On November 25, a California federal court dismissed without prejudice a proposed class action against Toyota Motor Corp., Ford Motor Co., and General Motors LLC, claiming the carmakers failed to ensure the electronic security of their vehicles by equipping them with computer technology that is susceptible to being hacked by third parties. Cahen, et al. v. Toyota Motor Corp., et al., No. 15-cv-01104-WHO, 2015 WL 7566806 (N.D. Cal. Nov. 25, 2015).

The putative class of drivers sued the three automakers in March, claiming the companies knew for years that hackers could remotely control cars with drivers behind the wheel but did nothing to protect consumers. Notably, none of the plaintiffs alleged that such hacking had actually occurred or that they in particular were in danger of having their cars hijacked remotely.

U.S. District Judge William H. Orrick dismissed the action because the drivers failed to identify an actual injury to themselves sufficient for Article III standing, ruling that the speculative risk of being hacked in the future could not be considered an “injury in fact.” As Judge Orrick explained, “[i]t is difficult for me to conclude whether plaintiffs’ vehicles might be hacked at some point in the future, especially in light of the fact that plaintiffs do not allege that anybody outside of a controlled environment has ever been hacked. Plaintiffs have alleged only that their cars are susceptible to hacking but have failed to plead that they consequently face a credible risk of hacking.”

The plaintiffs attempted to argue that they were economically harmed because they would not have purchased the vehicles or paid as much for them had they known about their hacking vulnerabilities. In addition, they claimed that their cars are less valuable because the vulnerability has not been fixed. Judge Orrick also rejected these claims as being too speculative, noting that the alleged economic injury “rests solely upon the existence of a speculative risk of harm,” and that such allegations are insufficient to confer Article III standing “unless plaintiffs plead ‘something more.’” Judge Orrick further pointed out that federal regulations require all vehicles manufactured after 2008 be equipped with some form of the electronic component that plaintiffs claim to be defective, and reasoned that “because the alleged harm is unmanifested and widespread, how that would translate into economic injury is unclear.”

Among their other claims, the drivers accused the car manufacturers of violating their privacy rights under California law by collecting and sharing data about their vehicle’s driving history, performance and/or location “at various times.” Judge Orrick again found that the plaintiffs lacked standing because (1) they failed to identify a credible risk of future harm from the alleged collection and tracking of their vehicle data sufficient to create injury in fact (e.g., identity theft), and (2) they did not specifically allege that they were personally affected by the alleged conduct. The court also held that even assuming arguendo that the plaintiffs’ allegations were sufficient to establish standing, they did not demonstrate a violation of their right to privacy under the state constitution because the collected data at issue “is not categorically the type of sensitive and confidential information that the [California state] constitution aims to protect.”

The court also found that the plaintiffs could not sue Ford in California, because none of the lead plaintiffs bought or leased a Ford vehicle in California, and Ford is not headquartered in the state.

The plaintiffs have until January 8, 2016, to file an amended complaint.