Vehicle Hacking Class Action Runs Out of Gas in Illinois Court

In a decision likely to bring comfort to the manufacturers of vehicle automation technology, the court in Flynn v. FCA US LLC, No. 15-cv-855-SMY, 2020 WL 1492687 (S.D. Ill. Mar. 27, 2020) granted the defendants’ motion to dismiss. The court ruled that the plaintiffs’ class-action claims of vehicle vulnerability to hacking were too hypothetical to provide standing. The case was dismissed by an Illinois federal district court for lack of jurisdiction on March 27, 2020. The plaintiffs have since appealed the case to the Seventh Circuit, which was recently set for oral argument on October 27, 2020. As of August 10, the appeal is fully briefed. Flynn v. FCA US LLC is one of the first court rulings that could have an impact on autonomous vehicle (AV) development and liability.

The plaintiffs sought damages based on vulnerabilities in Chrysler vehicles that could have allowed hackers to access both critical and non-critical vehicle systems. Although none of the vehicles were actually hacked outside of a controlled environment, the plaintiffs alleged that the vehicles were defective in that (1) the infotainment system was “exceedingly hackable”; (2) the vehicle’s computer system failed to prevent hackers from remotely taking control of the vehicle; and (3) the infotainment system and the vehicles lacked the capability to download software patches that were critical for protecting the vehicles.

In 2016, the court denied a prior motion to dismiss because the plaintiffs had alleged sufficient facts to establish standing. In 2018, the court granted the plaintiffs’ motion for class certification, a decision which the Supreme Court declined to review.

After the close of discovery following class certification, the defendants filed a motion to dismiss for lack of jurisdiction, which led to the court’s recent decision. The court determined that a reexamination of the defendants’ standing arguments was warranted, stating that “Article III standing requires that the plaintiff suffered an injury in fact […] which is concrete and particularized and actual or imminent – not conjectural or hypothetical.” Id. at *7.

The court noted that it was unclear whether the infotainment system was defective at all. “The mere fact that a product has a vulnerability does not in itself, mean the product is defective.” Id. at *11. Recognizing that any product can be made safer or better, the court held that a future risk of hacking is too speculative and that allegations of economic loss stemming from speculative risk of future harm cannot establish standing. The court further found that there was no demonstrable effect on the market for the plaintiffs’ vehicles, and as such, the plaintiffs had not suffered any injury in fact.

Although this case was disposed of on standing grounds, it is a win for those in favor of greater vehicle automation. Manufacturers do not have to account for wholly hypothetical risks. However, manufacturers must continue to establish and employ best practices for vehicle cybersecurity. They should examine the practices of their suppliers and service providers to avoid cybersecurity risks, and work with their dealers to review agreements with car buyers to cover similar potential litigation.

We will watch the appellate decision and provide any necessary updates.