Vehicle Hacking Class-Action Litigation to Proceed to Discovery After Supreme Court Denies Certiorari

Class-action litigation on claims that vehicles are vulnerable to hacking will go forward after the U.S. Supreme Court declined to review the class certification. The nation’s highest court denied the petition for certiorari in FCA US LLC v. Flynn, No. 18-398, on Monday, January 7, 2019.

Petitioners in the case had sought Supreme Court review of an order certifying three classes of plaintiffs who purchased or leased certain makes and models of vehicles manufactured by the defendants that were vulnerable to hacking. None of the vehicles had actually been hacked, and the petitioners argued to the U.S. Court of Appeals for the 7th Circuit and then to the Supreme Court that the class certification was improper because the plaintiffs had not suffered a legally sufficient injury. 

This case arose in 2015 after WIRED magazine published an article demonstrating that hackers could remotely control vehicles through their infotainment systems. After the article was published, Chrysler¹  issued a recall that included software fixes. Aside from the hack described in the WIRED article, the infotainment system had never been hacked. Nonetheless, the plaintiffs filed a class-action lawsuit in U.S. District Court for the Southern District of Illinois alleging that both software and hardware defects remained that left the vehicles vulnerable to hacking.

The defendants first moved to dismiss the case, arguing that the plaintiffs had not suffered a legally sufficient injury. In response, the plaintiffs proffered two types of injury—increased risk of injury or death, and overpayment. The District Court concluded that any increased risk of injury or death (or fear of that risk) was too remote to be sufficient.² However, overpayment for the vehicle or its diminution in value was a substantial enough injury for the case to proceed, the court said.³

The plaintiffs then sought to certify a class made up of purchasers and lessees who overpaid or whose vehicles lost value. On July 5, 2018, the District Court certified classes for the three states where the named plaintiffs bought or leased their vehicles.⁴ The classes are made up of more than 220,000 consumers seeking $440 million in damages. The defendants sought permission from the 7th Circuit to appeal the order certifying the classes, which was denied. Now that the Supreme Court has likewise declined to review the certification order, the case will next proceed to discovery on the claims that the vehicles are vulnerable to hacking, with trial set to begin in October 2019.

Vehicles are increasingly more automated with fully autonomous vehicles getting closer to the average consumer every day. In this environment, with ever-increasing litigation over internet of things and connected devices, manufacturers must continue to employ best practices for cybersecurity, to review the practices of their suppliers and service providers, and to ensure that their indemnity provisions cover potential cybersecurity litigation.