In both cases, federal appeals court judges formally approved lawsuits by thousands of consumers who want to collectively sue major companies for cybersecurity failures — even though the customers couldn’t prove they’d suffered any direct financial harm from the companies’ digital negligence.
The companies are asking the high court to overturn the lower court decisions allowing the lawsuits. They argue that customers must suffer some concrete financial or physical harm before they can demand compensation for a data breach or for hackable vulnerabilities discovered in their products.
Consumers, however, contend that setting such strict standards would give negligent companies a pass for not sufficiently protecting their products and data.
If the Supreme Court rules on either case, it could fundamentally reshape the responsibility the private sector has over the security of Internet-connected products that could endanger consumers' privacy or even their lives in the case of things like cars and medical devices.
If the court sets a high bar for consumers to sue, it could prompt companies to play fast and loose with their data. If that standard is too low, however, it may deter companies from sharing information about newfound computer bugs or investing in new technologies out of fear they’ll be on the hook for legal damages.
“You’ve potentially jacked way up the monetary costs from a vulnerability that’s disclosed down the road,” Megan L. Brown, an attorney with Wiley Rein who deals in complex litigation and technology, told me. “That may affect a company’s risk calculation and make them not do some things.”
The first class action suit was sparked after a viral 2015 Wired article describing how two security researchers hacked through the entertainment system in a Jeep Cherokee to kill the brakes — all while the Wired reporter was driving the vehicle at 70 mph through downtown St. Louis.
After the article, Chrysler mailed 1.4 million vehicle owners a USB stick with software to fix the vulnerability, and there’s no evidence malicious hackers ever exploited it. Jeep owners point to the hack, however, as evidence that their vehicles are “excessively vulnerable” and say they should get some money back, according to Chrysler’s petition to the high court.
The issue is particularly complicated because cybersecurity experts warn there’s no way to ensure any system is 100 percent digitally secure.
Even major digital consumer products such as Microsoft’s Office suite or Apple’s iPhone aren’t invulnerable. Security researchers find hackable vulnerabilities in those products every week. The most mature and cyber-sensitive companies, however, usually manage to find and patch the most dangerous vulnerabilities before malicious hackers exploit them.
If the Jeep plaintiffs are successful, “it opens the door to litigation of all stripes and flavors over any consumer product that connects to the Internet,” Chrysler attorney Thomas H. Dupree Jr. told me. “Any product, hypothetically, can be hacked and any plaintiff can hire a lawyer who says, ‘In my opinion the product has inadequate cybersecurity even though it hasn’t been breached.’ ”
In the second case, the online retailer Zappos did suffer a malicious breach of a database containing customers’ information, including names, contact information and possibly credit card data. The company says, however, that there’s no evidence the hackers used that data to impersonate customers or to make phony credit card charges.
The customers dispute that characterization, however, and say hackers used their information to hack other accounts.
The Zappos and Jeep cases are being litigated at the U.S. District Court level while the lower courts wait to learn whether the Supreme Court will hear the cases. Neither case has moved substantially past the questions of whether the plaintiffs have standing to sue and who should be included in the plaintiffs' class.
The high court held a conference on the Zappos case this month and is scheduled to meet on the Jeep case Jan. 4. The court probably will decide whether to grant hearings in the cases in January.
Meanwhile, industry groups are worried about the potential implications. Trade associations like the U.S. Chamber of Commerce, the National Association of Manufacturers and CTI, the wireless association, have filed friend-of-the-court briefs supporting the companies.
They have reason to be concerned if the high court does take the cases. Lawsuits where there’s much clearer harm from a data breach have resulted in multimillion-dollar settlements. Target, for example, paid $18.5 million to settle cases brought by state attorneys general over its 2013 breach of credit and debit card information for at least 40 million customers and personal information about many more. The retailer is trying to conclude a $10 million settlement on a consumer class action stemming from that breach.
In other cases, assessing whether hack victims have suffered harm can be far more difficult.
The U.S. Court of Appeals for the D.C. Circuit, for example, is mulling a case filed by federal employee unions over the 2015 Office of Personnel Management data breach. Most cyber experts believe that breach was launched by Chinese government hackers who want to use the data for blackmail or other espionage.
That means it’s unlikely the data stolen from more than 21 million current and former federal employees and their families will be used for identity theft or to make phony credit card charges. The stolen data, however, included extremely personal background check information, including lengthy questionnaires about finances, housing, family relationships and drug and alcohol use.
An appeals court judge said during a Nov. 2 hearing that the government faced an “uphill battle” arguing the plaintiffs didn’t have grounds to sue in that case, as reported by GovExec.
The harm caused by that kind of hack is far different from the nebulous damage caused by a breach involving only information such as names and addresses, Joe Hall, chief technologist at the Center for Democracy and Technology think tank, told me.
“Trivial harm should not be something that keeps us from building wonderful things,” Hall said. “But we really need to find a way to articulate harms that are not economic but really affect people’s ability to trust each other or to participate in the world.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The American website security company Cloudflare continues to provides cybersecurity services to several foreign terrorist and militant groups, HuffPost's Jesselyn Cook reported. The company has been told multiple times that it protects websites affiliated with terrorist organizations but has forged ahead.
“Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC),” Cook reported. “These organizations own and operate active websites that are protected by Cloudflare, according to four national security and counterextremism experts who reviewed the sites at HuffPost’s request.”
Cook noted that under U.S. law, it is illegal to knowingly provide “material support” to a foreign terrorist organization. Doug Kramer, general counsel of Cloudflare, told HuffPost that the company tries “to be neutral and not insert ourselves too much as the arbiter of what’s allowed to be online.” But Kramer also told Cook that Cloudflare is “very aware of our obligations under the sanctions laws” and has “a policy in place to stay in compliance with those laws.”
PATCHED: A new report about Russia's online disinformation efforts surrounding the 2016 election reinforces the conclusion that Russian operatives sought to help elect Donald Trump and describes how the Russia-based Internet Research Agency adapted its messages to various sections of the American electorate, according to The Washington Post's Craig Timberg and Tony Romm, who obtained a draft of the study. The research by the Computational Propaganda Project at Oxford University and the network analysis firm Graphika also provides new details of Russian trolls' use of not only Facebook and Twitter but also YouTube and Instagram, according to my colleagues.
“What is clear is that all of the messaging clearly sought to benefit the Republican Party — and specifically Donald Trump,” the report said, as quoted by Craig and Tony. “Trump is mentioned most in campaigns targeting conservatives and right-wing voters, where the messaging encouraged these groups to support his campaign. The main groups that could challenge Trump were then provided messaging that sought to confuse, distract and ultimately discourage members from voting.”
The report, which was prepared for the Senate Intelligence Committee, also said some technical missteps could have helped unmask the disinformation campaign sooner. For instance, Russian operatives used rubles to pay for ads and listed Russian phone numbers for contact information, my colleagues reported. “The operatives also left behind technical signatures in computerized logs, such as Internet addresses in St. Petersburg, where the IRA was based,” Craig and Tony wrote.
PWNED: Brian Kemp, then-Georgia's secretary of state and Republican candidate for governor, turned a warning about vulnerabilities in Georgia's election systems into an accusation that Democrats sought to hack the state's voter database, according to the Atlanta Journal-Constitution's Alan Judd. No evidence has emerged since then to back up Kemp's claims and it appears that no crime was committed, the Journal-Constitution reported. Kemp ultimately won the governor's race with a margin of just about 55,000 votes.
“More than a month later, state Democratic officials say no law enforcement agency has been in touch about the alleged crime,” Judd reported. “Lawyers and others involved in the episode say they’ve heard nothing, either. The agencies won’t comment on their investigations.” Moreover, Judd noted that Georgia's “secretary of state’s office declined to release documents concerning its investigation, including more than 80 internal emails from the weekend before Election Day. The agency said that because its lawyers were part of the email chains, the documents were subject to attorney-client privilege.”
— The U.S. Air Force tomorrow is set to launch the first of a total of 32 planned GPS III satellites that are “designed to be more accurate, secure and versatile” and meant to replace older satellites, the Associated Press’s Dan Elliott reported. “Compared with their predecessors, GPS III satellites will have a stronger military signal that’s harder to jam — an improvement that became more urgent after Norway accused Russia of disrupting GPS signals during a NATO military exercise this fall,” according to the AP.
However, not all of the new security features will be implemented right away. “Only some aspects of the stronger, jamming-resistant military signal will be available until a new and complex ground control system is available, and that is not expected until 2022 or 2023, said Cristina Chaplain, who tracks GPS and other programs for the Government Accountability Office,” Elliott wrote.
— More cybersecurity news from the public sector:
— Open Whisper Systems, which makes the encrypted messaging app Signal, doesn’t intend to abide by Australia’s new encryption legislation, Motherboard’s Lorenzo Franceschi-Bicchierai reported. “By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars,” Joshua Lund, a developer for Signal, said in a blog post, as quoted by Motherboard. “The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.” As Franceschi-Bicchierai noted, critics say a provision of the legislation could allow Australian authorities to essentially demand back doors to bypass encryption.
— More cybersecurity news from the private sector:
— “A group of three Russian lawmakers close to the Kremlin has proposed a tightening of state control over the local internet in response to what they view as ‘aggressive’ U.S. cyber security actions, a parliamentary document showed on Friday,” according to Reuters. The draft legislation “would allow officials to ‘minimize’ the level of Russian users’ internet traffic that goes abroad, and centralize control of traffic under the Roskomnadzor communications watchdog if a ‘threat’ emerged to the functioning of the domestic web,” Bloomberg News reported.
— More cybersecurity news from abroad:
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats on Jan. 15, 2019.
After trusting Cohen for years, Trump now thinks he has no credibility:
Trump routinely says things that aren’t true. Few Americans believe him:
A Cameroonian journalist covered an American’s death. The government charged her with fake news: