At an estimated 8.4 billion in number, connected devices now in use outnumber people on earth.1 It is estimated that the usage of these devices will continue to grow, reaching 20 billion devices over the next two years and 50 billion devices by 2050.2 The Internet of Things (IoT) describes the milieu of these connected devices, which are connected to each other and to the internet. IoT technologies are transforming not only industrial processes but the way people do business. Their effect is far reaching, cutting across all disciplines and industries. These connected devices range from wearables, children's smart toys and home appliances, to digital health devices and autonomous vehicles.
In this new world of product development, IoT technologies are marked by shorter product and adoption cycles and have the capability to collect, store, and exchange highly specific data about their users. Product failures or vulnerabilities of IoT devices may not only lead to privacy breaches, but also to property damage, personal injury, and economic loss claims. Class actions may well become an effective litigation tool for advancing claims involving IoT technology failures. As recent IoT class action jurisprudence demonstrates, IoT product failures may be exposed by an ill-intentioned third party in the course of a cyber-attack or through benign schemes driven by research and journalistic initiatives.3 At times, the exposed vulnerability may necessitate a product recall.4
Recent IoT class actions south of the border demonstrate the rich variety of claims being advanced by plaintiffs: privacy and warranty breaches, negligent design and manufacture, unjust enrichment, fraud and failure to warn claims. While there may be cases where defendants will agree to a settlement,5the current tendency has been for defendants to fight the merits of the claims being advanced. In the cases to-date, the defendants have prevailed where it has been demonstrated there was no evidence that any of the plaintiffs experienced the alleged product failure.
This strategy of resistance has not always reaped benefits for the challenging defendants. A recent example is the July 5, 2018 ruling in Flynn v. FCA. Despite there being no evidence that any of the plaintiffs’ vehicles were hacked into as a result of the alleged cybersecurity flaws of their connected vehicles’ infotainment system, a U.S. Federal Court declined to order summary judgment with respect to all of the plaintiffs’ claims. The Court found there existed a genuine dispute as to whether the class vehicles had defects, whether the alleged defects were remedied by the recall and whether additional measures were required to protect the vehicles from an unreasonable risk of hacking.6 While the Court found that the plaintiffs’ unjust enrichment claims lacked merit, the warranty claims survived the summary judgment motion, as did some of the plaintiffs’ claims for fraudulent misrepresentation. Ultimately, the Court granted partial certification of three classes of plaintiffs in Michigan, Illinois, and Missouri. As this decision is expected to be appealed, it remains to be seen whose arguments will ultimately prevail.
What should IoT manufacturers, distributors, suppliers, and platform providers do in the face of this product litigation risk? The best practice may well be to exercise due diligence in ensuring the security integrity of the IoT device, both for the device itself as well as anything that connects to it. Particularly in cases where there is no evidence that any class member suffered the alleged product failure, it would appear that challenging the merits of the claim pre-certification may have some merit.7
In conclusion, while courts are still defining the parameters for IoT class actions, class actions are expected to be an attractive option for plaintiffs to seek recovery for losses incurred from IoT product failures. In this changing landscape, it will be important for IoT device manufacturers, distributors, suppliers, and platform providers to not only inoculate against security failures before the product hits the market but also to continue to conduct post-market product surveillance in order to deploy safety and security reinforcements during the product life cycle.
1 Gartner, Press Release, "Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016" ( 7 February 2017), online: https://www.gartner.com/newsroom/id/3598917
2 Leta Gortman, “The Era of the Internet of Things: Can Product Liability Laws Keep Up” 84 Def. Counsel J. 1 (2017) at p. 1-2.
3 Ross v St Jude Medical Inc, No 2:16- cv- 06465 (CD Cal 2016); Cahen v Toyota Motor Corp, 14 F Supp 3d 955 (ND Cal 2015); and Flynn v FCA US LLC, 3:15-cv-00855 (SD III 2015).
4 Cahen v Toyota Motor Corp, 14 F Supp 3d 955, 971 (ND Cal 2015).
5 NP and PS v Standard Innovation Corp, No 1:16-cv-8655 (ND Ill 2017).
6 Flynn v FCA US LLC, 3:15-cv-00855 (SD III 2015), see page of the July 2018 decision of Justice Reagan.
7 See: Lozanski v the Home Depot 2016 ONSC 5447 at para 48 and 74. The alleged loss stemmed from a data breach of the Home Depot’s payment card systems by a hacker using custom-built malware. Although this was a motion for approval of settlement, among other things, the court noted that it would have approved a discontinuance in part because there was no allegation on the part of any class member that he or she suffered a financial loss attributable to the data breach. The Court also noted that the company had fulfilled its obligations to respond to the hacking and to notify its customers and had done so in a responsible, prompt, generous and exemplary fashion.