dismissal. The Seventh Circuit heard oral arguments on October 27, 2020, and has taken the matter under advisement.
Flynn is not the first automotive cybersecurity lawsuit of its kind. For example, in Cahen v. Toyota Motor Corp., which was filed in the U.S. District Court for the Northern District of California in 2015, the plaintiffs claimed that the computer technology in certain vehicles was susceptible to hacking, but did not allege that any of their vehicles were actually hacked. As in Flynn, the district court in Cahen dismissed the case because plaintiffs did not suffer any injury beyond a speculative risk of hacking, and the Ninth Circuit affirmed that decision.
If the outcome of the Flynn appeal is the same as the outcome in Cahen, it will set helpful precedent for car manufacturers in the Seventh Circuit. We will continue to monitor the appellate decision and report any significant developments.
As the legal landscape surrounding automotive cybersecurity continues to develop, car manufacturers may want to consider taking steps to minimize risks of cybersecurity attacks and litigation. In 2016, the National Highway Traffic Safety Administration (NHTSA) published a Cybersecurity Best Practices for Modern Vehicles manual, which contains guidance for improving motor vehicle cybersecurity. Additionally, the Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry-driven community that is aimed at enhancing vehicle cybersecurity capabilities, also published cybersecurity best practices. Although these manuals contain non-binding guidance, they provide guidance to manufacturers and possibly a way to mitigate risk if their technology is eventually hacked.
Vehicle cybersecurity is a dynamic field that is changing rapidly. As vehicles become more reliant on software, manufacturers should continue to monitor the legal landscape and ensure they are taking the appropriate steps to protect themselves from potential liability.