Late last week, the Seventh Circuit affirmed a trial court’s ruling granting dismissal at summary judgment of claims against FCA US LLC (“FCA,” formerly known as Chrysler) and Harman International Industries, Inc. (“Harman”) for lack of Article III standing. See Flynn v. FCA US LLC, — F.4th —, 2022 WL 2751660 (7th Cir. July 14, 2022). Plaintiffs’ class-action complaint claimed injuries arising out of an alleged cybersecurity vulnerability in an infotainment system designed by Harman for installation in FCA vehicles manufactured between 2013 and 2015. See id. at *1. However, after discovery, the Plaintiffs offered the trial court no evidence establishing that the vulnerability actually caused them any harm.
Having failed to cite “any factual support for their claimed injury” in the trial court, id. at *3, the Plaintiffs shifted gears and sought on appeal to rely on portions of their expert reports regarding an “overpayment” theory that they had not relied on in the trial court, id. at *4. Under that argument, Plaintiffs claimed that “they paid more for their vehicles than they would have if they had known about the cybersecurity vulnerability.” Id. at *1. The Seventh Circuit rejected Plaintiffs’ bid to rely on their expert reports as arising “far too late,” id. at *4, and affirmed the trial court’s ruling with a procedural modification to reflect a dismissal for lack of subject-matter jurisdiction without leave to amend, id. at *5.
FCA benefitted from prompt attention to the alleged vulnerability. As the Seventh Circuit noted, FCA “immediately issued a recall and provided a free software update to patch the vulnerability” after Wired magazine documented the issue in 2015. Id. at *1. “Federal regulators supervising the recall determined that the patch eliminated the vulnerability[, and] [o]ther than the Jeep in the Wired test, no other Chrysler vehicle has been successfully hacked.” Id.
As internet-connected products continue to proliferate, manufacturers can expect an increasing number of product-defect lawsuits predicated upon alleged cyber vulnerabilities. However, as the Flynn decision demonstrates, the injury-in-fact element of Article III standing provides an effective defense where plaintiffs lack evidence that the alleged vulnerabilities have produced any real-world harms.