Who is best positioned to develop security and privacy standards for emerging technologies that malicious actors are trying to hack?  If you said class action plaintiffs’ lawyers, you are in luck (for now). 

The Supreme Court recently declined to determine whether a remote possibility of hacking—without any showing that such hacking has ever occurred—allows plaintiffs to extract millions of dollars from car manufacturers.  As the Washington Post reported, the Court had two pending cert petitions before it that turned on how Article III standing should be applied to our increasingly connected world.  As of January 7th, it is down to one.  These issues will be of critical importance as plaintiffs look to sue manufacturers on speculative claims arising out of various security and privacy issues that we are just on the cusp of grappling with as a society.

So, what about the case?  In FCA US LLC v. Flynn, a group of consumers filed a class action suit after Wired magazine published an article describing how two cybersecurity researchers hacked a Jeep Cherokee.  But none of these consumers’ vehicles had been hacked.  What’s more, there was no evidence of any FCA vehicle being hacked outside of a controlled environment.  To get around this problem, the Flynn plaintiffs alleged an “overpayment” theory, essentially arguing that had the consumers known of the security vulnerabilities exposed by Wired, they would have paid less for their vehicles or not purchased them at all.

The trouble with this sort of theory is that there are hundreds of thousands of known vulnerabilities in software and products, some found by Google Project Zero, others by white hat hackers, and still others by bad guys.  Many, but not all, are in massive databases managed by the government and others, such as the Common Vulnerabilities and Exposures database.  Federal policy encourages the identification and disclosure of vulnerabilities with “bug bounties” and other tools.  But if left unchecked, class action plaintiffs will be making security and privacy policy using the in terrorem effect of huge verdicts based on 20/20 hindsight.

We digress.  Now, back to Flynn.  In the District Court for the Southern District of Illinois, FCA argued that the overpayment theory did not satisfy Article III standing, citing Clapper v. Amnesty International USA, a case in which the Supreme Court rejected standing based on attenuated, multi-step theories of harm.  Some courts have resisted the core teaching of Clapper, seeking to find ways to let plaintiffs bring cases on speculative bases.  But, Clapper held that harm must be “certainly impending” to satisfy Article III.  (Full disclosure: an author of this article filed the only amicus brief on the winning side of that case, representing a bipartisan coalition of U.S. Attorneys General and the Washington Legal Foundation.)

In Flynn, the Southern District of Illinois rejected FCA’s argument, finding that the plaintiffs’ case could not be dismissed on standing grounds because the Wired article established that there were cybersecurity vulnerabilities with the plaintiffs’ vehicles, and the plaintiffs cast doubt on whether those vulnerabilities had been fixed.  The court found that the plaintiffs could plausibly satisfy Article III standing if they subsequently proved that (1) the recall did not fix all vulnerabilities; and (2) the ongoing vulnerabilities reduced the value of their vehicles.  Accordingly, the Southern District of Illinois certified the plaintiffs as a class.

FCA appealed the class certification to the Seventh Circuit under Federal Rule of Civil Procedure 23(f), alleging “manifest error” in, inter alia, the district court’s standing analysis.  The Seventh Circuit rejected this appeal (in a really short and unsatisfying opinion).  So, FCA filed a (long shot) petition for certiorari.

In the cert petition, FCA argued that because there had never been an actual vehicle hack, there was no plausible allegation of harm, in other words, there was no viable claim that any hack was “certainly impending.”  Moreover, FCA reasoned that any future hacking theory depended on “speculation about the unfettered choices made by actors not before the court,” speculation which Clapper condemned.  Lastly, the FCA contended that allowing plaintiffs to couch impermissible standing bases in terms of an “overpayment” theory would allow an end-run around Article III’s standing requirements.

Several amici filed briefs in support of FCA’s now-dismissed cert petition.

In a brief filed by CTIA-The Wireless Association, Cause of Action Institute, and Association for Unmanned Vehicle Systems International (“CTIA brief”), the amici argued that many courts are misapplying Article III standing in the cybersecurity context by relying on hypothetical injuries.  They noted that in Flynn, there was a highly attenuated chain of events required for harm to occur, including: (1) the existence of a proficient hacker capable of tampering with vehicles remotely (unlike the cybersecurity researchers in the Wired article who had physical access); (2) that hacker finding a vulnerability despite the numerous patches; (3) that hacker gaining access to critical systems; and (4) that hacker manipulating those critical systems.  The amici argued that this chain of events presented too many ifs to satisfy standing under Clapper.  The CTIA brief also argued that allowing massive class action suits based on the mere possibility of hacking would dull incentives for information sharing, and encourage companies to keep consumers in the dark and prematurely rush out security patches.  Lastly, the CTIA brief argued that the Court should not apply a blunt instrument—high-stakes class action litigation—to a complex issue already being addressed through public and private sector collaboration.  (Another disclosure: we drafted that one too.)

The National Association of Manufacturers and American Tort Reform Association also supported the cert petition.  They argued that finding standing based on a possibility of hacking would essentially create a requirement for perfect cybersecurity: an impossibility.  They also pointed out that this theory of standing was out of step with traditional products liability law, allowing plaintiffs to bypass the actual injury prong of such lawsuits.  Accordingly, they contended that the “overpayment” theory would create perverse incentives for companies, upsetting the “traditional product liability principles that have been developed to incentivize appropriate corporate conduct.”

The Alliance of Automobile Manufacturers, Inc. argued that the National Highway Traffic Safety Administration (“NHTSA”) foreclosed any plausible allegation of certainly impending harm when it found that FCA’s remedies “appear[ed] to have eliminated vulnerabilities that might allow a remote actor to impact vehicle control systems.”  They further argued that allowing suits to go forward on speculation—pointing out that plaintiffs presented no evidence of actual market effect—ran contrary to Clapper.  They predicted that these speculative suits would prove costly for manufacturers without benefit to consumers, as the NHTSA already regulates this field.

In response, the plaintiffs argued[1] that Clapper was distinguishable from their suit because Clapper concerned future injuries, whereas the plaintiffs had already suffered the overpayment injury.  They further argued that fears of abusive litigation were overstated.

The Court declined to hear the FCA case, leaving the parties to duke it out in the lower courts.  Going forward, there will be enormous pressure in cases like this to settle.

The remaining pending cert petition—Zappos.com, Inc. v. Stevens—also grapples with how to apply Article III standing to a new cybersecurity problem.  The question in that petition is whether individuals with personal information held in a database breached by hackers have Article III standing, without any further showing of injury.  Like in Flynn, many of the arguments turn on the application of Clapper’s “certainly impending” standard.

So, what we have now is an uncomfortable period of legal uncertainty and rising peril for manufacturers and innovators.  Security approaches will and must evolve over time as technology and threats change.  The discovery and resolution of vulnerabilities should be encouraged—not punished by class action lawyers looking for a payday.  Judges need to hold the line on standing and faithfully apply Clapper to class actions based on unexploited security vulnerabilities.

* * *

Megan Brown is a partner at Wiley Rein LLP, leading the firm’s cybersecurity and IoT work.  She also is Associate Program Director of the National Security Institute at George Mason’s Scalia Law School.

Boyd Garriott is a law clerk at Wiley Rein LLP in the Telecommunications, Media & Technology group.

[1] The plaintiffs’ brief in this case was redacted.  The summary of their arguments thus comes from the Petitioner’s reply brief.