Cahen v. Toyota Motor Corp., currently before the U.S. Court of Appeals for the Ninth Circuit, concerns a class action challenge brought by drivers of Toyota and General Motors cars. Modern cars are “connected” — they contain hundreds of computer systems that are connected to the internet and control almost everything in the car, including the engine, braking, airbags, door locks, seats, and infotainment systems. The plaintiffs allege that Toyota and GM violated California law by selling cars that are susceptible to hacking and collecting private driver data. The lower court dismissed the plaintiffs claims for lack of standing and for failure to state a claim.
Do the plaintiffs have standing to challenge Toyota and GM for selling cars susceptible to hacking
Do the plaintiffs have standing to challenge Toyota and GM for selling cars that collect and disclose personal driving information?
Have the plaintiffs stated a claim for invasion of privacy under the California Constitution?
Factual & Procedural Background
Named plaintiffs Helene Cahen and Merrill Nisam, both California residents, represent a class of California consumers who purchased cars from Toyota and General Motors. Cahen purchased a Lexus RX 400 H in September 2008, while Nisam purchased a Chevrolet Volt in March 2013.
The California class brought eight causes of action against GM and Toyota:
Violation of the California’s Unfair Competition Law (“UCL”), Cal. Bus. Prof. Code § 17200, et seq.;
Violation of California’s Consumers Legal Remedies Act (“CLRA”), Cal. Civ. Cod § 1250, et seq.;
Violation of California’s False Advertising Law (“FAL”), Cal. Bus. Prof. Code § 17500, et seq.;
Breach of California’s Implied Warranty of Merchantability, Cal. Com. Code § 2314;
Breach of contract at California common law;
Fraud by concealment at California common law;
Violation of California’s Song-Beverly Consumer Warranty Act, Cal. Civ. Code §§ 1791.1 & 1792; and
Invasion of privacy under the California Constitution, Cal. Const. art. I, § 1. FAC ¶¶ 62-138.
These causes of action reduce down to two complaints:
The “cars’ computer systems lack security,” and consequentially “basic vehicle functions can be controlled by individuals outside the car, endangering the safety of vehicle occupants.” Despite “defendants’ knowledge of significant security vulnerabilities, they market their vehicles as safe,” and
“[D]efendants collect owner data, specifically geographic location, driving history, and vehicle performance, from the vehicle computers and then share that data with third parties without securing the transmission.”
Lower Court Opinion
The lower court dismissed plaintiffs’ claims on a combination of lack of Article III standing and (FRCP 12(b)(1)) and failure to state a claim (FRCP 12(b)(6)).
To assert standing, plaintiffs claimed injury caused by the defendants’ misrepresentations about safety and data collection. Plaintiffs argue that they wouldn’t have purchased the cars or paid as much to purchase them had they known of the safety and privacy risks, and alleged that they paid inflated prices. Plaintiffs also claimed injury because defendants collect large amounts of driving data, including location data, and transmit the data to third party data centers without effectively securing it.
The court first considered whether the plaintiffs had standing based on the future risk of hacking. Relying on Clapper v. Amnesty Int’l USA, U.S. Hotel and Resort Management, Inc. v. Onity, Inc., and Birdsong v. Apple, Inc, the lower court concluded that a future risk of hacking did not provide injury-in-fact. The court was unable to determine “whether plaintiffs’ vehicles might be hacked at some point in the future, especially in light of the fact that plaintiffs do not allege that anybody outside of a controlled environment has ever been hacked.” As a result, plaintiffs had failed to allege actual or “certainly” impending harm, which the court confused with injury-in-fact: “[W]hile it is possible that a potential hacker would in fact attempt to gain control of a vehicle, allegations of possible future injury are not sufficient.” In addition, because the risk of hacking was “speculative,” the court found that the plaintiffs had failed to allege “that any future risk of harm is concrete and particularized as to themselves.” Drawing from products liability cases in the Northern District of California, the court found persuasive that many of these cases denied standing “where there has been no actual injury and the injury in fact theory rests only on an unproven risk of future harm.”
Second, the court rejected plaintiffs’ allegations of economic loss flowing from the risk of future hacking. Economic injury sufficient to provide Article III standing arises when plaintiffs pay “more for a product than they otherwise would have paid, or bought it when they otherwise would not have done so.” But here, the court found that the plaintiffs could not “obscure that the alleged economic injury rests solely upon the existence of a speculative risk of future harm.” Plaintiffs had also failed to make specific allegations of “diminution in value.” As a result, the “unmanifested and widespread” harm could not clearly translate into economic injury. In addition, the market effect was “hypothetical” because “potentially all post-2008 cars vehicles on the American market, and not just defendants’ vehicles, lack the allegedly necessary security protections and firewalls.”
Third, the court rejected standing based on invasion of privacy because the plaintiffs had not “identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.” Again confusing harm for injury-in-fact, the court faulted plaintiffs for failing to “allege the kind of theft, malicious breach, or widespread accidental publication of sensitive personally identify information such as social security numbers or credit card information” that other courts had found sufficiently dangerous to pose a credible risk of future identity theft. Moreover, the plaintiffs’ claims were not particularized because they had not specifically alleged that they themselves were harmed by the defendants’ data collection.
Finally, the court held in the alternative that the plaintiffs had not stated a claim of invasion of privacy. A claim of invasion of privacy under the California Constitution requires a plaintiff to plead “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” The court found that “defendants’ tracking of a vehicle’s driving history, performance, or location at various times, is not categorically the type of sensitive and confidential information the constitution aims to protect.” The court criticized the plaintiffs’ allegations for leaning heavily on a report prepared by Senator Edward Markey instead of identifying “which car manufactures are collecting data, the frequency of which the data is being tracked, or the type of data is being collected.”
The court granted defendant’s motion to dismiss, and appellants appealed.
Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.
EPIC has a long and substantial interest in building privacy protections into the Internet of Things generally and connected cars specifically. EPIC has also filed two recent amicus briefs in cases involving Article III standing.
In November 2015, former EPIC Associate Director Khaliah Barnes testified before Congress about the Internet of Cars. EPIC’s testimony urged Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. In June 2016, EPIC submitted comments to the National Telecommunications and Information Administration about the Internet of Things. EPIC recommended that legal requirements ensure that companies providing IoT services adopt Privacy Enhancing Technologies; do not track, profile, or monitor users; minimize data collection; and ensure security in both design and operation of Internet-connected devices. EPIC has also submitted comments to the Federal Trade Commission describing several of the most common IoT devices, including some in connected cars, and outlined the main privacy and security concerns associated with these devices.
In 2013, EPIC and a coalition of privacy advocates submitted comments the National Highway Traffic Safety Administration’s (“NHTSA”) 2012 proposal to mandate Event Data Recorders (“EDRs”) in vehicles manufactured after September 2014. Event Data Recorders are devices that can internally record, retain, and report data related to the drivers’ operation of an automobile. The comments recommend that NHTSA protect driver privacy and limit the collection and use of EDR data. EPIC also commented on NHTSA’s 2014 advanced notice of proposed rulemaking requiring vehicle-to-vehicle communications. There, EPIC urged NHTSA to complete a more detailed privacy and security assessment of V2V communications. Additionally, EPIC recommend that NHTSA should: (1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications, including the basic safety messages (“BSMs”); (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights. EPIC commented on the privacy implications of EDRs to NHTSA in 2003 and 2004.
Finally, EPIC has filed several amicus briefs recently that defend plaintiffs’ ability to bring lawsuits for privacy violations. In In re SuperValu Customer Data Security Breach Litigation, EPIC presented a comprehensive framework of Article III standing, and urged a federal appeals court to protect consumers’ ability to sue companies for inadequate data security. Early in 2016, EPIC argued in Storm v. Paytime that data breach victims have standing to sue without needing to wait for consequential harms. EPIC also catalogued the epidemic of data breaches in the U.S., and explained why companies should be liable when they fail to protect the consumer data they collect. In Spokeo v. Robins, EPIC defended Congress’s authority to enact laws that safeguard the privacy of American consumers.
U.S. Court of Appeals for the Ninth Circuit, No. 16-15496