Summary

Plaintiffs have increasingly sought to hold companies accountable through litigation for security breaches or hacks of their computer systems that store personal information. Two recent court decisions in California demonstrate the expanding scope of liability in cybersecurity litigation. Unlike suits resulting from security breaches or hacks, plaintiffs successfully used that state’s consumer protection statutes to bring suit against product manufacturers for their products’ alleged cybersecurity vulnerabilities. They were able to survive motions to dismiss based on allegations that the companies failed to disclose potential cybersecurity risks. This recent litigation underscores the need for manufacturers to consider cybersecurity from the outset when designing or building products, as well as developing policies for when and how they disclose possible risks associated with these products.   

Edenborough v. ADT

In Edenborough v. ADT, a customer who bought a home security system through ADT sued the company for alleged flaws in its system’s cybersecurity. The customer claimed that the system’s use of “unsecured” and “unencrypted” wireless transmissions would allow hackers to “readily turn the wireless sensors off.”  He brought claims under California’s consumer protection statutes, alleging ADT misrepresented and fraudulently omitted the “known” vulnerabilities in its security system. 

The court dismissed the customer’s misrepresentation claims, reasoning that he did not allege reliance on any of ADT’s affirmative representations. In addition, ADT’s statements on its website about its “innovative” and “most advanced” technologies were non-actionable puffery. The court did, however, allow the customer’s omission claims to proceed because of its finding that ADT owed its customers a duty to disclose the known vulnerabilities of its security system. The court noted that ADT had exclusive knowledge about the allegedly “unsecured” and “unencrypted” transmissions, which would be a material fact for customers to have when considering whether to purchase the system.

In re: Lenovo Adware Litigation

The In re: Lenovo Adware Litigation concerned plaintiffs’ claims that software installed on their Lenovo laptops compromised the performance, privacy and security of their computers. A software company called Superfish had an agreement with Lenovo to install its VisualDiscovery software on Lenovo laptops. The court’s opinion explained that VisualDiscovery intercepts “data sent between a computer user and a website, redirecting it for analysis to generate relevant advertisements back to the user’s computer.” The plaintiffs claimed that this software caused performance issues on the laptops and made the laptops vulnerable to third-party hackers and other malicious actors. Lenovo allegedly did not inform customers about the installation of this software before the customers bought the laptops. 

The customers brought a class action lawsuit against Lenovo and Superfish based on a number of different tort and statutory claims under California and New York law.  Within the court’s complex ruling, several holdings are particularly noteworthy. First, the court first found that the plaintiffs could not base standing for their claims on the possibility that the software could potentially expose them to a future security breach; the potential for a claimed injury would be too speculative. The plaintiffs did, however, have standing based on alleged privacy intrusions and performance problems caused by VisualDiscovery. 

Second, the court refused to dismiss most of the plaintiffs’ claims based on alleged intrusions into their laptops by VisualDiscovery. The court did not allow all of the class claims to proceed because of “several individualized questions that will predominate in determining liability and damages.”  Specifically, for purposes of some of the plaintiffs’ claims, the court would need to determine whether Superfish in fact accessed all of the plaintiffs’ laptops, and noted that the plaintiffs’ damages claim was not directly tied to its theory of liability. However, the court did certify two classes of plaintiffs and allow the plaintiffs’ fraudulent omission claims to proceed under California consumer protection law.  The court also allowed the plaintiffs leave to amend their complaints on a number of the claims similar to those in Edenborough v. ADT.  The court reasoned that Lenovo and Superfish allegedly had exclusive knowledge of the risks caused by VisualDiscovery, and thus had a duty to disclose.  

Key Trends in Cybersecurity Litigation Against Product Manufacturers 

Both the Edenborough and Lenovo cases emphasize the potential liability companies face for their products’ cybersecurity vulnerabilities. These cases both involved companies that allegedly had knowledge of security defects, which they failed to disclose. Plaintiffs were able to survive motions to dismiss based on allegations that the companies misled the public about the security of their products. 

Companies should carefully draft public statements and marketing about their products with potential cybersecurity litigation in mind. A failure to disclose a material fact about the product’s security risks could expose the company to liability. Companies could also face costly litigation if they do not act reasonably, either when discovering a security defect or introducing products into the market that have known security defects. Companies should carefully consider these risks going forward, as plaintiffs attempt to extend the scope of liability for cybersecurity vulnerabilities.