We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation.  Thus far those efforts have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois, however, may have blown open a new, potentially wide front in breach litigation.

Flynn v. FCA US was one of several “car hacking” class actions filed in 2015 following a series of well-publicized media reports concerning the “hackability” of certain cars through their infotainment systems.  These reports vividly demonstrated how hackers could exploit security vulnerabilities and remotely control vehicles as they were being driven, with potentially devastating consequences.  Although there has never been a reported case of any car actually being hacked and remotely controlled, several lawsuits were filed.  One lawsuit, Cahen v. Toyota Motor Corp, filed in the Northern District of California, focused on the alleged security flaws of Toyotas but was ultimately dismissed.

Flynn was the second case and focused on alleged security flaws in the UConnect system of Chryslers.   Plaintiffs filed a kitchen sink complaint, alleging a wide array of warranty and fraud claims under state and federal law on behalf of a putative class of consumers who had purchased Chryslers.  The case has had a long and tortured procedural history that resulted in the dismissal of numerous counts and whittled the case down to a small class of consumers.

A critical dispute in the case has been the viability of plaintiffs’ damages theories.  Plaintiffs articulated an “overpayment” theory of damages premised on the notion that purchasers reasonably expected and paid for information security when they purchased Chryslers, and are therefore entitled to recover that percentage of the sales price attributable to information security because of the security flaws in the UConnect system.  Similar overpayment theories have been attempted in data breach cases, including the Target class action and Cahen, but have been rejected by courts on the grounds there is no reasonable basis to believe consumers considered data security when they made their purchasing decisions.   A second damage theory articulated by plaintiffs is that damages could be measured by calculating the cost to repair the security flaws in each car.

Data breach litigators have been long awaiting the Court’s ruling on the viability of these theories on a class wide basis, and now we have our answer: on the eve of trial, the Court granted in part plaintiffs’ motion for class certification, first ruling that plaintiffs’ overpayment damages matched their theory of liability and could be proven on a class wide basis under the laws of three states—Illinois, Michigan and Missouri. (The court had previously ruled that plaintiffs had standing to pursue the claim in federal court.) The Court rejected plaintiffs’ request for nationwide certification stating that “it would be unwieldy and require highly individualized inquiries.” The Court also rejected the Plaintiffs’ “cost of repair” damages, finding that such damages did not match their theory of liability.  Trial has now been continued, pending possible appeal of the class certification decision and the parties’ submission of a joint trial proposal.

The Court’s ruling in Flynn is notable for a number of reasons. Not only is Flynn the first car hacking case to proceed to trial on a class wide basis, it is the first data security case to proceed past summary judgment in which no actual breach had occurred.  The watershed issue in most data breach cases is Article III standing, and defendants have found frequent success arguing that plaintiffs have not suffered injury sufficient to establish federal standing where there is no reasonable likelihood that plaintiffs will suffer identity theft or financial harm stemming from the breach.  Those arguments would appear to be even stronger in a case alleging only the potential of a breach, but the Southern District of Illinois found otherwise.

The Flynn plaintiffs’ damages theories relied on conjoint analysis, a branch of marketing theory which postulates that a value can be placed on consumer expectations at the time they make purchasing decisions.  This kind of damages analysis is common in warranty cases involving tangible products such as automobiles, but had never been successfully advanced in data breach litigation, which typically does not involve security flaws of products.

As Internet of Things technology advances, and more and more everyday products become wired, the potential use of conjoint analysis to prove overpayment damages may enable plaintiffs to avoid typical standing issues because, under this theory of liability, the injury lies not in the fear of future harm, but in overpaying for a product that lacked reasonable data security.   It also raises the ominous specter of plaintiffs advancing class actions premised solely on security flaws in a product, even where there has been no actual breach.  Stay tuned.