February 16, 2018 Articles

The Ups and Downs of Being "Smart": Smart Products Litigation

By Sarah Miller

As “smart” products have entered the marketplace, smart products liability lawsuits have not been far behind. Indeed, the use of smart products’ data in investigations and lawsuits is increasingly prevalent. Some of the recent cases include traditional products liability theories, and some do not; but all of them are instructive as to how products’ data is being used, and will be used in the future, in the courtroom.

Smart Data and Breach of Privacy
Breach of privacy is the basis for many investigations and much litigation concerning smart products. Because injuries in most cases brought to date are privacy related, consumers may not immediately trace actual injuries in the form of identity theft to smart products, and mere threats of identity theft may be too remote to be actionable.

Investigations and lawsuits stem from breach of privacy. As federal agencies show increasing interest in smart products and increasing savvy about how they are used by consumers and manufacturers, large-scale investigations into such products have also increased. In 2017, the FTC publicized its settlement with VIZIO, Inc., in the matter of the alleged collection, utilization, and sale of data related to viewing activity and consumer demographics obtained through smart televisions. The settlement provided for $2.2 million in payments, large-scale data deletion, and implementation of a privacy program. Since the FTC announced the settlement, plaintiffs have filed at least one class action suit against VIZIO, which is currently pending in the Central District of California, having survived a motion to dismiss.See In re Vizio Inc., Consumer Privacy Litigation, Case No. 8-16-ml-02693, Dkt. No.145 (S. Dist. Cal. July 25, 2017).

Defense lawyers may be able to use smart data to their advantage. In smart products cases alleging breach of privacy, the data itself may be the impetus for a case, but it can also sometimes be the key to a successful resolution for the defense attorney. In Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955, 971 (N.D. Cal. 2015), the plaintiffs were unable to survive a motion to dismiss when they could not properly plead an injury with information obtained from a public report put out by a U.S. senator. A Northern District of California judge dismissed the complaint—filed on the heels of a report released by U.S. Senator Ed Markey of Massachusetts on vehicle hacking—against Toyota, Ford, and GM that alleged that the plaintiffs purchased products at risk of being hacked. The complaint relied heavily on the Markey report, but it was light on discussion of injury to the plaintiffs. The court found that the plaintiffs lacked standing as they had failed to show an actual injury: in other words, they failed to allege that any of them had actually been hacked.

In another set of cases, a hacker gained access to the servers of VTech Electronics North America, LLC, an affiliate of which made toys that could access an online library of educational and other child-focused content. See In re VTech Data Breach Litig., 2017 WL 2880102, at *2 (N.D. Ill. July 5, 2017). The toys required registration with personally identifiable information, and the hacker first gained access to that information and then notified a journalist that he had done so. VTech, upon being notified, suspended access to online services, investigated the breach, and updated its data security protocols to respond to vulnerabilities taken advantage of by the hacker. As in the Cahen case, the federal court found that the plaintiffs failed to allege an injury and thus did not have standing to proceed. In the VTech case, however, the court also focused on the nature of the information compromised, noting that, as no credit card numbers or “any other information that could easily be used in fraudulent transactions” was compromised, the likelihood of harm was too remote to be remedied by the courts.

Disclosure of sensitive information creates the biggest headlines. Even though no credit card numbers or other information that could lead to financial identity theft was collected in the VTech case, it still made headlines because information about minor children was compromised. In general, though, the privacy concerns of the public are more often triggered by cases where particularly sensitive information is at risk. For instance, it was widely reported that in March of this year, the maker of an electronically connected vibrator, “We-Vibe,” settled a case in which it was alleged to have gathered sensitive personal data without consent from its customers. The nature of the suit was so sensitive that the “named” plaintiff did not even sue under her actual name, apparently not wishing to identify herself as a consumer of the product at issue.

Smart products’ data in the courtroom has consequences for all concerned. These cases make clear that the data from smart products can increase potential litigation risks, particularly when a government investigation or public report finds a product’s vulnerability before the company does. (In fact, many of the recent cases were inspired by (or even based solely on) government investigations or other reports.) But they also show how data can help defense counsel to determine and implement a successful litigation (or settlement) strategy.

Clearly, the rush to the courtroom by overly eager plaintiffs’ attorneys with articles and government reports in hand can backfire—but not just in terms of the plaintiffs’ case. Plaintiffs with no cognizable injury can cause manufacturers to incur losses of time, money, and reputation as the manufacturers attempt to mitigate damage caused by a malicious third party.

Smart Data and Investigation-Related Requests
Smart products manufacturers may not be able to avoid the courtroom even if they can protect their consumers and their consumers’ data. Increasingly, police officers, prosecutors, and federal agencies are seeking data from smart products manufacturers in ongoing investigations. Such requests have been commonplace when the manufacturer is the target of an investigation, but now smart products manufacturers may also have to deal with requests for information they have gathered when other companies, or even their own customers, are targets of investigations not related to the smart products manufacturers.

For instance, in October 2017, the Washington Post ran an article discussing how a murder victim’s Fitbit, smart alarm, and other smart products in the house, including cell phones and a key fob, helped detectives find discrepancies in her husband’s timeline of the night that she was killed. The husband was later charged with his wife’s murder.

The Washington Post article examines how the use of smart products’ data in criminal investigations is on the rise and notes that, despite service providers’ attempts to shield its customers’ privacy in such investigations, the production of such data is increasingly required by the courts. For instance, in another 2015 murder case, this one in Arizona, prosecutors obtained a search warrant for the recordings of the Amazon Echo owned by the suspect in their investigation. Amazon challenged the warrant in court but ultimately provided the recordings when the suspect agreed to their production.

How a company will maneuver such requests varies, and companies should create a policy after considered analysis. During the Arizona Amazon Echo case, Amazon argued that both user voice commands and the Alexa Voice Service response were protected under the First Amendment. While Amazon did not comment on the case directly to the press, it issued a statement that it would “not release customer information without a valid and binding legal demand properly served” and that it “objects to overbroad or otherwise inappropriate demands as a matter of course.” Id.

Smart Products and Products Liability
While many cases focus on privacy issues framed as products liability claims, smart products cases will increasingly allege other, more traditional forms of products liability injury as we rely more on smart products.

One nondata risk that has increased for smart products relates to “wearable technology”: a product kept on or near its owner all day could explode and then would almost certainly cause personal injury. The Samsung Galaxy Note 7 was the poster child for this problem, providing late-night hosts with material for weeks, buoyed by Samsung’s relative silence about its investigation. After Samsung issued a global recall, revealed the specific vulnerabilities that made the Note 7’s batteries explode, and promised to share its findings with the industry, the company appeared to be turning things around. But now the company’s Galaxy J7 seems to be having similar problems, with a report that a J7 exploded midair on a flight this month.

After a major incident, a statement that a company “is investigating the problem” is not sufficient in the age of smart products. Smart products consumers seek instant gratification, and they think that the answers are in the data. Of course, to what extent the data can help clarify “traditional” products liability cases, as opposed to data breach cases, is still unknown; but defense attorneys who move quickly to obtain, preserve, and analyze all available data will better be able to determine the extent of the problem and develop a strategy.

In the absence of helpful data, smart products manufacturers would do well to take a lesson from Fitbit and inject some transparency into their investigations, particularly if an allegation is meritless. Within two weeks after a Fitbit user claimed that her Flex 2 exploded on her wrist, Fitbit conducted an initial investigation involving testing by a “leading third-party failure analysis firm” and was able to conclude that the item did not malfunction. Fitbit updated the press throughout the process; such transparency resulted in the news cycle on the story only lasting about a week.

Conclusion
As more products become smart, the legal system’s reach into captured data will only increase. However, all sides in a case should recognize that, in the Information Age, smart products can be a target and a shield in the products liability arena. As a result, the issue of education about the product and the problem—for the consumer, the judge, and the government, as needed—is both more complicated and more crucial than ever before.


Sarah Miller is an attorney at the Nashville, Tennessee, office of Bass, Berry & Sims PLC.


Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).