At an estimated 8.4 billion in number, connected devices now in use outnumber people on earth.1 It is estimated that the usage of these devices will continue to grow, reaching 20 billion devices over the next two years and 50 billion devices by 2050.2 The Internet of Things (IoT) describes the milieu of these connected devices, which are connected to each other and to the internet. IoT technologies are transforming not only industrial processes but the way people do business. Their effect is far reaching, crossing all disciplines and industries. These connected devices range from wearables, smart children’s toys and home appliances to digital health devices and autonomous vehicles.
In this new world of product development, IoT technologies are marked by shorter product and adoption cycles and have the capability to collect, store, and exchange highly specific data about their users. Product failures or vulnerabilities of IoT devices may not only lead to privacy breaches, but also to property damage, personal injury, and economic loss claims. Class actions may well become an effective litigation tool for advancing claims involving IoT technology failures. As recent IoT class action jurisprudence demonstrates, IoT product failures may be exposed by an ill-intentioned third party in the course of a cyber-attack or through benign schemes driven by research and journalistic initiatives.3 At times, the exposed vulnerability may necessitate a product recall.4
Recent IoT class actions south of the border demonstrate the rich variety of claims being advanced by plaintiffs: privacy and warranty breaches, negligent design and manufacture, unjust enrichment, fraud and failure to warn claims. While there may be cases where defendants will agree to a settlement,5 the current tendency has been for defendants to fight the merits of the claims being advanced. In the cases to-date, the defendants have prevailed where it has been demonstrated there was no evidence that any of the plaintiffs experienced the alleged product failure.
This strategy of resistance has not always reaped benefits for the challenging defendants. A recent example is the July 5, 2018 ruling in Flynn v. FCA. Despite there being no evidence that any of the plaintiffs’ vehicles were hacked into as a result of the alleged cybersecurity flaws of their connected vehicles’ infotainment system, a US Federal Court declined to order summary judgment with respect to all of the plaintiffs’ claims. The Court found there existed a genuine dispute as to whether the class vehicles had defects, whether the alleged defects were remedied by the recall and whether additional measures were required to protect the vehicles from an unreasonable risk of hacking.6 While the Court found that the plaintiffs’ unjust enrichment claims lacked merit, the warranty claims survived the summary judgment motion, as did some of the plaintiffs’ claims for fraudulent misrepresentation. Ultimately, the Court granted partial certification of three classes of plaintiffs in Michigan, Illinois, and Missouri. As this decision is expected to be appealed, it remains to be seen whose arguments will ultimately prevail.
What should IoT manufacturers, distributors, suppliers, and platform providers do in the face of this product litigation risk? The best practice may well be to exercise due diligence in ensuring the security integrity of the IoT device, both for the device itself as well as anything that connects to it. Particularly in cases where there is no evidence that any class member suffered the alleged product failure, it would appear that challenging the merits of the claim pre-certification may have some merit.7
In conclusion, while courts are still defining the parameters for IoT class actions, class actions are expected to be an attractive option for plaintiffs to seek recovery for losses incurred from IoT product failures. In this changing landscape, it will be important for IoT device manufacturers, distributors, suppliers, and platform providers to not only inoculate against security failures before the product hits the market but also to continue to conduct post-market product surveillance in order to deploy safety and security reinforcements during the product life cycle.