The Cybersecurity 202: The Supreme Court could decide how bad a hack must be for victims to sue
Two class-action lawsuits that could come before the Supreme Court this term seek to determine just how bad a cybersecurity lapse must be before customers can sue.
In both cases, federal appeals court judges formally approved lawsuits by thousands of consumers who want to collectively sue major companies for cybersecurity failures — even though the customers couldn’t prove they’d suffered any direct financial harm from the companies’ digital negligence.
The companies are asking the high court to overturn the lower court decisions allowing the lawsuits. They argue that customers must suffer some concrete financial or physical harm before they can demand compensation for a data breach or for hackable vulnerabilities discovered in their products.
Consumers, however, contend that setting such strict standards would give negligent companies a pass for not sufficiently protecting their products and data.
If the Supreme Court rules on either case, it could fundamentally reshape the responsibility the private sector has over the security of Internet-connected products that could endanger consumers’ privacy or even their lives in the case of things like cars and medical devices.
If the court sets a high bar for consumers to sue, it could prompt companies to play fast and loose with their data. If that standard is too low, however, it may deter companies from sharing information about newfound computer bugs or investing in new technologies out of fear they’ll be on the hook for legal damages.
“You’ve potentially jacked way up the monetary costs from a vulnerability that’s disclosed down the road,” Megan L. Brown, an attorney with Wiley Rein who deals in complex litigation and technology, told me. “That may affect a company’s risk calculation and make them not do some things.”
The first class-action suit was sparked after a viral 2015 Wired article describing how two security researchers hacked through the entertainment system in a Jeep Cherokee to kill the brakes — all while the Wired reporter was driving the vehicle at 70 mph through downtown St. Louis.
After the article, Chrysler mailed 1.4 million vehicle owners a USB stick with software to fix the vulnerability, and there’s no evidence malicious hackers ever exploited it. Jeep owners point to the hack, however, as evidence that their vehicles are “excessively vulnerable” and say they should get some money back, according to Chrysler’s petition to the high court.
The issue is particularly complicated because cybersecurity experts warn there’s no way to ensure any system is 100 percent digitally secure.
Even major digital consumer products such as Microsoft’s Office suite or Apple’s iPhone aren’t invulnerable. Security researchers find hackable vulnerabilities in those products every week. The most mature and cyber-sensitive companies, however, usually manage to find and patch the most dangerous vulnerabilities before malicious hackers exploit them.
Source: Washington Post